Secretive Yahoo Needs to Open up on Privacy

Don Tennant

A document purported to be Yahoo Inc.'s Compliance Guide for Law Enforcement was released on Dec. 5 by Wikileaks, an online purveyor of leaked information. The 17-page guide outlines what are ostensibly Yahoo's information retention and disclosure policies and procedures for law enforcement authorities. I can't independently confirm the authenticity of the document, because Yahoo has failed to respond to questions I submitted to the company on Saturday.


What I can say is that the document appears to be authentic, and that if it is, Yahoo doesn't want you to see it. The document states specifically that "it is not meant to be distributed to individuals or organizations that are not law enforcement entities, including Yahoo! customers, consumers, or civil litigants."


Now, let me back up for a minute and state my strong conviction that Yahoo is to be commended for working cooperatively and proactively with law enforcement authorities. It's clear that user information held by Yahoo can be invaluable in aiding the investigation of criminal activity, including the exploitation of minors, so Yahoo should do everything it's legally able to do to assist law enforcement officials in those investigations.


The problem I have is the senseless lack of transparency. There is absolutely no legitimate reason for the information in this document to be withheld from the general public, or for Yahoo to hide what it's able and prepared to do to assist in criminal investigations. The customer has every right to know exactly what Yahoo's policies and capabilities are in this regard, so that he can weigh that information in his decision to sign up for Yahoo services.


To its credit, Yahoo has posted its Privacy Policy on its Web site in an easily accessible manner. Included in that policy is this statement:


"We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!'s terms of use, or as otherwise required by law."


That's fine, but exactly what information is Yahoo able to provide to law enforcement authorities? It's not too much of a stretch to surmise that Yahoo officials don't want the answer to be publicly available because of the concern that it would scare off too many customers. That's just not a good enough reason for it to be kept under wraps.


The following list, extracted directly from the document posted by Wikileaks, outlines the information that Yahoo is able to provide:


Subscriber Information

  • Subscriber information supplied by the user at the time of registration, including name, location, date account created, and services used
  • IP addresses associated with logins to a user account available for up to one year
  • Registration IP address data available for IDs registered since 1999


Yahoo! Mail (including e-mail associated with specific properties such as Personals, Small Business, Domains, and Flickr)

  • Any e-mail available in the user's mail account, including IP address of computer used to send e-mail
  • Yahoo! is not able to search for or produce deleted e-mails
  • Note that Yahoo! now hosts two new e-mail domains: ymail.com and rocketmail.com



Yahoo! Chat/Messenger

  • Friends List for Yahoo! Messenger
  • Time, date, and IP address logs for Chat and Messenger use within the prior 45-60 days
  • Archives of Messenger communications may be available on the user's computer if the user has chosen to archive communications
  • Archives of Web Messenger communications may be stored on Yahoo! servers if at least one party to the communication chose to archive communications


Yahoo! Groups

  • Member list, e-mail addresses of members, and date when members joined the Group
  • Information about Group moderators
  • Contents of the Files, Photos, and Messages sections
  • Group activity log describing when members subscribe and unsubscribe, post or delete files, and similar events
  • Note: Message Archive does not contain attachments to messages



Yahoo! GeoCities, Domains, Web-hosting, and Stores

  • Active files user has uploaded to the Web site and date of file upload
  • For stores, may have store transactional data



Yahoo! Flickr

  • Contents in Flickr account and comments on other users' photos
  • IP address and timestamp of content uploaded to account
  • Flickr Groups to which a user belongs and Group content


Yahoo! Profiles

  • Contents of a user's profile
  • Time, date, and IP address logs of content added


Regardless of the authenticity of this document, Yahoo is obligated to be forthcoming and transparent in making its users aware of exactly what information it retains and is prepared to share with government authorities. And it's obligated to explain why that's not happening.

Dec 7, 2009 11:44 AM geral says:

Also to its credit, Yahoo has recently expanded coverage of my documentations on fbi corruption, criminality & gratuitous treachery; enter for example geral or fbi, and voila, YAHOO appears fully cognizant of the duty to allow public criticism of the nation's most evil and homicidal group of domestic government thugs.

Dec 7, 2009 1:04 PM FedUp2 says:

Funny you should mention Yahoo's value in aiding the investigation of criminal activity, including the exploitation of minors. That's because Yahoo is such a contributor to and enabler of that activity. Yahoo hosts millions of unlabeled hardcore images and videos shared by countless sex predators, pedophiles, and stalkers (like Michael Barrett) on THEIR website, Flickr, available in most elementary classes. Also funny is that when we contacted several hundred Yahoo advertisers to notify them of their ads directly sponsoring this Yahoo porn being pumped into schools and libraries, they sent ex-FBI agent and Yahoo security/legal head John Zent to threaten us for providing copyrighted screen shots to their ad clients. They used the same DMCA threats and legal BS bluffs against the sites publishing this Security Shopping List, as well as censured Yahoo user Shepard Johnson for asking Obama to end the war on his Flickr page. The same one our President placed the photo of him with the Salahis on. Yes, it's all just really hilarious stuff.

Dec 9, 2009 5:04 PM Kevin says:

It's funny, you give someone an email address and they want to know if you are collecting information on them. Are you (as my email provider) storing my emails? Are you kidding? Who said you could do that? Come on, really? If I sign up for a service and request certain features (like email), I'd be pretty mad if they (Yahoo, MSN, Gmail) did something like delete my emails b/c they were afraid people might think they are collecting information on their users... Archiving IM messages... really? Come on, that's the best feature out there to document conversations you are having outside of email... especially if used for business... and it's at the user's request on their own machine. Live Messenger does this also... I can't live without it. They are storing which services I use? Oh no... heaven forbid they be able to provide those services to me... b/c if they don't know I'm using a service, how can they link it to my account? If you took away all the above points from their secret document, you would no longer be able to provide said services. Either that or a user would have to create 10 different accounts with 10 different emails to use 10 different services. Heaven forbid a single sign-on. If you are afraid of the information you described up above being held by an ISP or service provider rendering said services above, you have no business using the Internet. Guess what would happen if you wrote your own applications to mimic said services from Yahoo... you would most likely store all of the information above about yourself... what they have in their privacy statement is fine b/c most people out there are clueless as to all the technical details of the information provided by this "Secret document". I would be hard pressed to find a services related site that didn't do a background check on your IP upon first visit. Why? They want to see if your IP comes up on some sort of blacklist known for hacking, hi-jacking, DOS attacks, phishing, spamming, etc so they can kick you off. And rightfully so. I do the same thing on my websites. I don't want some guy in Indonesia trying to get services that can and are only offered to my members in North America. He's most likely trying to pull member emails off my site to use in his SPAM. I'm glad banks do checks like that as well... so they can use this information to determine if someone (and possibly who) was trying to hack my account. Most servers out there log this information without you asking. If I set up IIS on my web server for a Website or FTP Site... guess what, it's going to collect what pages were requested and when by which IP address. That is beyond common and you are living in a different world if you think otherwise.

