The privacy perils of rocks and hard places

There is more behind the story of Yahoo searching its customers' email

yahoo headquarters
Denis Balibouse/Reuters

It has not been a good couple of weeks for Yahoo. On the heels of the disclosure of a major data breach, the company faced reports that it had created code to search email content for signatures associated with state-sponsored terrorist activity. Yahoo responded cautiously, saying, "Yahoo is a law abiding company, and complies with the laws of the United States.” Later reports from the New York Times and others confirmed the story.

Predictably, the Twittersphere was lit up with privacy and civil liberties advocates crying foul over this latest violation of our technological privacy. The story even made the NBC Nightly News, amid a crowded national election media cycle. Most of the stories and social media responses focused on the violation of privacy, and Yahoo’s culpability in acceding to the FBI’s demand for data.

But shouldn’t we pause for a moment and understand the difficult position that Yahoo faced?

It is clear that the request from the FBI was delivered to Yahoo through an order of the Foreign Intelligence Surveillance Act court (FISA). The proceedings of the FISA court are secret, and the companies receiving orders cannot disclose their receipt or subsequent actions. FISA court orders are, nonetheless, legal obligations to which companies must respond.

Yahoo has history in this regard. In 2007, it fought a FISA court order, claiming that the order to hand over data from email accounts was warrantless and unenforceable. The FISA court ultimately ruled against Yahoo in that case. But what is particularly notable is that Yahoo fought the case under the veil of secrecy that shrouds the FISA courts. In other words, Yahoo made a principled stand in defense of privacy, even when the public and media didn’t know what was happening.

Yahoo also has been explicit in their communications to users through their privacy policies, terms of service, and transparency reports. Legitimate governmental requests for data are clearly spelled out as a manner in which the company will disclose user information.

And herein lies the difficulty of managing data in today’s information economy. On the one hand, organizations are expected to respond to legal requests for data. Indeed, we all should have some expectation that companies will comply with valid governmental demands when our national security and safety are at risk. Not many question the monitoring that tech companies do to help prevent child pornography, spam or malware.

On the other hand, companies also must be stewards of their customers’ data, and that means resisting governmental overreach and abuse. Rock, meet hard place. Imagine how vexing these FISA orders must be for the companies that receive them. The orders are secret. The process is secret. The company cannot notify their customers of the request for their data. And yet, every company receiving a FISA order knows that the brand damage that can occur if the order is ever disclosed can be high. Privacy, it turns out, is a high-risk issue in today’s information economy.

How high is the privacy risk?

Recent reports suggest that Verizon is asking for a cool billion as a discount off of their original offer to acquire Yahoo. Certainly, some of this is related to the previously announced breach of Yahoo accounts, but some portion of that discount must be associated with the brand damage that has occurred with this week’s FISA stories.

Managing privacy expectations in the information economy ain’t easy.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)