As it happens, Yahoo has been scanning all inbound email on behalf of the US Government. Reuters broke the story yesterday.
“Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.”
Yahoo built proprietary software to accomplish the task, subverting its own end-to-end encryption, which it had rolled out to secure users’ webmail access. From Mike Masnick’s coverage on Techdirt, we further learn that it did so without informing its CIO and head of security Alex Stamos, or its security department. The security team found the software within weeks after it had been installed and initially worried it was malware and that they had been hacked. The software was also found to contain vulnerabilities which would have made the emails siphoned off under the program accessible to third-party intruders. Stamos resigned over the incident (he is now at Facebook).
I didn’t watch the VP debate last night but I can’t find any references this morning to one or the other pounding his lectern and pledging “to put American citizens’ privacy first!”
Trump has said in the past that “he wouldn’t spy on Americans”. But Max Rosenthal writing for Mother Jones found at least 4 instances where he said he would, including reinstating expired provisions of The Patriot Act. Kind of like The Simpsons’ “Duffman”, when it comes to the always entertaining, rarely syntactically coherent stream-of-consciousness emanating from Trump’s mouth, “The Donald says a lot of things”. He has also in the past talked about shutting down the internet:
“We are losing a lot of people to the Internet. We have to do something. We have to go see Bill Gates and a lot of different people that really understand what’s happening. We have to talk to them [about], maybe in certain areas, closing that internet up in some way.”
Alas, Hillary Clinton is no champion of citizen privacy either. As a career politician she is far more adroit at paying requisite lip service to the need for transparency, accountability (yada yada yada); but if you read between the lines of what she is really saying, we can expect more of the same from many of the tech companies in the US. Her phrase for it was an “intelligence surge” (see: Hillary Clinton Calls for More Surveillance to Fight Terror) when she said she would,
“ask technology companies in Silicon Valley to expand their oversight of posts that could be used to radicalize recruits. Tech companies, she said, should enforce strong service agreements and track questionable content.”
What is troubling about this Yahoo case is that we aren’t talking about a social network where people are posting publicly and gassing their opinions, and where intelligence has the task of combing through these public postings and finding the radical and subversive (and illegal?) bits therein.
This is wholesale keyword search through all incoming private email correspondence to Yahoo. There was no target selection, no specific email addresses codified in a warrant or court order; it was “a directive” and it covered everything.
I’m not sure what bothers me more:
A) that it happened, that it’s really happening (probably elsewhere as well), that it’s not a conspiracy theory;
B) that it’s absent from the dialog. That it’s not an election issue. That voters are not being tasked with choosing between the privacy candidate and the surveillance candidate. It’s that the voters are supposed to ratify one surveillance state candidate vs the other surveillance state candidate. What kind of a choice is that?
It just underscores the harsh truth that electoral politics has devolved into a dumbed-down infotainment reality show. You think this cycle is a freak-show? Next time it’ll be worse. It’ll keep getting worse until the wheels just come right off of this crazy carnival ride.
The “choice” is between two narrowly constrained and largely overlapping platforms with more of the big issues relegated “out-of-scope” than “in-scope”. Meanwhile the policies that are enacted come from behind the scenes. They are seldom spoken of in polite company, and they will move forward regardless of who wins the damn election. Just watch: next year there will be more surveillance, more censorship, more financial repression, more central planning, more economic intervention, and more war, not less.
The only things we will have less of are civil rights and economic freedom.
All you can do as an individual or as an organization is to protect yourself and your communications security as best you can. You can’t expect your government to do it for you, not when they’re the ones doing it to you.
If you are email forwarding to Yahoo and still want to protect the confidentiality and privacy of your business and personal communications, remember that you can GPG encrypt your email forwarders here at easyDNS.
If you want to host your email on servers outside of the USA with a company that absolutely, most assuredly is not wholesale vacuuming your communications on behalf of an intelligence agency, then think about easyMail. It bundles with most of the domain packages around here (for now, we’re going to unbundle them at some point soon).
For the moment, there are no FISA warrants in Canada or, as far as I know, all-encompassing “directives” from intelligence agencies compelling service providers to scan all inbound emails, although as Michael Geist notes this morning, with the Liberal government reviewing Bill C-51 including “lawful access”, that too may change. Before it does, we’ll be there with more crypto and more options for safeguarding your data.
- Things go better with crypto. GPG encrypt your forwarded email.
- The US Government Has No Credibility to Compel Anybody to Weaken Security
- Bill C-30 Awful Access, Especially for ISPs (later passed as C-51)