I've read some comments in response to this thread's posts from various Yahoo! Chat related forums and feel the need to address what some people have said pertaining to this advisory's information I've made public.
It's been said by a few individuals across various chat-related forums that what Yahoo! is currently doing is to be expected, that they're allowed to do this without disclosing the practice of storing our instant message data to their clients and end-users, and other such things. This may be a somewhat common belief within a minority of internet users regarding what ISP's, chat network providers/operators, and any client -> server-based infrastructures including centralized and semi-centralized networks can legally do without informing their customers/subscribers and end-users of such private policies where data collection and storage is involved.
While it is true that most ISP's and chat network providers (to name just a couple) collect their user's data and store it this is usually limited in nature, expiration-based, and done for aiding in cooperation with national and international government agencies such as the FBI, CIA, NSA, as well as local law enforcement if an investigation needs to be conducted. There is a specific judiciary purpose for this private data collection practice to legally occur without it being disclosed to us. This data being stored is only legitimately (excluding hackers) accessible by the operators of these networks, encrypted, and/or isolated where it's inaccessible to everybody
but these network operators and, if cooperation occurs, law enforcement agencies for specific review.
Individual policies and practices afar differ but normally this is the case. Data that is collected and stored is typically limited (at least somewhat) in nature and/or wiped after a set expiration time period has been reached. Usually, upon specific request by law enforcement, targeted individual data collection occurs which is quite common as not all network operators and service providers collect much, if any, user data automatically. Some operators and providers will only do this if it's been legally requested or mandated by the proper authorities and only specific users will be affected under these circumstances.
The main differences with what Yahoo! is currently doing with our instant messaging data are:
- Yahoo! Inc. has written and provided us with expressed statements in the form of opt-out options within their public Privacy Policy. These particular statements are false as they point-blank state (more or less promise) that we can delete our own stored messages if we've enabled archiving, and that we can choose to disable the archived message data collection entirely. This is in direct violation of their own published Privacy Policy document that they're supposed to be adhering to. They also state that this is a Yahoo! Messenger-specific "feature" when it isn't at all... it's a global practice affecting all instant messaging within their chat network. Yet another false statement.
As a direct result our IM privacy is now susceptible to being breached by Yahoo!'s very own authorized employees who supposedly only have "limited access" to our account data and more importantly through security vulnerabilities able to be exploited and used by hackers, crackers, and even script kiddies alike to compromise our Yahoo! accounts. Once an account is now comprised the assailant(s) can, with absolute ease, obtain ALL of our most recent instant message data (up to 40+ messages per account name, per contact) sent and received from our accounts. This jeopardizes both our privacy and potentially even our security.
- Our stored messages, of which we have absolutely no control over managing as far as deletion and disabling (regardless of Yahoo!'s Privacy Policy claims), are directly accessible to ANYONE who has or can gain access to our accounts, both by authorized and unauthorized means.
ISP's, for example, don't grant this administrative/operational-level privilege to their customers, obviously. We don't know if our instant message data is even encrypted in storage on their chat servers, how accessible it is to both the outside and their internal employees. Is it isolated or hidden at all? As far as I can tell these stored messages don't have any reasonable expiration deletion scheduling applied to them, if this is even done for that matter. I've been able to access my messages for days so time will tell to answer that question.
From Yahoo!'s Privacy Policy:
I want to know the true identity of a Yahoo! user. Will you give me their information?
If you are seeking to obtain the account information we may have regarding a specific subscriber, we will need a subpoena or a court order.
If you have obtained a subpoena or a court order for the release of information regarding a Yahoo! member or visitor, please direct it to:
Custodian of Records
Yahoo! Inc.
701 First Avenue
Sunnyvale, CA 94089
Source: http://help.yahoo.com/l/us/yahoo/privacy/requests/privacy-15.html
Obviously, we (or anybody outside of Yahoo! Inc. and the authorities) do not need a subpoena or court order to obtain all of a user's message data. Yahoo! provides the method for retrieval that's simple enough for anybody with access to the account to utilize.
Yahoo!'s track record for it's user's security and privacy is
miserable at best. To make matters worse, this may be
interesting to read as well...
User privacy
On November 30, 2009, Yahoo! was criticized by the Electronic Frontier Foundation for sending a DMCA notice to whistle-blower website "Cryptome" for publicly posting Yahoo!'s "Compliance Guide for Law Enforcement",[71] which details prices and procedures on obtaining private information pertaining to Yahoo!'s subscribers.
Source: http://en.wikipedia.org/wiki/Yahoo
How is this [automatic] online message archiving different from stored offline messages delivered to your Yahoo! accounts?Offline message storage is a known, documented/disclosed, convenient feature that Yahoo! utilizes just as AOL Instant Messenger and other IM chat service providers use. This practice is documented (stated in their Terms of Service and elsewhere), and is accepted as a useful feature for when your account isn't signed in. These messages are only kept on their chat servers (
up until now with their message archiving being done automatically including offline IM's) until they're delivered next time you sign-in. The total amount of offline messages stored for delivery to your account is also quite limited and there is, or at least used to be, an expiration policy if they've been sitting on the chat servers for too long. Granted, however, I have been able to retrieve offline IM's from my accounts that have sat there for a year or more.
Based on Yahoo!'s Privacy Policy statements concerning the analysis and use of our instant message content, I have a good reason to believe (or at least strongly assume) that Yahoo! is mainly doing this for increased advertisement revenue (a lot of which has decreased for them over the years since their active chat and mail userbases have seriously plummeted). They
may be doing this on purpose for increased monetary gain by analyzing everyone's stored instant message data for pushing us specific, targeted advertisements and content of 'relevance' (ie. our specific interests keywords to push ads that would get us to notice and click them), as their Privacy Policy states they _may_ do as they reserve the right to. These ads can be for Yahoo!'s own products, goods, and services or for any of their affiliates or sponsors, in which case they'd receive referral money for not only driving traffic but for if/when purchases of these products, goods, and services are made.
Home
Login
Register