A document purporting to be Yahoo Inc.'s Compliance Guide for Law Enforcement was released on Dec. 5 by Wikileaks, an online purveyor of leaked information. The 17-page guide outlines what are ostensibly Yahoo's information retention and disclosure policies and procedures for law enforcement authorities. I can't independently confirm the authenticity of the document, because Yahoo has failed to respond to questions I submitted to the company on Saturday.
What I can say is that the document appears to be authentic, and that if it is, Yahoo doesn't want you to see it. The document states specifically that "it is not meant to be distributed to individuals or organizations that are not law enforcement entities, including Yahoo! customers, consumers, or civil litigants."
Now, let me back up for a minute and state my strong conviction that Yahoo is to be commended for working cooperatively and proactively with law enforcement authorities. It's clear that user information held by Yahoo can be invaluable in aiding the investigation of criminal activity, including the exploitation of minors, so Yahoo should do everything it's legally able to do to assist law enforcement officials in those investigations.
The problem I have is the senseless lack of transparency. There is absolutely no legitimate reason for the information in this document to be withheld from the general public, or for Yahoo to hide what it's able and prepared to do to assist in criminal investigations. The customer has every right to know exactly what Yahoo's policies and capabilities are in this regard, so that he can weigh that information in his decision to sign up for Yahoo services.
That's fine, but exactly what information is Yahoo able to provide to law enforcement authorities? It's not too much of a stretch to surmise that Yahoo officials don't want the answer to be publicly available because of the concern that it would scare off too many customers. That's just not a good enough reason for it to be kept under wraps.
The following list, extracted directly from the document posted by Wikileaks, outlines the information that Yahoo is able to provide:
- Subscriber information supplied by the user at the time of registration, including name, location, date account created, and services used
- IP addresses associated with logins to a user account available for up to one year
- Registration IP address data available for IDs registered since 1999
Yahoo! Mail (including e-mail associated with specific properties such as Personals, Small Business, Domains, and Flickr)
- Any e-mail available in the user's mail account, including IP address of computer used to send e-mail
- Yahoo! is not able to search for or produce deleted e-mails
- Note that Yahoo! now hosts two new e-mail domains: ymail.com and rocketmail.com
- Friends List for Yahoo! Messenger
- Time, date, and IP address logs for Chat and Messenger use within the prior 45-60 days
- Archives of Messenger communications may be available on the user's computer if the user has chosen to archive communications
- Archives of Web Messenger communications may be stored on Yahoo! servers if at least one party to the communication chose to archive communications
- Member list, e-mail addresses of members, and date when members joined the Group
- Information about Group moderators
- Contents of the Files, Photos, and Messages sections
- Group activity log describing when members subscribe and unsubscribe, post or delete files, and similar events
- Note: Message Archive does not contain attachments to messages
Yahoo! GeoCities, Domains, Web-hosting, and Stores
- Active files user has uploaded to the Web site and date of file upload
- For stores, may have store transactional data
- Contents in Flickr account and comments on other users' photos
- IP address and timestamp of content uploaded to account
- Flickr Groups to which a user belongs and Group content
- Contents of a user's profile
- Time, date, and IP address logs of content added
Regardless of the authenticity of this document, Yahoo is obligated to be forthcoming and transparent in making its users aware of exactly what information it retains and is prepared to share with government authorities. And it's obligated to explain why that's not happening.