Saturday, June 08, 2013

Analyzing Yahoo's PRISM non-denial

Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems.

Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data.

"We want to set the record straight about stories that Yahoo! has joined a program called PRISM through which we purportedly volunteer information about our users to the U.S. government and give federal agencies access to our user databases. These claims are false." [emphasis added]

No one has claimed that the PRISM program is voluntary. As the Director of National Intelligence has confirmed, the PRISM program involves court orders granted using Section 702 of the Foreign Intelligence Surveillance Act.

By falsely describing PRISM as a voluntary scheme, Yahoo's general counsel is then able to deny involvement outright. Very sneaky.

"Yahoo! has not joined any program in which we volunteer to share user data with the U.S. government. We do not voluntarily disclose user information."

Again, PRISM has nothing to do with voluntary disclosures. These are compelled disclosures, pursuant to an order from the FISA court.

"The only disclosures that occur are in response to specific demands."

The government can make a specific demand for information about all communications coming to or from a particular country. This is an empty statement.

"And, when the government does request user data from Yahoo!, we protect our users."

Claiming to "protect our users" means nothing.

"We demand that such requests be made through lawful means and for lawful purposes. We fight any requests that we deem unclear, improper, overbroad, or unlawful."

When the law allows blanket surveillance, "lawful means and lawful purposes" doesn't mean anything.

"We carefully scrutinize each request, respond only when required to do so, and provide the least amount of data possible consistent with the law."

When a FISA court order demands blanket surveillance, responding only when required to do so is an empty promise, as is providing the least amount of data possible.

"The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false."

Elsewhere in the post, Yahoo uses the terms "user data" and "user information". Why the sudden switch to the term "users' records"? This seems to deny participation in a Section 215 metadata disclosure program (see: the Verizon Business order revealed earlier this week), which has nothing to do with PRISM.

In any case, the PRISM scandal is not about unfettered access to users' data. It is about giving the government data in which one party of the communication is not in the US. Yahoo is not accused of giving the government unfettered access to communications where all parties are in the US.

"Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive."

Note the use of the word directive in this statement, which does not mean voluntary. Now see below.

"Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested."

Here, Yahoo switches to using the term "requests" which are voluntary, not demands. The government is not obligated to describe "a specific legal purpose" when it has obtained a court order compelling the disclosure of data. It is only when the government is making a voluntary request of Yahoo that the company has the ability to set terms for the disclosure.

"Then, and only then, do our employees evaluate the request and legal requirements in order to respond—or deny—the request."

Yahoo has flexibility when the government makes a request for data. The company has far less flexibility when it receives a court order demanding the disclosure of data.

"We deeply value our users and their trust, and we work hard everyday to earn that trust and, more importantly, to preserve it."

If that were true, Yahoo would protect the privacy and security of its customers by enabling HTTPS by default for Yahoo Mail. Yahoo was the last big email provider to even offer HTTPS as an opt-in option, and has still not enabled it by default.