Yahoo hops on transparency report bandwagon

Filed Under: Featured, Law & order, Privacy

YahooIn the last few months the giant companies which provide our favourite internet services have been falling over each other to prove their dedication to openness and transparency.

Thanks to PRISM and the numerous other shocks unveiled by Edward Snowden's leaked cache of secret documents, just how much of our data is accessible by government agencies, and how they go about getting at it, is a major question for many people.

Reassuring us that our data is kept as private as possible is thus a must for any provider hoping to hang on to its users.

So, there will be little surprise that Yahoo! Inc. has published a breakdown of which governments have been asking for info on its users, and what data has been handed over.

Following similar reports from Google and more recently Facebook, Yahoo's first Transparency Report covers the first half of 2013, with figures for 17 countries. It has promised to update it every six months.

The limited number of regions featuring in the report is due to it only covering countries where Yahoo maintains a 'legal entity' - essentially, a corporate presence. In other areas, users should be protected from having their government snoop into their doings on Yahoo sites, as there is no local Yahoo branch for the government to put pressure on.

The countries which do have power to request data seem to do so with the usual regularity.

Unsurprisingly, the US tops the list, with 12,444 requests made affecting 40,322 separate users. This is mainly due to a very large user base in Yahoo's native land, where it is the fourth most popular website and picks up a third of its traffic.

US data requests

The second biggest hitter is Germany, at 4,295 requests covering 5,306 user accounts. This is a little more of a surprise as Yahoo's popularity is somewhat lower in Germany than elsewhere, only just scraping into the the top ten sites.

Third place goes to Italy, which asked for info on 2,937 people in 2,637 separate requests. Taiwan (where Yahoo is the most visited site), France, the UK and India made between 1,000 and 2,000 requests, covering between 2,000 and 3,000 user accounts each.

Perhaps more interesting than these raw numbers of requests are the details of how requests were responded to.

Yahoo has helpfully broken down the information, showing how many requests were rejected, how many failed to turn up any information, how many produced user metadata and how many led to actual content (which could include anything from email and messenger traffic to calendars, address books or Flickr photo stashes) being revealed to governments.

Looking at some of these metrics, Hong Kong stands out as something of an outlier.

Hong Kong data requests

Although, uniquely, the country's authorities had no requests turned down, a rather large 36% returned 'no data found'. This suggests, perhaps, that although Hong Kong agencies are very good at ensuring they only put in requests backed up by full legal propriety, they are also somewhat prone to fishing expeditions.

Presumably, if they take an interest in a particular person, they simply send out requests for account information to all potential providers. Yahoo is the fourth most popular site in Hong Kong, on a par with its overall significance worldwide, so police and snoops might fairly expect many of their suspects to hold accounts.

Even when accounts were found to exist, in-depth information was rarely forthcoming, with only 1% returning actual user content. The remaining 63% produced user metadata only, although it's not made clear whether requests generally were for actual content - in many cases, cops may only be after details of IP addresses, for example.

The opposite is true of Canada, where requests were pretty limited at only 29, covering 43 users, but all of them turned up at least some data on the person of interest, barring only a single rejected request.

90% of all Canadian requests produced actual content, implying that the Mounties only go after data they are fairly sure exists and that they can legally demand.

Ireland also failed to turn up any 'no data' entries, but had a rather higher rejection rate, and received only metadata in 70% of cases.

Canada's neighbours to the south had a similarly high hit rate, with only 2% of requests from US agencies rejected by Yahoo and 6% returning no data, but a much higher 55% produced only metadata. Again, it's entirely possible that this was all they were after.

Another country with a high percentage of failed requests is Australia, with 21% returning no data and 34% rejected as lacking adequate legal backing. This reflects rather dimly on the Australian authorities, as not only are they fishing for data rather randomly, they're also often doing it without adequate justification.

India also managed to have 34% of requests turned down, and Singapore - the leader on this scale - had 41% failing to show the proper legal standing. The UK's rejection rate is also pretty high, at 27%.

All in all, some interesting numbers are revealed here. Yahoo may not have the clout of Google, Facebook, Microsoft and Apple these days, but it remains a major player, boasting half a billion users worldwide and a $5 billion turnover.

Although that's only a tenth of the revenues Google generates, its contribution to our privacy (or lack thereof) is well worth keeping an eye on.

If you are a Yahoo user, and live in a region where Yahoo has a major presence, you may want to cast an eye over the numbers for yourself, check out how your government has been acting and ponder what it means.

Are you happy to live in a state which routinely fishes for information on its people's online lives, or are you lucky enough to live somewhere where the authorities make only limited and controlled requests?

, ,

You might like

One Response to Yahoo hops on transparency report bandwagon

  1. JT Reynolds · 406 days ago

    This seems like window-dressing for Yahoo to tell users what we already know: They're giving user data to NSA and other domestic & foreign government agencies. And we know that the NSA's philosophy is, "We're hunting terrorists. We don't need no stinking 4th Amendment."

    Common sense tells me we need to take matters into our own hands to protect what little is left of our privacy. Encryption won't keep NSA out entirely, but it will make it harder for them to pick us out of the crowd. Decrypting still takes extra time & effort and that little bit of hassle may be enough to keep their noses out of your business.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.