Take one part paranoia, one part zeal, two parts conspiracy theory, and someone with too much time on their hands, and what do you get? No, it’s not the sequel to Minority Report. It’s the allegation that Yahoo and other ISPs are spying on their users and selling their users’ information, with publication of the so-called “Yahoo Spying Guide”, and other ISP “Spying Guides” as “proof” that Yahoo and other ISPs have put a price on their own users’ heads.
It all started when one Christopher Soghoian filed a Freedom of Information request under the Freedom of Information Act (FOIA). Soghoian’s request was regarding how much the United States Marshals Service (USMS) had paid to various ISPs for the processing of requests for legal evidence pursuant to investigations or pending legal cases. In other words, how much had the USMS paid in administrative and processing fees to the various ISPs that had fulfilled those requests?
You see, Yahoo, like many other companies, has various manuals and other material which document and govern all manner of processes (think employee manuals, HR manuals, press kits, etc.), including a “Compliance Guide for Law Enforcement” document. Yahoo’s Compliance Guide for Law Enforcement is a 17-page document which outlines what they require before they will turn over a user’s information to law enforcement (court orders, subpoenas, etc.), what sort of user information Yahoo retains (if at all) and for how long, and, in a tiny section taking up not more than one third of one page, comprising about 15 lines total, a listing of the adminstrative fees associated with having to compile the various types of information pursuant to a valid law enforcement request.
Yahoo had, in the ordinary course of business, provided a copy of their Compliance Guide for Law Enforcement guidelines to the U.S. Marshals Service. When Yahoo learned of the Freedom of Information request that Soghoian had made to the U.S. Marshals Service, they sent the USMS a letter, in which Yahoo opined that their Compliance Guide for Law Enforcement did not fall within the parameters of Soghoian’s request, because the request was “What had the USMS paid”, not for a price list of possible fees from the ISPs – much like how asking someone what they had paid for a restaurant meal would not be the same as asking to see the menu. That argument may or may not have held water, as it seems that Soghoian’s request may have included a request for any ISP law enforcement compliance price lists that the USMS had in its possession.
However, in addition, Yahoo pointed out that, in their opinion, their Compliance Guide for Law Enforcement falls within one of the exemptions to the Freedom of Information Act; “Exemption 4”, to be exact, which exempts “trade secrets and commercial or financial information” and which is intended “to protect the interests of both the government and submitters of information. Its very existence encourages submitters to voluntarily furnish useful commercial or financial information to the government and it correspondingly provides the government with an assurance that such information will be reliable. The exemption also affords protection to those submitters who are required to furnish commercial or financial information to the government by safeguarding them from the competitive disadvantages that could result from disclosure.”
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
In other words, Exemption 4 is there a) to protect companies who must submit commercial and financial information to the government in the ordinary course of business, so that the information won’t fall into the hands of competitors, and b) to ensure that the government gets accurate information during these transactions by letting those companies know they can openly share the information without fear of it being divulged to their competitors through a Freedom of Information request.
Yahoo’s letter, which was written by Yahoo’s attorneys, included all of the legal authority (caselaw, etc.) to back up each of their points. It should be noted here that whenever one is suggesting to a third party that there is a legal basis for that third party to act or not act, it’s important to give that third party all of the information and legal basis for that action, which is exactly what Yahoo did.
Of course, it made not a whit of difference, because Yahoo’s objection letter itself made it to Soghoian and out to the Internet, where publications such as Wired covered the story and suggested that any readers who might have a copy of the elusive Yahoo Compliance Guide for Law Enforcement could send it to them anonymously.
Shortly thereafter, a copy of Yahoo’s Compliance Guide for Law Enforcement made its way into the hands of John Young and his Cryptome, where it was published for all the world to see, and from there it was a short leap before Cryptome, Wired, and all other manner of Internet observers had perverted the story into a “Yahoo will spy on their users and sell their information” brouhaha.
“Yahoo isn’t happy that a detailed menu of the spying services it provides law enforcement agencies has leaked onto the web,” charges Wired, elsewhere calling Yahoo’s Compliance Guide for Law Enforcement “the company’s spying guide.”
Ironically, further down in their own article, Wired ‘exposes’ that “The Compliance Guide reveals, for example, that Yahoo does not retain a copy of e-mails that an account holder sends unless that customer sets up the account to store those e-mails. Yahoo also cannot search for or produce deleted e-mails once they’ve been removed from a user’s trash file,” and that “The contents of accounts on Flickr, which Yahoo also owns, are purged as soon as a user deactivates the account.” {Emphasis added by TIP}
Clearly, if Yahoo is spying on their users, they are pretty inept in how they are going about it.
Wired also unearthed the shocking fact that “Chats conducted through the company’s Web Messenger service may be saved on Yahoo’s server if one of the parties in the correspondence set up their account to archive chats.” {Well, duh.}
There is, as we say in the biz, no there there.
For his part, John Young has refused to comply with a DMCA request by Yahoo to take down the copy of the Yahoo Compliance Guide for Law Enforcement that he put up on Cryptome.org, because, Young claims, Yahoo does not have a copyright on their own work product because there is no copyright notice on the document.
For those of you who have no reason to need to know this (which does not include Cryptome’s John Young), or who are interested in knowing the actual law (which also apparently does not include Cryptome’s John Young), here, from no less an authority than EFF Chairman Brad Templeton’s 10 Myths About Copyright, is the rule about copyright notice:
Myth: “If it doesn’t have a copyright notice, it’s not copyrighted.”
This was true in the past, but today almost all major nations follow the Berne copyright convention. For example, in the USA, almost everything created privately and originally after April 1, 1989 is copyrighted and protected whether it has a notice or not. The default you should assume for other people’s works is that they are copyrighted and may not be copied unless you know otherwise. There are some old works that lost protection without notice, but frankly you should not risk it unless you know for sure.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Your own little brouhaha seems to be over the terminology itself, “Spying Guide”, and that is a red herring as well. Yahoo may want to data-mine and aggregate and all that, but why in the hell would they want to SPY, as in Goerge Carlin’s take on privacy “and late at night we read them”? The real concern for many, I think, and this is of even more relevance regarding Google’s user web history database, is how broadly and in what way the databases can be searched. Can the government just get carte blanche access to search for ANYTHING without supplying specific suspect user IDs? In other words, can they search for ANYONE who searched for XYZ whenever and whereever (based on IP geographic locale data).
That’s a lot closer to big brother if they can.