Yahoo isn’t happy that a detailed menu of the spying services it provides law enforcement agencies has leaked onto the web.
IN OTHER WIRED ACCOUNTS: YAHOO! , VERIZON: “Our spy capabiltes would “shock”, “confuse” customers
Shortly after Threat Level reported this week that Yahoo had blocked the FOIA release of its law enforcement and intelligence price list, someone provided a copy of the company’s spying guide to the whistleblower site Cryptome.
The 17-page guide describes Yahoo’s data retention policies and the surveillance capabilities it can provide law enforcement, with a pricing list for these services. Cryptome also published lawful data-interception guides for Cox Communications, SBC, Cingular, Nextel, GTE and other telecoms and service providers.
But of all those companies, it appears to be Yahoo’s lawyers alone who have issued a DMCA takedown notice to Cryptome demanding the document be removed. Yahoo claims that publication of the document is a copyright violation, and gave Cryptome owner John Young a Thursday deadline for removing the document. So far, Young has refused.
Yahoo’s letter was sent on Wednesday, within hours of the posting of Yahoo’s Compliance Guide for Law Enforcement at Cryptome. In addition to copyright infringement, the letter accuses the site of revealing Yahoo’s trade secrets and engaging in “business interference.” According to the letter, disclosure of its surveillance services (.pdf) would help criminals evade surveillance.
The Compliance Guide reveals, for example, that Yahoo does not retain a copy of e-mails that an account holder sends unless that customer sets up the account to store those e-mails. Yahoo also cannot search for or produce deleted e-mails once they’ve been removed from a user’s trash file.
The guide also reveals that the company retains the IP addresses from which a user logs in for just one year. But the company’s logs of IP addresses used to register new accounts for the first time go back to 1999. The contents of accounts on Flickr, which Yahoo also owns, are purged as soon as a user deactivates the account.
Chats conducted through the company’s Web Messenger service may be saved on Yahoo’s server if one of the parties in the correspondence set up their account to archive chats. This pertains to the web-based version of the chat service, however. Yahoo does not have the content of chats for consumers who use the downloadable Web Messenger client on their computer.
Instant message logs are retained 45 to 60 days and includes an account holder’s friends list, and the date and times the user communicated with them.
Young responded to Yahoo’s takedown request with a defiant note:
I cannot find at the Copyright Office a grant of copyright for the Yahoo spying document hosted on Cryptome. To assure readers Yahoo’s copyright claim is valid and not another hoary bluff without substantiation so common under DMCA bombast please send a copy of the copyright grant for publication on Cryptome.
Note: Yahoo’s exclamation point is surely trademarked so omitted here.
The company responded that a copyright notice is optional for works created after March 1, 1989 and repeated its demand for removal on Thursday. For now, the document remains on the Cryptome site.
Threat Level reported Tuesday that muckraker and Indiana University graduate student Christopher Soghoian had asked all agencies within the Department of Justice, under a Freedom of Information Act (FOIA) request, to provide him with a copy of the pricing list supplied by telecoms and internet service providers for the surveillance services they offer government agencies. But before the agencies could provide the data, Verizon and Yahoo intervened and filed an objection on grounds that the information was proprietary and that the companies would be ridiculed and publicly shamed were their surveillance price sheets made public.
Yahoo wrote in its objection letter that if its pricing information were disclosed to Soghoian, he would use it “to ’shame’ Yahoo! and other companies — and to ’shock’ their customers.”
“Therefore, release of Yahoo!’s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies,” the company added.
The price list that Yahoo tried to prevent the government from releasing to Soghoian appears in one small paragraph in the 17-page leaked document. According to this list, Yahoo charges the government about $30 to $40 for the contents, including e-mail, of a subscriber’s account. It charges $40 to $80 for the contents of a Yahoo group.