Anyone who uses email or cloud storage should be worried about some news stories of last few days. They show how email hosts and cloud storage is regularly snooped on by law enforcement who also act to keep it secret.
This isn’t targeted court orders against specific people. This is bulk tapping of messages from any least one major online provider.
On a slightly better note, one company shows how to deal with privacy intrusive court orders and still be entirely within the law.
Yahoo ‘hoovers’ email for the US Government
Reuters has discovered that Yahoo created software to allow the US Government (NSA and FBI) to copy all incoming messages or attachments which had certain words or phrases.
This was bulk collection and copying of personal messages in way not seen before.
What makes it troubling is that Yahoo made a special effort, through custom software, to make it happen.
According to experts, it’s the first known example of a broad range and real time check of messages according to certain key words or phrases.
You’d hope that the scanning of messages was for some anti-terror or other high importance crime but there’s no way of knowing that.
While this action was only for incoming emails, it could easily be extended to documents and images saved on cloud storage.
You’d be naïve to think that Yahoo was the only participant in this program. Both Microsoft and Google have denied any involvement but, if they did, they would be forbidden from saying so.
It’s worth noting the Yahoo’s own ‘Transparency Report‘ saying nothing about this major intrusion on customer privacy. The Report is prominently headed by a, now ironic, quote from the Yahoo CEO, Marissa Mayer.
This quote is from the same person who is reported to have authorized the tapping of incoming customer emails over the objections of other executives. And there’s the hacking of Yahoo‘s customer information in 2014 but only disclosed recently.
Unfortunately, none of these reports from any company can be taken at face value. Even if the company honestly wants to be fully transparent to their customers, the company can be legally prevented from telling customers what they are passing to a government.
Signal shows how it should be done
The best way to handle government intrusion on customer data is simple – don’t store any customer data!
That’s what sensible companies do like Open Whisper Systems (OWS), makers of the well-respected Signal messaging app.
The US government served a subpoena on OWS to hand over information they had about two customers. Subscriber details, addresses, telephone numbers, email addresses, method of payment , browser history, IP addresses, server logs etc. They wanted everything Signal/OWS had related to two phone numbers.
Signal complied with everything they had – which was very little. The time the account was created and the last time the user connected to the service. That’s it.
By design, OWS/Signal keeps very little information about their users. None of the messages are retained, not even a ‘call log’ of when, where and who exchange messages on their system.
A typical part of the government intrusion was the ‘gag order’. OWS/Signal was forbidden to tell anyone about the order for a year. There are reports that other orders to online companies have indefinite gag orders. That means the various corporate ‘Transparency Reports’ are incomplete, to put it kindly.
We’re NOT saying you shouldn’t use cloud storage for email and documents. It’s far too useful to totally ignore. But everyone should consider the downside of cloud storage. Emails, documents, images on OneDrive, Google Drive, Dropbox etc are ‘owned’ by those companies which can read your information and pass it onto others.
The news of the last few days confirms what we already knew. Sometimes the companies are legally forced to hand over customer data and forbidden from telling customers that it’s happening. We know that Microsoft has read customers emails for their own self-interest.