UPDATE 10/26/2016: Yahoo! has now sent a letter to James Clapper, the director of national intelligence in the U.S., asking the federal government to clarify whether it issued a classified order to the company, as reported by Reuters on Oct. 4, and if so, to release information on the order and its context. We are glad to see Yahoo! press the government for more transparency regarding U.S. surveillance powers and the impact on our privacy and other human rights. We support Yahoo!’s assertion that transparency is critical for accountability, and we expect the government to respond fully and promptly.
In addition, Access Now joined a coalition of civil society organizations in a letter to James Clapper calling for greater transparency around the order issued to Yahoo! The letter asks for the publication of legal interpretations underlying the order, relevant court opinions, and details on the scope and type of data implicated in the program.
Last week news broke that Yahoo! had allegedly secretly scanned all incoming email traffic at the behest of the United States government. Today, Access Now sent a letter demanding that Verizon — which is set to purchase Yahoo! — commit to protecting the human rights of its expanding global user base.
As Reuters first reported and then other outlets confirmed, in 2015 Yahoo! had, at the order of the U.S. government, designed and implemented a system to scan all users’ incoming email for provided “selectors.” According to the reports, Yahoo! did so without challenging the order in court or even consulting internal security staff to understand the risks of implementing such a system. In response, U.N. Special Rapporteur for freedom of expression David Kaye raised concerns about the program’s impact on user rights and Yahoo!’s apparent failure to challenge the order.
The Foreign Intelligence Surveillance Act (FISA) authorizes broad U.S. government surveillance of non-U.S. persons with few adequate safeguards. Presumably, it was the law used to compel Yahoo! to operate the email scanning program. One section, Section 702 of the FISA Amendments Act, is set to sunset at the end of next year. The law must be reformed to provide protections for all users. Yahoo! and other tech companies played an important role in a previous effort to reform U.S. surveillance law, and must do so again in order to provide meaningful privacy protections. For that reason, we’re focusing on the Yahoo! transition as an opportunity for both companies to live up to human rights principles and protect user rights.
Specifically, our letter sets out several steps that Verizon must take in order to commit to the protection of the human rights of its users. We explained, “[m]ass government surveillance threatens the right to privacy. This is true whether the surveillance takes place directly or, as is increasingly the case, by a private proxy at the government’s demand.” Access Now urges Verizon “to probe the privacy and security risks and safeguards needed to protect Yahoo! and Verizon users.”
Though recent events show a low priority for digital security, Yahoo! has adopted bold protective measures in the past. In the letter, we pointed to Yahoo!’s leadership as a founding member of the Reform Government Surveillance coalition, which played an essential role in the passage of the USA FREEDOM Act. Even before that, Yahoo! had created the first business and human rights program in the tech industry and was lauded for its robust challenge to broad government surveillance authority in the secret FISA Court.
In this case, however, inaction spoke louder than words. Instead of confronting the secret court order, Yahoo! allowed the government to invade users’ personal data and, in doing so, created a weakness that could have facilitated unauthorized third-party access. This story comes only weeks after Yahoo! provided a long overdue notice of a massive data breach that exposed sensitive user data in 2014. These failures are indicative of a company that does not prioritize user protections.
In order to ensure that Yahoo!’s users are protected under Verizon’s ownership, we recommend that Verizon:
- Ensures proper consultation with internal and external structures through a fully independent human rights and security audit, with results made public as permissible.
- Reaffirms a commitment to detailed and robust transparency reporting by ensuring both companies’ reports are as complete and accurate as the law permits and revisiting both companies’ reports to ensure they keep pace with new threats.
- Implements strong, proactive digital security protections through robust encryption, increasing protections for stored data, effective breach notification, and consultation with high-level security staff whenever user security is at issue.
- Demonstrates a broader commitment to user rights by recommitting to Yahoo!’s continued membership in the Reform Government Surveillance coalition and exploring Verizon’s independent membership.
- Increases engagement with civil society in discussions around companies’ responsibilities to their users by participating at RightsCon Brussels from March 29–31, 2017.
Verizon has a long way to go to establish trust with millions of users who now know Yahoo! as inattentive to their rights and security. Implementing these measures will serve as first steps.