Urgent Advisory: Yahoo! IM Privacy EXPOSED - EVERYONE IS AFFECTED!

[Adam X]

Server Bugs or Hidden Agenda? You decide...

Ever since Yahoo! Messenger version 11 beta was released to the public we've been able (had no choice) to archive our instant messages (PMs) & SMS text messages online stored directly on their servers. Since Yahoo! got rid of their decade old .dat file message archives locally saved on your computer they've left us no choice but to use and manage our archives online (on their servers) in Yahoo! Messenger 11 (older versions still support the old, local message archiving).

We all knew, or at least most of us, with Yahoo!'s track record of privacy & security being so poor, that this new move to store our messages online was a BAD ONE!

Of course, we were right, and not just because of the future potential risk of exploitation, but for another reason that I'll disclose here (which may shock a lot of you).

Now I wish I would've looked into this 4 1/2 months ago when YM 11 beta was released. Better late noticing this than never.

That said... here are some very important things you currently need to know.

Yahoo! states in their Privacy Policy that we, the users of these features, have complete control over whether or not your instant messages are stored on their servers. It's specifically stated in here that we can choose to opt-out, elect to not store them on their servers at all. This means they're saying that we can not only disable this so it no longer occurs but also that we can delete our instant messages that are stored so they are erased from their servers. Even more, they state that this is JUST a Yahoo! Messenger 11 "feature" and that only in this specific version of Messenger will the practice of archiving our messages be exercised (if we opt-in to, so choose to).

The above excerpts mentioned from their Privacy Policy are not honored and as a result our right to opt out of storing our messages is not currently possible; our choice to disable this from occurring and privacy as a result is not respected.

- Yahoo! now appears to be exercising a new, shady, undisclosed, 'private [mal]practice' of storing all of our instant messages, without our consent and without our knowledge, whether we like it or not.

- ALL instant messages (PMs) are now stored on the Yahoo! chat servers when sent both to and from your names (main id username and any aliases you may have on your account), whether you were online or not at the time (meaning all offline messages too).

- Online Message Archiving is done regardless, even if you disable it.

- Deleting your Archived Messages still does not remove them from the chat servers that they also reside on.

- Yahoo! Messenger's Online Archive Viewer lies and doesn't show all the messages that are stored on the chat servers that Yahoo! Messenger 11 beta's Recent Messages feature retrieves and displays within your PM windows (fetched for a specific username). The full picture is not shown for us to see in their Online Archive Viewer / Conversation History Manager which YM 11 provides us through it's Preferences.

- Online Message Archiving of our instant messages is being done BY DEFAULT, automatically, on their chat servers and this affects ALL Yahoo! Chat ID's, whether you're using Yahoo! Messenger 11 or ANY other chat client that exists.

EVERYTHING IS AFFECTED:

- ALL versions and builds of Yahoo! Messenger
- Yahoo! Web Messenger @ http://web.im
- Yahoo!'s Mobile Messenger @ http://m.yahoo.com/messenger
- E-mail supported instant messaging from within Yahoo! Mail
- ALL 3rd party chat clients (YahELite, YaZak, Y!Supra, Y!Epic, Pidgin, Trillian etc)

This is being done for EVERYBODY at the CHAT SERVER-LEVEL. There currently is NO WAY to disable our instant messages to and from our account names from being stored on Yahoo!'s YMSG chat servers and there is NO WAY to delete them from here either! We have absolutely no control over this.

Go ahead and delete all of your archived messages from within Yahoo!'s browser-based Web Messenger archive manager and the messages will still be there, stored on their YMSG chat servers, even though you've deleted the messages and disabled the archiving. You can delete all your IM's from Yahoo! Messenger 11's Conversation History archive manager too, as well as directly disable it, and your instant messages will still be stored on their chat servers. While doing these two steps in attempt to stop this practice does delete them from their mail servers that your messages are stored and retrieved on, they do not delete these same messages stored on the YMSG chat servers and storage continues to happen regardless!

- Yahoo! is referring to their new Messenger online archiving (conversation history) as a feature only from within Yahoo! Messenger 11 beta when this couldn't be further from the truth. In reality, your instant messages are being stored on both their mail servers, which you have control over (archive managers), but, most importantly, also from their own chat servers which we have no control over. Whether you've deleted all your messages and disabled the archiving 'feature' from within Yahoo! Messenger 11 and/or from within Web Messenger itself; all of our messages are still collected and stored on their chat servers, making the entire point of being able to disable the HTTP/Mail server-stored message archiving and deleting our stored IM's MEANINGLESS.

Yahoo!'s current (behind-the-scenes malpractice) of Online Message Archiving favors Accessibility & Convenience over OUR PRIVACY!

- Yahoo! DOES NOT inform us that this is being done regardless of whether you even use the online archiving, have disabled it, or have deleted all your messages. They continue to store our 'Recent Messages' nonetheless.

The best way to PROVE this is happening, without your knowledge and definitely without your consent, is to follow these brief simple steps...

1) Create a brand new Yahoo! id or use an existing one, any id that can log into their chat servers.

2) Log-in with any 3rd party chat client such as YahELite, Y!Epic, Y!Supra, Pidgin, Trillian, Y!Hook, YaZak etc... whichever you choose. You can also log-in to any version/build of Yahoo! Messenger previous to Yahoo! Messenger 11 and this will offer the same proof (since this conversation history "feature" is only supposed to be in Yahoo! Messenger 11 beta & Yahoo! Web Messenger). Yahoo! Messenger versions 8.0/8.1 - 10.0 will work fine for this test because they don't have this new Conversation History for archiving our messages on their servers. However, you'll soon witness that this doesn't matter one way or another.

3) Send an instant message (PM) to any username, and, if you care to, have that user send one or two messages back to you (they can be a friend or not, doesn't matter whatsoever).

4 Download and install Yahoo! Messenger 11 beta (http://xh.yimg.com/gj/msgr/11/client/ymsgr1100_1751_us.exe), if you already don't have it, and then sign-in with the same account name you used to instant message the person's username from the previous step.

5) Open a new instant message window with that same person's username, click inside the text display screen area of the instant message window to get focus for it, and then on your keyboard press the F3 key to use the Recent Messages feature.

*These 5 simple steps will show the last 40+ (maximum of 50 is supported) messages you've exchanged between the username you contacted or were contacted by. Your PM window, once you press the F3 key, will fetch your stored messages from the YMSG chat server and they will be displayed in the window for the specific user you've chosen to download and view them for.*

Alternatively, you can avoid using Yahoo! Messenger entirely, as the ultimate test, and send this Recent Messages YMSG service packet (0x011B / 283) yourself from your very own Yahoo! chat client, if you're a programmer, to witness this yourself. Your messages are being stored automatically by Yahoo! on their chat servers and you're able to retrieve them from ANY YMSG login implementation (Web Messenger, YMSG/HTTP which uses the same Web/YMSG XML-based protocol as Web Messenger, or straight YMSG protocol using their own sets of chat servers). The YMSG protocol version you use does not matter as this will work with them all.

Since there is nothing we can do about this (outside of Yahoo! Inc.), the following solutions can be used so this can be avoided or at least partially remedied:

1) Encrypt or encode your instant messages (PMs) when sending them out. They will still be stored by the chat servers but it's a partial solution to obscure the stuff you've typed.

Unfortunately, this doesn't help with instant messages that you receive unless the senders of these messages also encrypt/encode their own instant messages to you. So this is a partial solution to the problem if only one side encodes their instant messages but serves as a full solution if BOTH sides utilize this.

2) Force your Yahoo! Messenger sessions to go Peer-to-Peer when instant messaging your friends and vice versa. This establishes a direct connection to them or to you, whatever is negotiated, and as a result Yahoo!'s chat servers can not store an archive of your messages because they don't pass through their chat servers at all.

You can only establish direct Peer-to-Peer IM/PM sessions with friends on your list, and, your friends have to also be using Messenger. You'll want to be on their friends list too, which is a requirement, for this to work correctly. If you are behind a router you may need to port forward TCP port 5101, which can be changed through the registry to another server port of your choosing, unless your friend happens to not be behind a router at all. If your friend isn't behind a router but you are then this means you can connect out to them instead of them connecting to you without worrying about having to forward your direct IM server port in your router.

3) Simply AVOID using instant messages/PM's entirely. Instead, use chat rooms, conferences, and even SMS text messages to communicate instead. Voice chat (chat rooms and PC to PC calling / PC to phone calls and vice versa) would work fine too. Yahoo! does support the conversation history 'Recent Messages' practice for SMS text message storage too but it currently doesn't work properly yet when attempting to retrieve them (which is GOOD thing for us at the moment). You can, for now at least, get away with SMS text messaging your friends without worrying about them being accessible over the YMSG chat servers.

4) You can use Yahoo! Pingboxes (up to 10 per account) to message your friends and webpage visitors and avoid your instant messages being stored on their chat servers as well. As with the SMS texting solution, which is just a current one, Pingbox messaging also supports this shady Recent Messages/Conversation History "feature" too but it doesn't correctly work yet to store and retrieve your instant messages. You should use Pingbox messaging and SMS text messaging with caution as these services may soon be fixed to start storing your messages for retrieval.

The most practical way to protect yourself from this privacy risk is to use solution #3 by simply not using instant messages/private messages at all until this privacy "bug" is fixed. It wouldn't take much for a person to take your account and read your messages from the chat servers. The attacker could literally (programmatically or manually) go down your entire buddy list, one by one friend username at a time, and retrieve all messages sent bidirectionally (both to you and from all of your friends that have instant messaged you) with ease. SCARY thought.

Yahoo!'s Privacy statement covering the Message History/Conversation History in Yahoo! Messenger 11 beta --> http://info.yahoo.com/privacy/us/yahoo/messenger/pc/details.html

Conversation History, Access, and Search

    You may now archive Yahoo! instant messages along with Yahoo! Mail messages and search them together (in addition to Voice Mail, SMS, call history, and more).

        For users that have elected to archive their messages, Yahoo! Messenger will now archive messages on Yahoo! servers to establish and maintain this archive.

        Messages stored on Yahoo! servers in this manner are accessible from any computer system or device able to use the latest versions of Yahoo! Messenger for PC.

        You can view your Yahoo! Messenger conversation history and Yahoo! Mail archive (if they are tied to the same user ID) on Messenger through ?Conversation History? in your settings.

        You can turn off this feature for instant messages at any time by selecting ?Do not keep a record of my conversations?.

        Please be aware that even if you choose not to save your message history, users with whom you communicate may opt to use the functionality available in their version of Messenger to save the communications and your conversations may be saved on Yahoo! servers, just like email.
       
        You can delete your archived messages by selecting the message, and clicking on the ?Delete? button. However, this does not delete any of your conversations saved by other users.
       
        Yahoo! may analyze instant messages you elect to archive in order to provide personally relevant product features, content, advertising, spam and malware detection.
       
        For more questions on this new feature, please see our Mail Beta FAQ.

Personally Relevant Experiences

    If you chose to store your instant messages, Yahoo! provides personally relevant product features, content, advertising, spam and malware detection by analyzing your archive. Some of these features and advertising will be based on our understanding of the content and meaning of your instant messages. For instance, we analyze instant messages to identify key elements of meaning and then categorize this information for immediate and future use.

        This information may also be used for interest-based advertising. To view interests associated with this web browser and opt-out of some or all interest categories, please visit our Ad Interest Manager.

        Please refer to our Help Pages to learn more.

*Important Note* The above privacy statement doesn't tell you that your messages are being stored automatically, whether you delete them through the online archive manager, or whether you disable the feature entirely. Yahoo! then states that they _may_ analyze your stored messages (their contents) so they can push you specific 'content' and advertisements. This means that Yahoo! _may_, if they so choose, use the content from your stored instant messages to deliver you targeted, specific ads, related to your message content, throughout their services (Yahoo! Mail, Yahoo! Messenger, etc). They reserve the right to do this which is where the hidden agenda theory comes into play; being that you can't currently "opt-out" of their message archiving done on their chat servers (which I believe was done on purpose).

After you've confirmed this for yourself (or taken my word for it)... feel free to contact Yahoo! Inc. and let them know that what they're doing is VIOLATING your privacy rights, without your knowledge, and without your consent!

Contact Resources:

Yahoo! Inc.
Customer Care - Privacy Policy Issues
701 First Avenue
Sunnyvale, CA 94089
(408) 349-5070

Yahoo! Privacy - File a Complaint --> http://help.yahoo.com/l/us/yahoo/privacy/general.html
Make sure to use the preset Subject field list item "Privacy Violations" when filing your own complaints if you choose to.

[Adam X]

Here are the complete technical details (YMSG packets included) concerning this privacy issue

There are 3 online message archive managers/viewers that all work to serve you your archived messages. This takes place over HTTP protocol (SOAP implementation etc). All of these archives can be disabled and as a result they will no longer store your instant messages.

However, since this privacy issue affects the message storage on the [YMSG] CHAT servers directly, the small benefit you receive by disabling your archives (which only applies to the MAIL servers) isn't even worth doing.

The YMSG packet to DISABLE Yahoo! Messenger 11's Conversation History online message archiving feature:

YMSG Service (Packet Type) 0xEF / 239

1Login_ID30231230031231353140301312303312


To ENABLE Yahoo! Messenger 11's Conversation History online message archiving it's the same packet but with a single byte value difference:

1Login_ID30231230031231353141301312303312

This same 0xEF packet is also used in Yahoo!'s Web Messenger (http://web.im) except it's payload key's values are different for disabling and enabling it's own Message History archive.

DISABLING the Message History online message archiving used in Web Messenger & YMSG/HTTP chat protocol implementations:

1^$ Login_ID ^$302^$312^$300^$312^$313^$2^$314^$2^$301^$312^$303^$312^$


ENABLING the Message History online message archiving in Web Messenger & YMSG/HTTP chat protocol implementations:

1^$ Login_ID ^$302^$312^$300^$312^$313^$2^$314^$3^$301^$312^$303^$312^$

*Note the differences within this same packet type, especially where I've bolded, underlined, and italicized the relevant YMSG key/value pairs used*


The Recent Messages YMSG packet, the root of this privacy issue, is used to fetch and view all your instant messages even with all the archives supposedly disabled and with the messages in them supposedly deleted:

YMSG Service (Packet Type) 0x011B / 283

1Your_ID5Users_ID46050

The above Recent Messages packet can be used from ALL YMSG protocol versions and implementations and it will retrieve the instant messages you've requested from your own main id or account aliases for the target username (friend, chat user, whoever). Sending this packet will pull your instant messages directly from the YMSG chat servers, not from the HTTP archive's management location (the mail servers).

You'll realize now that Yahoo! is storing ALL your instant messages, without your knowledge or consent, and without offering you a WORKING way to either delete these stored messages OR a WORKING way to stop the chat servers from continuing to store all your current and future messages.

The bolded 50 value in the Recent Messages packet is the max count (at present) for requesting how many messages to pull from the chat server with your account name (alias or main id) + the target username. If you only want to check 15 or 20 messages then you simply replace the 50 value with 15 or 20, as long as it's at least 1 it'll return the stored message to you.

You can also retrieve your Facebook (if you have your FB account "linked" to your Yahoo! account), MSN/WLM, LCS/Reuters, and IBM Lotus Sametime instant messages as well as your SMS text messages (SMS text message storage currently isn't working but will be at some point in time), even your Pingbox messages (Pingbox message storage currently isn't working but will be at some point in time).

Instead of using a standard Yahoo! username to fetch the messages for a target user you would use the person's mobile phone number, exclusively for SMS Text message retrieval. Also, instead of using a standard Yahoo! username to fetch the messages for a target user you would use the person's Visitor ID number (such as 334 for example), exclusively for Pingbox message retrieval.

An example for US mobile phone number (target user) syntax is --> 1+Area Code+Number together such as "19371234567". Facebook, MSN/WLM, IBM Lotus Sametime, Yahoo! Pingbox, and LCS/Reuters instant messages all have their own network identification key/value pairs which you need to add to the end of the Recent Messages packet in order to retrieve messages from people using these chat networks which you've communicated with.

The Key/Value pairs for network identification of all these interoperable chat networks are listed below:

Microsoft (LCS) Live Communications Server (Reuters Messaging Network) --> 2411

Microsoft Windows Live (MSN) --> 2412

IBM Lotus Sametime --> 2419

Yahoo! Pingbox --> 241100

Facebook Chat --> 24113


Facebook instant messaging over Yahoo! Chat utilizes a user-unfriendly numeric id code which looks like --> -xxxxxxxxx@chat.facebook.com, where the x's are numbers 0-9 for identifying and messaging your specific friends over the bridged chat network. You would use it's unique (listed above) key/value pair at the end of the Recent Messages packet and use their personal numeric id username for retrieving the stored instant messages. From within Yahoo! Messenger 11, you can simply right-click on a friend and view their profile and then obtain their personal numeric id OR just simply open up a PM window with them (press F3 on your keyboard) and you'll see the messages you've sent one another.

Separate records exist for all names on your account that you may have (main id + up to 6 aliases = 7 total) where the message store is independent and based on your account names that you've used to communicate with each person's usernames (which includes their aliases too). I've attempted to max this out (all 50) and request even more messages but the most you'll see is 40-42 if your message storage for that particular user is full. The message count is a combination of messages that you've both received and the messages you've sent to the username. After 40+ messages have been stored the chat servers will start to discard the oldest messages and replace them with any newer messages between you and the user if you've exchanged more instant messages with each other since you last had contact. This behavior for only storing the most recent messages, in this case (up to 40+ max), and discarding the old is known as FILO (First In, Last Out) management.

The 3 message archive managers/viewers you have are within Yahoo! Messenger 11 beta (Conversation History), Web Messenger (Message History), and inside Yahoo! Mail if you have a mail account (Search Messages).

While all three HTTP-based message archives, which store and retrieve your messages from the mail servers, can be disabled and the messages deleted... this does not disable the recent message archiving or even delete a single one of your Recent Messages from the chat servers they're stored on!

[Adam X]

This is my formal complaint that I filed with Yahoo! Customer Care detailing their privacy violation concerning their new Conversation History IM storage practice.

I used their official complaint submission form to file but you can also e-mail them at privacypolicy@cc.yahoo-inc.com to contact Yahoo! Customer Care regarding their entire Privacy Policy.

Instead, I would recommend using their official complaint form here --> http://help.yahoo.com/l/us/yahoo/privacy/general.html as they may not even read or respond to an e-mail since there are form submission format requirements for processing that your e-mail won't contain.

First off, I'll introduce myself. I'm a professional software developer, network security auditor, systems architect, and the lead security researcher at Torseq Technologies (an independent security R&D group). I have been using Yahoo!'s services, specifically Yahoo! Chat, every day, for nearly a decade. I'm also a co-author of several chat-based applications that interoperate with Yahoo! Messenger and Yahoo! voice chat (YTK & VC Sync), both commercial and freeware programs respectively.

Recently, after installing your latest Yahoo! Messenger 11 beta build, I decided to investigate your new Conversation History feature for it's online message archiving functionality (stored on your servers). What I discovered is very DISTURBING with this particular "feature" you've now added. After lots of research and testing I've concluded that your Conversation History/Message History functionality VIOLATES our end-user right to privacy and completely contradicts your very own privacy policy (concerning this feature) in numerous ways.

Here is a brief overview of what this privacy violation is comprised of:

- Your new, _supposedly_ Yahoo! Messenger-specific, Conversation History message archiving feature is flawed. While you can disable the Conversation History feature within Messenger's preferences, as well as in your Web-based Messenger, both DO NOT prevent ALL instant messages from continuing to be stored on your chat servers.

- As stated above, disabling the message archives in both versions of Yahoo! Messenger (web and YM 11) does not stop the collection of ALL instant messages sent & received from your Yahoo! account ID's. Even more, when you delete the messages that are retrieved and displayed in your message archives they DO NOT delete these messages from the YMSG chat servers, which is your first/primary storage location for them to reside. Instead, all that happens is the messages, stored as records, are only deleted (over HTTP) from your mail servers; the servers that your archive managers use for viewing and deleting these messages.

- The storage of all our instant messages is done at the CHAT SERVER-LEVEL, meaning, they'll be collected and stored regardless of whether you use Yahoo! Messenger for the Web (with archiving turned off here), Yahoo! Messenger versions 8.0/8.1 - 11 beta, Mobile Messenger (WAP), IM'ing from within Yahoo! Mail, or from any 3rd party chat client that uses your chat network. We (the end-users) have not been informed by you that this is [automatically] going on, we have not given our consent for this practice to take place, NOR have we been given the ability to STOP this from occurring.

Yahoo! Messenger 11's "Recent Messages" feature, which is supposed to be complementary to your message archive, reveals ALL of our instant messages (including from Facebook friends, IBM Lotus Sametime, LCS, and MSN/WLM users) being stored on your YMSG chat servers. Up to 40+ (50 maximum) IM's are stored per username from our account, per user that we've contacted or been contacted by, all retrieved with the "Recent Messages" service packet (YMSG service type 283). While this _could_ be an event-synchronization bug between your message archive management over HTTP and the chat server-stored messages over YMSG (message deletion from your mail servers not removing the messages from the chat servers properly, for instance), I find this hard to believe for a couple reasons. Disabling the Conversation History archive in YM 11 and YM for the Web uses the YMSG service type 239 packet which is sent to the chat server, the same primary location that all these instant messages reside on.

This is starting to get really suspicious now. Could there REALLY be TWO bugs of such importance having gone unnoticed, especially for so long?! Yahoo! Messenger 11 beta has been out for over 4 1/2 months now. There's no telling how long this has been going on but I'll bet it's been AT LEAST 5 months. Your Conversation History privacy statement also discloses that Yahoo! _may_ exercise the right to analyze our stored message's content... "in order to provide personally relevant product features, content, advertising, spam and malware detection".

Your privacy statement then goes into even more detail...

"Yahoo! provides personally relevant product features, content, advertising, spam and malware detection by analyzing your archive. Some of these features and advertising will be based on our understanding of the content and meaning of your instant messages. For instance, we analyze instant messages to identify key elements of meaning and then categorize this information for immediate and future use. This information may also be used for interest-based advertising."

These aforementioned archive "bugs" need to be addressed and corrected ASAP! Hundreds are now aware of this and soon there will be thousands of upset Yahoo! chat users since I published all my findings the other day to my community forum. If this serious issue isn't rectified within a timely manner, or you don't AT LEAST come forward and INFORM your entire chat userbase (via blog post, YMSG system message notification, or updated privacy policy change) that this is happening, I'll be forced to take my own further action. If you choose to disregard this complaint I've filed with you here then I'll also have no choice but to publish all of my findings but this time to the proper security communities I'm a part of (Security Focus/Bugtraq & Secunia).

I expect a REAL person to contact me, not an automated e-mail, at the e-mail address I've supplied and I'll get back to you so WE can work on getting these flaws resolved for the millions of Yahoo! chatters around the world. The consequences are great, especially for those users who end up with their accounts compromised, where all it takes is this little bit of knowledge to collect all of their instant messages they've sent and received from friends, family, and co-workers.

Regards,
Adam {Torseq Technologies}

[Adam X]

I've read some comments in response to this thread's posts from various Yahoo! Chat related forums and feel the need to address what some people have said pertaining to this advisory's information I've made public.

It's been said by a few individuals across various chat-related forums that what Yahoo! is currently doing is to be expected, that they're allowed to do this without disclosing the practice of storing our instant message data to their clients and end-users, and other such things. This may be a somewhat common belief within a minority of internet users regarding what ISP's, chat network providers/operators, and any client -> server-based infrastructures including centralized and semi-centralized networks can legally do without informing their customers/subscribers and end-users of such private policies where data collection and storage is involved.

While it is true that most ISP's and chat network providers (to name just a couple) collect their user's data and store it this is usually limited in nature, expiration-based, and done for aiding in cooperation with national and international government agencies such as the FBI, CIA, NSA, as well as local law enforcement if an investigation needs to be conducted. There is a specific judiciary purpose for this private data collection practice to legally occur without it being disclosed to us. This data being stored is only legitimately (excluding hackers) accessible by the operators of these networks, encrypted, and/or isolated where it's inaccessible to everybody but these network operators and, if cooperation occurs, law enforcement agencies for specific review.

Individual policies and practices afar differ but normally this is the case. Data that is collected and stored is typically limited (at least somewhat) in nature and/or wiped after a set expiration time period has been reached. Usually, upon specific request by law enforcement, targeted individual data collection occurs which is quite common as not all network operators and service providers collect much, if any, user data automatically. Some operators and providers will only do this if it's been legally requested or mandated by the proper authorities and only specific users will be affected under these circumstances.

The main differences with what Yahoo! is currently doing with our instant messaging data are:

- Yahoo! Inc. has written and provided us with expressed statements in the form of opt-out options within their public Privacy Policy. These particular statements are false as they point-blank state (more or less promise) that we can delete our own stored messages if we've enabled archiving, and that we can choose to disable the archived message data collection entirely. This is in direct violation of their own published Privacy Policy document that they're supposed to be adhering to. They also state that this is a Yahoo! Messenger-specific "feature" when it isn't at all... it's a global practice affecting all instant messaging within their chat network. Yet another false statement.

As a direct result our IM privacy is now susceptible to being breached by Yahoo!'s very own authorized employees who supposedly only have "limited access" to our account data and more importantly through security vulnerabilities able to be exploited and used by hackers, crackers, and even script kiddies alike to compromise our Yahoo! accounts. Once an account is now comprised the assailant(s) can, with absolute ease, obtain ALL of our most recent instant message data (up to 40+ messages per account name, per contact) sent and received from our accounts. This jeopardizes both our privacy and potentially even our security.

- Our stored messages, of which we have absolutely no control over managing as far as deletion and disabling (regardless of Yahoo!'s Privacy Policy claims), are directly accessible to ANYONE who has or can gain access to our accounts, both by authorized and unauthorized means.

ISP's, for example, don't grant this administrative/operational-level privilege to their customers, obviously. We don't know if our instant message data is even encrypted in storage on their chat servers, how accessible it is to both the outside and their internal employees. Is it isolated or hidden at all? As far as I can tell these stored messages don't have any reasonable expiration deletion scheduling applied to them, if this is even done for that matter. I've been able to access my messages for days so time will tell to answer that question.

From Yahoo!'s Privacy Policy:

I want to know the true identity of a Yahoo! user. Will you give me their information?

If you are seeking to obtain the account information we may have regarding a specific subscriber, we will need a subpoena or a court order.

If you have obtained a subpoena or a court order for the release of information regarding a Yahoo! member or visitor, please direct it to:

Custodian of Records
Yahoo! Inc.
701 First Avenue
Sunnyvale, CA 94089

Source: http://help.yahoo.com/l/us/yahoo/privacy/requests/privacy-15.html

Obviously, we (or anybody outside of Yahoo! Inc. and the authorities) do not need a subpoena or court order to obtain all of a user's message data. Yahoo! provides the method for retrieval that's simple enough for anybody with access to the account to utilize.

Yahoo!'s track record for it's user's security and privacy is miserable at best. To make matters worse, this may be interesting to read as well...

User privacy

On November 30, 2009, Yahoo! was criticized by the Electronic Frontier Foundation for sending a DMCA notice to whistle-blower website "Cryptome" for publicly posting Yahoo!'s "Compliance Guide for Law Enforcement",[71] which details prices and procedures on obtaining private information pertaining to Yahoo!'s subscribers.

Source: http://en.wikipedia.org/wiki/Yahoo

How is this [automatic] online message archiving different from stored offline messages delivered to your Yahoo! accounts?

Offline message storage is a known, documented/disclosed, convenient feature that Yahoo! utilizes just as AOL Instant Messenger and other IM chat service providers use. This practice is documented (stated in their Terms of Service and elsewhere), and is accepted as a useful feature for when your account isn't signed in. These messages are only kept on their chat servers (up until now with their message archiving being done automatically including offline IM's) until they're delivered next time you sign-in. The total amount of offline messages stored for delivery to your account is also quite limited and there is, or at least used to be, an expiration policy if they've been sitting on the chat servers for too long. Granted, however, I have been able to retrieve offline IM's from my accounts that have sat there for a year or more.

Based on Yahoo!'s Privacy Policy statements concerning the analysis and use of our instant message content, I have a good reason to believe (or at least strongly assume) that Yahoo! is mainly doing this for increased advertisement revenue (a lot of which has decreased for them over the years since their active chat and mail userbases have seriously plummeted). They may be doing this on purpose for increased monetary gain by analyzing everyone's stored instant message data for pushing us specific, targeted advertisements and content of 'relevance' (ie. our specific interests keywords to push ads that would get us to notice and click them), as their Privacy Policy states they _may_ do as they reserve the right to. These ads can be for Yahoo!'s own products, goods, and services or for any of their affiliates or sponsors, in which case they'd receive referral money for not only driving traffic but for if/when purchases of these products, goods, and services are made.

[Adam X]

I'm still working on this. It's now been days since I filed my complaint to Yahoo!'s Privacy Customer Care department. I've heard nothing back so my next move is to forward my complaint to Yahoo! Security. After a few days of waiting for them to get back to me, if they do at all, then I'm going to either release this information to miscellaneous, highly respected, security sites (Secunia, Security Focus Bugtraq list, etc) and/or forward the information directly to the EFF (Electronic Frontier Foundation) http://www.eff.org, if it comes down to this.