Poyner Spruill Welcomes Education Law Practice Group


By any measure, Yahoo! has had a bad year. Once the unchallenged monarch of Silicon Valley, the company was already reeling from revelations of a massive breach that compromised hundreds of millions of accounts. It has now been hit with another bombshell: a Reuters report that Yahoo developed a system to search customers’ correspondence for information provided by the intelligence community. A few thoughts:

  • As any attorney knows, press coverage invariably fails to communicate the full nuances of a complex legal issue. While little is known – the intelligence community does not comment on operational matters, and Yahoo issued a boilerplate statement – Yahoo may have assisted in intelligence efforts to prevent the introduction of malicious software.
  • What is known about the Yahoo effort distinguishes it from other government collection programs in that the communications appear to have been scanned in real time. Previous programs reportedly scanned archived data.
  • The program was a closely held secret within Yahoo. While top executives approved of the arrangement, it triggered the resignation of Yahoo’s security chief Alex Stamos. Yahoo General Counsel Ron Bell had previously stated, “We fight any requests that we deem unclear, improper, overbroad, or unlawful.” CEO Mayer had likewise said, “We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it.”
  • Ironically, Yahoo engineers discovered the system independently and were alarmed to detect an apparent hacker breach.
  • The potential damage is evident from the fact that other technology giants – Microsoft, Twitter, Google, Facebook, Yahoo, and Apple – clamored to assure users that they had not received similar requests from the government, and would resist them if they did.
  • This casts a shadow over the new U.S.-E.U. data protocol, Privacy Shield. As we have previously written, Privacy Shield was subject to the same legal challenges that killed its predecessor, Safe Harbor. The legal foundations for Privacy Shield were buttressed in part by assurances from the Office of the Director of National Intelligence that the U.S. does not engage in bulk surveillance. Critics like Max Schrems have already pounced on the disclosure as undermining a fundamental premise of Privacy Shield.

The full implications of the Yahoo revelations can only be assessed with the passage of time. However, what is already certain is that Privacy Shield is more vulnerable to a legal challenge than it was 72 hours ago. The prudent company should have evaluated whether additional risk mitigation is warranted, in the form of binding corporate rules and model contracts.

PS. In a second high-profile story, celebrity Kim Kardashian’s home invasion and subsequent ordeal in Paris appears to have been facilitated by data gleaned from social media. One expert noted that the robbery demonstrated the connection between physical and cyber-security: social media often leaks information that undermines both. Companies and individuals do not need to avoid social media, but should be cognizant of the risk entailed in the data they choose to share.
