Yahoo settles class action suit over scanning email for ad targeting

Yahoo has settled a class action lawsuit over automatically scanning email sent by non-Yahoo Mail customers – including attachments – without consent, in order to deliver targeted ads to Mail users.

The upshot: Yahoo’s going to keep scanning email, but it’s tweaking the timing so that it scans only after the email has reached a user’s inbox.

Outgoing messages will also still continue to be scanned, but only after they show up in the sent folder.

Thursday’s settlement, first spotted by The Recorder, doesn’t include payouts to class members, given that the plaintiffs had earlier in the case dropped demands for statutory damages.

The plaintiffs do plan to seek a $5,000 service award for each of the four class representatives, according to The Recorder, and the lawyers plan to ask for up to $4 million in fees and costs.

The class action lawsuit, which tied together six lawsuits filed in 2013, was given the go-ahead by a US District judge in May 2015.

In the settlement (PDF), posted by Ars Technica, Yahoo agreed that e-mail content will be “only sent to servers for analysis for advertising purposes after a Yahoo Mail user can access the email in his or her inbox.”

As far as the plaintiffs are concerned, this will bring Yahoo in line with the California Invasion of Privacy Act (CIPA).

That law was enacted to prohibit wiretapping of any conversation if there’s a reasonable expectation that it’s not being overheard or recorded.

The plaintiffs had also argued that Yahoo violated the Stored Communications Act (SCA) when it tested Google’s AdSense for Mail in 2013, as well as the federal Wiretap Act.

The SCA addresses voluntary and compelled disclosure of “stored wire and electronic communications and transactional records” held by third-party internet service providers (ISPs).

Yahoo, which wasn’t found guilty of acting unlawfully, has argued that plaintiffs failed to show lack of consent.

The judge found that Yahoo’s terms of service agreement explicitly acknowledged Yahoo’s scanning, fulfilling the Wiretap Act’s requirement that at least one party consent to interception of communications.

The settlement refers to Yahoo’s changes to system architecture and website – i.e. that email will be scanned only after it hits an inbox or outbox – as “significant structural changes.”

These changes have everything to do with getting square with the laws’ restrictions on intercepting email while in transit.

But those changes, which also include tweaks to its privacy statement and other online verbiage, don’t appear to usher in any changes to the actual privacy implications of Yahoo’s habit of scanning email.

Thus, it’s unclear how the settlement will satisfy the plaintiffs, privacy-wise.

Ars Technica points to a redacted September filing (PDF) in which the lawyers for the plaintiffs wrote that Yahoo’s “invasion of the privacy of class members constitutes an irreparable injury.”

Plaintiffs at the time were seeking an injunction that would force Yahoo to stop its scanning without having first secured “consent” and that would require the company to “permanently delete all information it has collected and stored from class members’ email without their consent.”

The plaintiffs have in the past argued that Yahoo could stop scanning email in order to target ads if it wanted to, while still scanning for spam and other abuse.

Ars’s Joe Mullen questions why the class action lawyers are celebrating a settlement that “will change none of those practices. In fact, it explicitly authorizes them.”

The reaction of many has been to look to the $4 million those lawyers will be seeking and to wonder whether the actual wronged parties – non-Yahoo users whose emails were scanned – should have gotten a payout.

But as other internet commenters are pointing out, a class action lawsuit such as this one is more about righting a wrong than scoring a jackpot that’s divisible by the number of parties.

Image of Yahoo HQ courtesy of Ken Wolter /