Yahoo didn't install an NSA email scanner, it was a "buggy" NSA "rootkit"


#1

Originally published at: http://boingboing.net/2016/10/07/yahoo-didnt-install-an-nsa-e.html


#2

I don’t see how that’s anything but worse than the original claim. Oh, we didn’t install it, we just gave the US government carte blanche to do whatever they wanted to do with your emails, intercept, send, block, modify…


#3

As Sam Biddle says, delete your Yahoo account. Do it now!


#4

So are we sure this happened after the big breach in which the email account information was taken? Or is one an example and one a consequence of security not being taken seriously there?


#5

That’s one thing I was wondering.


#6

Did it long ago and told others to - the moment Mayer was appointed, in fact.


#7

I’m curious about the legal liability of companies that permit this sort of software spying. As far as I know, it is illegal for the government to do this on it’s own, though that doesn’t stop them. But here they have the aid of Yahoo, a non-governmental entity.

I haven’t read Yahoo’s user agreement or privacy policy, but let’s just assume this rootkit violates their policies. I’d assume this could support some sort of lawsuit based on fraud or breach of contract (violation of privacy policies, etc.). Proving damages would be difficult or impossible, since I’m sure there’d be no way to tie the gov’t secret actions to some negative consequences. However, there could easily be one of the following results of a suit:

  1. Yahoo must change their privacy policies to indicate that users agree to any manner of secret searches of their info by non-Yahoo persons. Basically, they’d have to tell users that they really have no privacy. If so, this would kill off a huge chunk of their users, since anyone with half a brain would simply not use Yahoo. Bad result for the company.

  2. Yahoo could be enjoined from allowing such rootkits, and must remove them. Could they request the government to remove the rootkits? Would you believe the government if the told you they removed the kits? (No.)

Either way, I have to think that this revelation has torpedoed any trust that users had left in Yahoo.


#8

Someone had better tell Huma Abedin, who apparently would forward Clinton’s State Department emails to her personal Yahoo account for printing at home when she had trouble printing them in Foggy Bottom.


#9

The way I read history, the British crown took an automatic 10% stake in every commercial endeavor in its empire. That gave it enormous power, but it also mandated some responsibility. The crown’s obligation was to protect these company’s interests abroad, even as it reaped the benefits. Bits of the empire started calving off the main 'berg as this investment became a liability rather than an asset.

Now we don’t call it an empire any more, not to its face, anyway, and because of this farce we call a democracy, it’s not a crown with its fingers in every pot. And while this meddlesome partner claims an interest in every single fucking transaction that happens, it also insists on plausible deniability, every single time.

Ultimately, I don’t think this version of empire is going to do any better than that older one.


#10

Haha and there were EU negotiators who thought you can trust the USA on the new Privacy Shield deal. How naive.

The EUCJ isn’t going to like this.


#11

Wow. That’s actually way worse than the original story.


#12

I’m sort of disappointed that Yahoo’s Security Team, having identified the hack of their network, didn’t sabotage it completely in quiet defiance regardless of corporate executive policy. Though the fact that we’re hearing about it now feels like a small victory.


#13

I don’t doubt this happened.
But I’m a little curious why we are hearing about this and the big hack now, right after Yahoo Mail sale was announced.


#14

Too much of my current job search is tied into that… :crying_cat_face: Once I secure employment yeah it is gonna go.


#15

Charlie Biddles’s brother?


#16

So get fired AND go to prison?


#17

For an unattributed accident/error? Obviously, they couldn’t be openly defiant of an arbitrary corporate mandate, but at least they wouldn’t have to defy a Federal order. We’re not talking about some sort of crime, here, it’d be protecting the public from unlawful searches!


#18

For impeding whatever investigation, yes?


#19

Find this in Ars Technica coverage:

In both of these situations, while government computers may electronically touch information about you contained in a digital database, the government actually knows nothing more about you than it did before—unless and until it has a valid purpose for learning that information. Fourth Amendment analysis should be based on that reality, rather than on hypotheticals.

Basically “trust us, we know what we’re doing”.

Sledge Hammer references aside, this assumes the government’s heuristic is perfect (and never wrongly points to an innocent person’s data).

It’s like asking us to accept the following argument:

“It’s okay if police shoot on sight because police only go after criminals.”

No reasonable person could swallow that.


#20

Not to mention the stories we keep seeing about police misusing their databases to spy on their acquaintances and family members.