The government has been doing an excellent job of basically extorting these companies into compliance. They threaten the full weight of the US government's wraith and then tie every order up with classifications and gag orders.
You aren't legally allowed to talk to other companies in the same position. Most your legal team probably doesn't get to know what's going on. You can't take your case to the public without being held in contempt.
I'm not giving these companies a complete pass for being complicit in the erosion of individual's civil liberties but treating this as if the decision is easy is vastly unfair.
Don't pay attention to the fact he denied installing what he considered unconstitutional wire taps for the NSA resulting in the government pulling almost a billion dollars worth of contracts from the company. That example alone proved that the government can tell any narrative they want; they own the media, they'll own private companies too.
I think you win in the court of public opinion if it's a broad program like this (and IMO clearly unconstitutional). If it's an NSL about, say, an order to specifically target UBL, you probably hang in public opinion. If it's an NSL about, say, finding Snowden, you might be ok. This is an interesting check and balance vs. government overreach.
I'd be a lot more comfortable with someone going public in a live press conference in DC (maybe releasing a key to a file which is pre-distributed), than someone running off to Russia or doing it anonymously, though.
Apple got a mixed response when they pushed back on the FBI, but certainly not a clearly negative one. Lavabit's rather alarming case earned them substantial respect in the tech circles that learned about the matter.
Certainly whistleblowers have faced immense consequences, but they've been government or military employees engaged in major disclosures. To jail a 'captain of industry' for reporting that the government handed her a sheet of paper would be spectacularly bad optics, attacking a respected private citizen over an intuitively absurd legal mandate.
I suppose the details of the account in question would become important. If the public can be persuaded that you blew up an important investigation, you probably lose all support; we've certainly seen the government disclose a surprising amount of formerly-secret material to turn public opinion against whistleblowers. Even there, though, you could test the gag order by disclosing the fact of an NSL without the content.
If they can't show overwhelming importance, though? If it's just a cartel bust or a leaker or something similarly non-terrorist-y? I'm trying to picture the government bringing the hammer down on Cook or Mayer for going up on stage at a conference and unashamedly violating an NSL. It doesn't seem like a good fight to pick.
As you point out, best to wisely pick your battle as you'll want public opinion behind you. And remember that as popular as she is, Martha Stewart still went to jail.
Under the Patriot Act its 5 years in federal prison for any individual who violates a gag order.
Also, Yahoo spent many years fighting similar requests (I think before anyone else did) and won nothing.
She also was obviously being advised by Ron Bell, the GC. If she didn't tell Stamos, it was probably based on the guidance of Mr. Bell. I'm not sure we can fault Mayer much on this one.
Was Yahoo given a contract, or otherwise compensated?
So, if citizens continuously allow or even create (surveillance supporters) a police state, then the companies operating in it are under no ethical obligation to take risk to protect them from that police state's activities. Those companies would actually be putting in more effort and taking more risk than most of the citizens themselves. That's an unreasonable expectation.
U.S. citizens need to get their shit straight in this country. Interestingly, the vast majority are pushing for the two most corrupt candidates imaginable for this election who have each mocked the Constitution and support the police state apparatus. Trying to protect them is a lost cause. Better to invest that effort into a different democracy whose people actually give a shit vs this one.
full weight? You mean like a small fine ? That's what happened to Wells Fargo. The govt . seems really angry about it, but what can they really do to a corp that is considered an entity?
It's so important that these leaks go public for two critical reasons:
1) with that type of financial regulatory environment for public companies, the only way to create incentives for that type of consumer protection play is when it has monetary consequences if they do nothing (customers shutting down their accounts)
2) court docs from an earlier Yahoo trial in a secret court were already released when the NSA requested a huge trove of emails and Yahoo challenged it. I read the judges ruling and the TLDR is that the judge said the customers will never know their email is being read so how can you claim that a privacy violation has occurred?
The twisted logic here is that there's no damage to the customer/company as long as the intrusion is conducted in total secrecy.
So that's why Yahoo is so willing to fold here. This is what they are dealing with.
Side note: Imagine the same logic was applied to police a search warrant that allowed police to enter hundreds of houses, a type of warrant that could never be challenged by these homeowners defence attorneys. "They'll never know police broke into their house and went through all of their drawers and personal belongings. They'll come home the next day and everything will seem exactly. the same. So what claim to privacy violation could do they have?"
The need for secrecy in FISA courts goes well beyond protecting state secrets like NSA tech. This type of judicial rationalization would never withstand scrutiny in open courts which is why total secrecy is the key.
Centralised powers have capabilities, but also weaknesses and vulnerabilities, and Yahoo in particular is an exceptionally vulnerable technology company.
Companies can influence specific laws, and sometimes work in concert to achieve specific aims (see the totalitarian plutonomic pact, a/k/a TPP, backed by virtually every major infotech and comms company: Amazon, Apple, AT&T, Cisco, Facebook, Google, Intel, Microsoft, and Verizon, among others). But they're also vulnerable to specific legal threats, investigations, and withdrawals of contracts.
Where corporations influence governments most effectively is where the collective interests of political and industrial leaders is furthered. Where corporations successfully oppose governments is where the corporations have some level of political leverage, often through influence on key elements of local economy. Where government has influence over corporations is where there's little financial upside, and often only a vague and long-term benefit to the company, and where national security or mass popular interest plays strongly against the companies.
Yahoo had no leverage and considerable downside in trying to stand up against this order. The long-term downside to compliance is what's emerged here: disclosure of the project and a possible scuttling of Yahoo's announced purchase by Verizon. The best case for Yahoo without the Verizon takeover is that it's dead. With the takeover, some of the investors and executives recoup a small amount of the long-term loss of value in the company.
Yahoo had little to gain by fighting (it would have been executively decapitated and entered immediately into a likely fatal legal fight with the US Government), and something to gain by playing along.
Mayer took the easy, and unprincipled, decision to play along.
The amount of leverage NSA/FISA have is rather different than what the CFPB has at its disposal.
1. Report the letter stolen.
2. Publish it anonymously from a public hotspot with a throwaway phone.
It's not even particularly risky.
It's much harder to say "I will defy you and in the process cost 10k+ people their jobs without them having any say or knowledge of this".
[0] https://www.popularresistance.org/former-qwest-ceo-says-refu...
Mayer was probably too new and too scared to deal with this, especially when she had to think about her new baby.
My point is it has less to do with "Yahoo being scared about being destroyed by the US government" and more with Mayer's own personal fear of the US government, and easily caving to such threats, whether it was because of her baby, because of weak character, or because she was inexperienced as CEO didn't know how to handle this.
EDIT: Also Yahoo's response to the story is such bullshit:
> “Yahoo is a law abiding company, and complies with the laws of the United States.”
What's the law you're abiding with that says you need to implement such a backdoor? Name it. Even the FBI named the law or laws it thought would help it force Apple to put a backdoor in its phones.
So if Yahoo can't even name the law, then that law or the gag order saying they can't name it are unconstitutional. Period. It also proves once again how easily Yahoo caved.
A court order to enable warrantless wiretapping per FISA provisions. That's what they were doing with others per the leaks. The Sentry Eagle leaks, highest classification they had, indicated the FBI "compelled" domestic firms to "SIGINT-enable" their stuff with FISA mentioned repeatedly. It didn't define the methods they used to compel companies.
So, they have some way of leaning on them with the Patriot and FISA Acts as legal support. It shouldn't surprise you given it's happening in an active, police state with apathetic citizens who haven't forced Congress to roll back the legislation. Media has been fairly complicit, too, as they're not pushing the angles that would stir people into action. They watered down the previous debates.
Until these legislations are killed, there's secret courts, secret consequences, and gag orders that all these companies are faced with. Unlikely anybody will help them if they violate the rules that serve the state. So, it's on the citizenry to modify those rules so there's accountability. They mostly don't care. So, compliance with the court orders is rational choice by a company with no rational alternatives unless it intends to shutdown and make everyone jobless. Which will likely just shift business to competitors that secretly cooperate with the State. Like with Lavabit.
Note: Apple got to be lucky exception since FBI publicized the case and tried to fight in court of public opinion on top of an actual court. Terrible thing is we still don't know if they backdoored stuff for them with that being a show. Especially that HSM. It's illegal to know in the U.S..
OK, I normally think misogyny claims are over-blown and people are way too sensitive.
But your comment positively reeks of misogyny.
Rather than go for a down-vote, because you're able to edit your comment, I think you should reconsider the phrasing and delete the misogyny. If your comment doesn't stand without it, I believe deleting it would add to rather than subtract from, the discussion.
But let us just do a thought experiment. Suppose your bank suddenly locks up your money tomorrow, and when you ask for it back, they say: "Well, there was an unexpected event in some sector of the economy which happened behind the scenes which we cannot tell you about. However, what we can tell you is that we were sufficiently pressurized by the government that it was for the good of the entire economy to not give money back to the depositors. Also, you should know that we didn't take this decision lightly but spent many many hours agonizing over it. Please come back in a year. And you might have to take a little haircut on your money as well."
Would you say, "Oh, I didn't realize you gave it so much thought. Besides, its all for the good of the economy. Tell you what, why don't you just keep the money?"
Does the fact that the decision was actually genuinely hard, or even possibly justifiable in some sense, make you any less likely to get mad? Your justification of the hardness of the decision is a poor excuse, because many of these companies are trustees of a lot of money from the public who have some expectations about how their data should be managed and secured (not explicitly, sure. But they wouldn't agree to random strangers searching through their email if told beforehand, either). To borrow a cliche, great power comes with great responsibility. In the field of software unfortunately the only thing which comes with great power is a tendency to turn a blind eye and simply try and acquire even more power.
My objection was entirely to how the first commenters in this topic treated the situation as obvious and the CEO as the clear moral antagonist of this story.
One of my life mottos is seek first to understand. Another is that very few things in life are as simple as they appear.
I will forever object to vilification and simplification.
I don't know about that, Yahoo has a pretty big platform they could use against the government.
Not that I'd really expect anyone to pick up that fight, but Yahoo is far from powerless here.
But it still makes using their services dangerous to you and your company or the company you are working for.
I would even go so far and require any politician running for any office to not have used any foreign email, messenger or social network in the last X years except for reaching out to voters.
There's a high risk that they could be blackmailed with their private communication being in the hands of foreign governments and I don't want compromised people like that anywhere near public office.
You have to criticize and a spew abuse at these companies, whether or not they are secretly resisting these orders, because their resistance is secret. Only by damaging entities responsible for implementing government policy can you affect change.
They definitely have a lot more power than the little voter people.
Does anyone ever take responsibility for anything they do over there?
Especially for Yahoo, given their tough financial and market situation. It was far easier For Apple and Google.
Actually you are giving them a pass because your comment contains nothing but apologetics for these companies. Whether their decision to spy on their customers and invade their privacy was easy is irrelevant and all of your apologetics are worthless speculations based on nothing whatsoever.
I'm as upset about this as anybody, but realistically speaking... they had a gun to their heads. The real problem here isn't Yahoo! (or the other corporations), it's the government.
The problems are of establishing protocols and standards, and seeing that others adopt them, and of creating self-contained systems that are bulletproof to set up and operate.
There are projects working on this, but the hurdle for having Joe Random User operate their own server is fairly high.
I'd much rather see a highly, but not entirely distributed system, with pervasive security, and very strong legal protections. I don't know if that can happen.
Whatever you can say about Yahoo, they're not the one holding the gun.
Yourself? The idea that you have to either trust governments or corporations is very much a false dichotomy.
GPG, running your own mail server, etc. may not be for you (they aren't for me), but let's not pretend cloud-hosted mail is the only option, or that encryption is impossible.
The message is obviously to control your own security to the maximum extent practicable. Esau didn't assign fault in their comment. You might disagree with their assertion, but your comment is attacking a straw man, rather than the claim posted.
Also, I'm wondering if this story is bigger because people love to hate on Mayer. I am certain this kind of thing happened/happens at Facebook, Google, Twitter, WhatsApp, etc., so it's confusing why this is so newsworthy. It's not really newsworthy that data from an email provider is sent to NSA under secret court orders and NSA can search the full text of it. Is the newsworthy part that she asked the team to do it without consulting the security team? My question would be, why wouldn't a manager from the email team consult the security team if they had the power to?
It absolutely is newsworthy. We may have suspected it beforehand, we may suspect it happens at other providers, but we have specific proof about Yahoo now. This is new and important and we should be making a fuss. If we play the jaded cynic we are joining the enemies of democracy.
When info about FBI Carnivore system was leaked (or announced, cannot recall), there was a public outcry that made FBI shut it down (according to Wikipedia they soon replaced it with a similar system under a different name). Learning about massive government data collections of today? Resigned acceptance :(
I would rather this be newsworthy because it gets people interested in fighting FISC orders again, not against Yahoo and Mayer.
It definitely is newsworthy, it's astonishing how people rationalize any amount of spying.
Are you serious? It's newsworthy because we have proof they did it.
If we had proof Google or Facebook did it, then it would be news, too. And probably much bigger news, because nobody really cares about Yahoo anymore, especially after its sale to Verizon.
In fact, check social media and Reddit. A story about Wikileaks hinting at Google manipulating search results to favor a certain US candidate is already being talked about. And that's despite the latest trend to hate on Wikileaks because they focus too much (?!) on exposing Clinton's corruption.
You're knowingly sending your data to a 3rd party. You're not encrypting. It's not through the USPS (special protections).
It seems bloody evident that, of course, your email provider can read your emails! Unless you're encrypting with GPG, then they can (and they can still read the signing keys).
Yahoo, Google, and friends all scan, dedup, and all sorts of tricks to determine marketing and quality content (spamming). If you're worried, run your own mailserver. It's what I do, along with using gmail. But I know that, at any time, people/scripts/ai are reading everything sent and received.
edit: I'd much prefer to hear commentary/how wrong/how right/how crazy I am, rather than -1's.I'd like to hear a discussion about the "Secrecy of text written on postcards"....
This report isn't complaining about unencrypted emails. It's about them giving an intelligence agency the equivalent of a `grep "terrorism" | tail -f` for all their users' email. Without a warrant. (Not that a warrant could even be granted for something so broad, anyway.)
What data restrictions do we have that would prevent $dataCompany from sharing data with other actors? I'm sure a "privacy policy" can do something, but in the end, not really. The FTC doesn't require a privacy policy; they can only enforce one and apply lowball fines for bad behavior.
For example, what laws would prevent me from running a "* As a Service", scanning everything, ranging from copyright violations, spammers, criminal enterprises, and today's bugagboo of terrorism; and forwarding each of those things to the relevant authorities? Can a law protect criminal behavior in cases it is illegal? What responsibilities do you have if you know of criminality?
And specifically talking of emails, unless they are encrypted, they are akin to postcards with the content all in the clear.
(And for your example, I get your sentiment, but I'm guessing they'd have a neural net that triggers on examples of terrorism discussion. And they'd run all messages through it. Not saying I agree with it without a warrant...)
What you've just said is the email equivalent to "she deserved to be raped, because she was dressed like a slut".
Yes, we should take precautions to protect ourselves. But that in no way justifies the privacy intrusions that happened here.
My underlying thoughts are as follows. Yahoo is the target in this story, so I'll use Yahoo as the placeholder for any company that deals with user data in that capacity.
When you send an email, it shows up at a destination. You send it from your mail provider, "magic happens", and it shows up at the destination. By definition, the text that you send it what is received.
By sending your text with who you want it to go to, you are relinquishing control over your data. Now, Yahoo can read it. And any mailserver in between. And the destination mailserver can as well. You also give up a form of copyright- because the basis of this transmission means that the same message may appear multiple places.
With the USPS, we pay postage to send data and packages. And there are stringent safeguards in place for the USPS. We have no such data safeguard laws in the US. European Union is different (I don't know the laws there). But whatever data I send to some private org, can be used and reused in whatever ways that are bound by their privacy policy (which they write), and whatever contracts they abide by (PCI DSS, HIPAA, FERPA, etc).
Even though this part isn't logical, whenever I don't pay for a service, I automatically assume that I'm paying with my data. I guess when you're cash-poor, it's a good trade-off.
Privacy is a quality people generally expect to have. The USPS protections were created after the long social feedback cycle it took for people to realize what they were missing. We're going through another one of those cycles now, where people are finally realizing how surveilled-by-design modern technology is.
I'm unsure what will be quicker - groupwise societal understanding leading to legal privacy protection, or individual adoption of specific better technology. Given that social protections only work for those in "average" society, I personally hope it's the latter. But the two viewpoints are not conflicting, and are actually complementary - privacy preserving tools educate society as to what is possible, and a person has to value privacy before they can seek out tools to preserve it,
I would be for something akin to "Swiss Banking requirements for Data" - where companies are NOT allowed to share data unless given exception in writing/cryptographically. I'm sure we can expound on these ideas collectively.
I'd also be OK with services that DO treat data as a semipermeable membrane. Think of what Google has done with all their free services. They make neural models that they (and others they choose to release) can exploit to great effect. In cases like this, there needs to be a simple chart; think of something like this https://tldrlegal.com/license/apache-license-2.0-(apache-2.0... . I also think of these services as bringing technology to me when I could not afford it... And yes, it has been a wonderful boon for me, and I'm sure as for Google as well.
I also want to be able to request all the data on my account, sent to me in a reasonable format (multiple of: Zip, ftp, file share, mailed DVDs for reasonable price). European Union already has that law, to great effect. I should also be able to legally command a company to remove my content. If copyright is so great, I should be able to revoke their rights to it as well due to copyright.
______________________________
I get privacy. I get how networks work, and how the Internet works. I know how mailservers work, as well as file deduplication. And I see a glaring hole in the technology that allows an action, a-ethical companies that will do anything to get ahead, and a government hell-bent on dismantling privacy and data security all to stop today's big bad monster, terrorism.
I'm also guaranteed on watch lists. I'm a minor Tor developer, and greatly utilizes Tor in many ways. In fact, my network resides in Tor-Space. I've figured out how to get Linux to resolve .onion addresses seamlessly, and have .onion endpoints on all my Linux machines. I also work with IPFS and Zeronet, both technologies that have some very... interesting content as well.
It's my little corner of the Net... And if I help others with my tech, awesome. If enough of us do this, then we can start stemming the tide of data insecurity. But I also remember, parts of these issues are with the Political system, and not of technology. Until these older, technologically ignorant politicians die or retire, and Millenials come in, we're stuck. At least we've grown up with it.
In a nutshell, there's a near-consensus (if I'm not mistaken) among judicial experts that in fact, email has the same expectations of privacy as regular, sealed postal mail (i.e. not postcards). So that's where the postcard analogy breaks down.
I'm really hoping and trusting they haven't.
"Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.
Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied.
Alphabet Inc's Google and Microsoft Corp, two major U.S. email service providers, did not respond to requests for comment."
It's not a hard question to answer. You either are or are not searching all emails in realtime at the behest of the NSA.
A spokeswoman for Microsoft, Kim Kurseman, e-mailed Ars this statement, and also declined further questions: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"
http://arstechnica.com/tech-policy/2016/10/fbi-demands-signa...
It's easy to answer if you're not. If you are, you can't answer (at least not truthfully).
And as much as you might think this is a huge problem, it's a bigger problem with companies aren't restrained by government orders. Imagine if Exceleon politely declined to allow nuclear inspections.
Exhibit 1: http://www.apple.com/customer-letter/
Exhibit 2: http://www.nytimes.com/2010/03/23/technology/23google.html
That cheap-oil-for-your-private-planes deal with Pentagon is one small evidence [1]. The other is Matt Cutts working for (on a temporary basis) the Defense Department's branch of USDS [2]
[1]: http://www.wsj.com/articles/SB100014241278873238646045790697...
[2]: http://fedscoop.com/former-google-spam-chief-heads-to-usds
As for Microsoft, well, no debate there.
a perk they apparently shouldn't have been getting and was cut off by the pentagon is evidence the pentagon has front door access to Google?
> The other is Matt Cutts working for (on a temporary basis) the Defense Department's branch of USDS
What, do you think he really needed a job so the web search spam guy gave access to user accounts in exchange for getting to work in government contracting?
Really need to work on your circumstantial evidence.
> Barack Obama: NSA is not rifling through ordinary people's emails. US president is confident intelligence services have 'struck appropriate balance', he tells journalists in Berlin
edit: link fixed https://www.theguardian.com/world/2013/jun/19/barack-obama-n...
A story like https://www.wired.com/2010/05/kuok/ is a relevant case here.
> Using a Yahoo e-mail address and a different name, Kuok also allegedly contacted an Arizona company this year that had posted on eBay a KG-175 TACLANE — an NSA designed encryption device used to communicate with classified military computer networks, such as the Defense Department’s SIPRNet.
> Kuok repeatedly expressed fears that he might be dealing with an NSA, CIA or FBI agent, but continued to negotiate with the undercover officer, even cautioning him to avoid referencing the items by model number in e-mail, because “your country has this system to analyze” e-mail for keywords.
What if the string was something like "KG-175 TACLANE"? How many ordinary people would have this string in an e-mail? What is wrong with getting a warrant to read through e-mails containing such a string?
This news is definitely news to me. It is just not shocking or unexpected or contrary to what Barack Obama has been saying.
I need a new sig. "KG-175 TACLANE" it shall be!
Is it still an invasion of privacy if a machine reads my emails? Google read my emails to check for spam.
"The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events."
Your theory is that Yahoo scanned hundreds of millions of accounts for the NSA, but the NSA isn't doing / hasn't done anything with those billions of emails. Your premise requires that the NSA come into possession of a truly massive load of data and then never touches it at all. That's absurd.
However, if it went down like this -- he did probably the least destructive thing possible. I probably would have gone public or done something stupider, but at the very least not being a party to ongoing abuse of users' trust is necessary.
I'd like to see what other senior execs at Yahoo! were aware of the program and supported or at least tolerated it, so I can avoid ever working with any of them.
Qwest CEO Joseph Nacchio who <edit> claims to have </edit> resisted NSA spying is out of prison (2013)
https://www.washingtonpost.com/news/the-switch/wp/2013/09/30...
"All that is necessary for the triumph of evil is that good [men and women] do nothing."
Both Meyer and Stamos made their choices, on this issue.
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&gr...
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&gr...
"It is the duty of an attorney to do all of the following: ... To employ, for the purpose of maintaining the causes confided to him or her those means only as are consistent with truth ..."
"Every attorney is guilty of a misdemeanor who either: (a) Is guilty of any deceit or collusion, or consents to any deceit or collusion, with intent to deceive the court or any party."
"Promises only bind those who believe in them" - Henri Queuille
Pass: Apple, Google
Fail: Microsoft, Yahoo
Unknown: Facebook, Twitter
For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"[0]
I wonder if Google could even run a program like this while keeping it secret. Yahoo had their program discovered within weeks, and public within a year. Stamos could easily have immediately gone public in a way which would have prevented him from being prosecuted - say posting a blog post about how hypothetically Yahoo would implement such a system at the governments request, forwarding this on to Bruce Scheiner, and then refusing to comment if such a "hypothetical" program actually existed.
[0] http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-...
It's still interesting to know which companies have been actually exposed for this kind abuse of their customers' trust.
However, not all of them will go to prison -- only those who cross the politicians will ever be tried and convicted.
“Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with.”
― Ayn Rand, Atlas Shrugged
-- John Rogers
It's common everywhere!
> According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.
"Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo's challenge was unsuccessful."
Her real mistake was going directly to the e-mail team to implement the backdoor without telling the security chief about it:
"They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
"Realistically, this is every American company. Why trust anyone?
Surprisingly, stacks of $100 bills make great mattresses. She won't lose a night of sleep.
It's very likely, from what we have observed over the past sixty to seventy years, that the Executive Branch does not operate this way in practice. The actual bureaucratic system has probably morphed to allow for deniability and other measures that offer structural protection against political or legal attacks.
IIRC, Yahoo has always provided more data not even because they shared it, but because they were so lax with security.
Rent a cheap, dedicated server (a VPS provides poor privacy protection), encrypt the root partition and install sovereign (https://github.com/sovereign/sovereign).
Maybe the Yahoo! Board should have surveyed the startups scene, looking for founders who bootstrapped successfully and proven their worth, and recruit the best they could get. I am not very familiar with management of people and aspects of running a business, but I believe there is a lot more to it than being a smart person with computers.
Contrast with the rumors that Apple engineers were prepared to refuse & resign if ordered to share the iPhone's encryption keys.
This is why no provider can be trusted. Every routine communication should be e2e encrypted. Otherwise this WILL happen.
Getting anyone else I know to do this seems like a long shot. Is there something simpler?
1. It doesn't protect metadata. Who you communicate with, and when, and what subject you specify, are all available to any system which can read the packets. Unless you only accept and transmit TLS (secured-session) transport (HTTPS), this means that your communications patterns are in the clear. If your receiving party are fetching messages via a cleartext protocol (IMAP or POP, say, and in some cases HTTP, rather than the secured variants IMAPS, POPS, and HTTPS), then the headers and possibly mail body will be clear.
Cryptography has to be end-to-end to be effective, though attack surfaces exist at many levels. Ultimately the viewing device itself may be compromised, but that's a rather unscalable attack.
2. If you're using PGP but nobody else you're communicating with is then you're not gaining much. Keep in mind, I've been yelled at and/or chided by highly technical people with strong security backgrounds over sending PGP-encrypted emails. Including senior Google technical staff and Gene Spafford, of recent memory.
Much of that is due to a wide range of email clients not playing well with PGP, which gets again to vendor issues.
I recently posted a long critique of email on HN, and ultimately it's the lack of privacy, security, encryption, authentication, and reputation which make me think it's time to scrap it and start over, although learning from it and taking the best bits along.
This is a common argument here.
"Company A secretly collaborates with government agency to subvert their users' security."
"Yes, but Company B collects user data for their own commercial purposes, fully disclosed to the user. Same thing."
Not the same thing.
Google Now displays cards with information pulled from the user's Gmail account ...
Or take her to a super boss level, she could have used whisper to talk to guccifer and let him know about some vuln that would allow access to the legal directory.... which would have to gag order. #wikileakitup
Totally protected speech.
There is nothing to be shocked about. Unless nobody else than intelligence officials are getting access to this, and if the investigations are legit, then what?
News like this are trying to ride the whole Snowden train, but that's not what Snowden what whistle blowing about. Snowden was trying to warn about the abuse of those tools.
Now people moan and yell each time agencies try to do their job.
If you have to hide things from your own security team, it's pretty clear you're doing something very bad and you know it.
And my imaginary hat off to Stamos for resigning when he found his boss betrayed user privacy and undermined security. If everybody had such level of integrity, doing shady stuff would be much harder.
"... he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails...."
The CEO of Yahoo must have known that this kind of scanning and storage puts their users at risk. She choose to do it anyway as being the path of least resistance against a more powerful adversary (US govt.). Bad judgement compounded by zero spine... Verizon looks like the perfect fit.
$250k per day doubling every week that can come with a gag order sounds like the sort of thing that could damage a business to the point of extinction, no?
https://www.theguardian.com/world/2014/sep/11/yahoo-nsa-laws...
Congress is up for grabs. You can really change who is in congress this round. If you don't like the guy you have vote in another. Vote for people that want to cut surveillance programs and agencies that request them. We could save or reallocate mountains of money.
How would a company under such a gag order announce bankruptcy? "Sorry, we lost all the money and we can't tell you why"?
""" The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in. """
this is from Reuters: http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSK
I can imagine being in that security team :) But there is also something more profound in this about secrecy in our times.
The first case to surface. Anybody else could have been doing it for just as long, but we don't know yet.
This involved bulk search of data past the decryption layer.
Yahoo Inc last year secretly built a custom software program to
search all of its customers' incoming emails for specific
information provided by U.S. intelligence officials, according
to people familiar with the matter.
Like most people, I have no problem with the government using probable cause to get warrants that are in search of something specific (none of these grab-all bullshit orders). If you have a legitimate reason to be looking at someone, then there should be no problem getting a warrant.
These secret FISA court orders are a serious violation to the rights of Americans in many cases. At minimum, if we really do need these secret courts to prevent people from finding out they are the subject of surveillance, then there needs to be an expiration on those gag orders. This crap about never being able to mention it FOREVER has to go. There should be a limit, say 5 years, which is well beyond the length of time most investigations take. At that time, those orders should expire so that these government actions can be brought to light if there is any question of wrong-doing on the part of our overzealous law enforcement.
"Former NSA General Counsel Stewart Baker said email providers 'have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.'" Sorry, but no. That's not how it works. There is no obligation to do the work of government unless it is actually written into law (i.e. record-keeping laws). And it currently is not. This is precisely why everyone should be encrypting all communications on the CLIENT side themselves. It should never leave your device (PC, phone, whatever) unencrypted. That way, if the government wants to go on a fishing expedition or has an actual legitimate reason to look at you, they will have to get a warrant for the device itself, which will at least give you a head's up that they are trying to put you in the clink with a bunkmate named Bubba.
The NSA, and the government in general, has completely blown any goodwill they once had with the public. Under no circumstance will I ever advocate for anything that makes their job easier. And it is for no other reason than simply because they have proven time and again they cannot be trusted.
Honestly, I'm still not even clear why every employee of project PRISM isn't rotting a jail cell right now after Snowden shed some light on the program for the rest of us peasants. Every single employee of that program had to know the clear violations of the constitution they were helping to partake in. Keep in mind the constitution protects against unreasonable SEIZURE as well as search. Gobbling up communications in the manner they did clearly counts as seizure because they would not have had them otherwise - whether or not they actually search the records is immaterial.
I'm not an Apple fan, but when they told the government to go pound sand regarding that terrorist phone encryption case, that was the first time that I can recall I actually approved of Apple's political position on something.
Former NSA General Counsel Stewart Baker said email providers "have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies."
What will they do??? Fine, court, shut down the company? If that happened would the public not outcry?
Why would you think that?
FWIW, SIGINT is a major part of the present festivities in the Woah on Terruh. It's simply unrealistic to expect anything transmitted through ordinary means to be remotely private.
I don't believe they are capable of writing the "siphon" they are accused of. To be honest, I don't think they actually have engineers. I think they just use summer interns.