Thursday October 17, 2019
Dec-04-2009 23:57TweetFollow @OregonNews
Yahoo's Guide For Law EnforcementErsun Warnke Salem-News.com Business/Economy Reporter
Yahoo's Guide For Law Enforcement is only one documented example of just how loose internet providers are with their client's data.
(EUGENE, Ore.) - "What information can Yahoo provide without a warrant? Name, location, IP addresses; any email; time, date, and IP address logs for Chat and Messenger; files, photos, and messages; member lists, and group activity logs."
I just published an article entitle Techno-Regulatory Arbitrage and the Future of the Internet. That article addresses the lack of constitutionally guaranteed rights as they apply to internet communications.
Following publication of the Techno-Regulatory Arbitrage article, I came across a recently leaked internal Yahoo document that describes exactly what information they store and provide to Law Enforcement. The complete document is available here: COMPLIANCE GUIDE FOR LAW ENFORCEMENT Nothing in this document is particularly extraordinary because it is written in accordance with the requirements of U.S. law, particularly the Stored Communications Act, 18 U.S.C. 2703. Every internet service provider must have similar policies in order to comply with U.S. law.
I will break down the information available according to the legal requirements to obtain it.
Subpoenas may not require court oversight and their use is not necessarily tracked in any publicly accessible way.
With a subpoena Law Enforcement Agencies can obtain: -Subscriber information, such as, name, ip address, and services used -Contents of communications (emails) stored for over 180 days -Contents of communications posted on "services" (social networks, etc.) including all communications and files Yahoo classifies their services in two ways: those they provide as an "Electronic Communications Service Provider" and those they provide as a "Remote Computing Service Provider."
They classify services like Flikr and Yahoo Groups under the RCS category, which has a lower threshold for disclosing data. Since these services are comparable to Facebook, MySpace, and other social networking sites, it would be interesting to see what policies for disclosing customers' private information those sites have.
A 2703(d) order is a court order under the Stored Communications Act.
Since it requires judicial approval, there is at least a record of it, and there is some kind of oversight.
18 U.S.C. 2703(d) requires that "the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation."
The crucial difference between a search warrant and a 2703(d) is that a search warrant must specifically describe items that are evidence of a crime. A 2703(d) only requires "reasonable grounds" for belief that the item to be seized is "relevant" to a criminal investigation.
The link between the item being seized and an actual crime is removed, which dramatically broadens the potential scope of these orders.
With a 2703(d) Law Enforcement Agencies can obtain: -Transactional records. This includes IP addresses, times, and descriptions of all activity on the system, including all other users who the target communicated with, all sites visited, all files accessed, etc.
A search warrant is only required for Emails stored less than 180 days. This is due to the way that the Stored Communications Act is written.
No Process at All
If a Law Enforcement Officer submits an "Emergency Disclosure Request Form" alleging that there is an emergency involving imminent danger of death or serious physical injury, then Yahoo may release information with no process at all.
This provision makes sense, because there are legitimate emergencies where information needs to be accessed and no crime has been committed or a judicial process would be too slow.
While reasonable in the context of the information being available, and law enforcement needing it, emergency disclosures still raise major privacy concerns. All that is required to get information is sending a fax on police department letterhead. This creates major risks for users who trust companies like Yahoo with their private information.
Yahoo's Guide For Law Enforcement is only one documented example of just how loose internet providers are with their client's data. These same general guidelines are ubiquitous for all providers because they are required by law. If anyone has copies / links to these documents for other providers, I would be happy to get them... firstname.lastname@example.org
Articles for December 3, 2009 | Articles for December 4, 2009 | Articles for December 5, 2009