Legal

Yahoo, Like Google, Demands Warrants for User E-Mail

As reported on Wired.

BY DAVID KRAVETS

Photo: Courtesy of Yahoo

 

Yahoo demands probable-cause, court-issued warrants to divulge the content of messages inside its popular consumer e-mail brands — Yahoo and Ymail, the web giant said Friday.

The Sunnyvale, California-based internet concern’s exclusive comments came two days after Google revealed to Wired that it demands probable-cause warrants to turn over consumer content stored in its popular Gmail and cloud-storage Google Drive services — despite the Electronic Communications Privacy Act not always requiring warrants.

“Yes, we require a probable cause warrant for e-mail content,” said Yahoo spokeswoman Lauren Armstrong, in an e-mail interview. “That is more than ECPA requires.”

The nation’s other major consumer-facing e-mail provider — Microsoft — which markets the Hotmail and Outlook brands, declined comment for this story.

In short, Yahoo and Google are granting their customers more privacy than the four corners of the ECPA. There’s been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days.

The Supreme Court has never ruled on the issue. Federal and state law enforcement officials are seemingly abiding by Yahoo’s and Google’s own rules to avoid a showdown before the Supreme Court.

“No, we don’t get any pushback from authorities,” Armstrong said, adding that Yahoo began the practice in “early 2011.”

ECPA was adopted in 1986, under the President Ronald Reagan administration, when e-mail was held briefly on servers on its way to a recipient’s inbox. In the 1980s, e-mail more than six months old was assumed abandoned, and therefore ripe for the taking.

For years, Congress has opposed reworking the law to comport with the advancement of technology.

So it appears that Google and Yahoo have changed some of the rules on their own. Under the letter of the ECPA law, the government only needs to show that it has “reasonable grounds to believe” e-mail and other documents stored in the cloud for more than 180 days would be useful to an investigation.

To be sure, Yahoo and Google still provide to the authorities a long laundry list of data about, or owned by their customers — all without probable-cause warrants.

Google, for example, said it forks over the IP address from where a Gmail account was created, and where and at what time a user signs in and out of an account. The IP addresses associated with a particular e-mail sent from a Gmail account or used to change the account password is also doled out without probable-cause warrants, in addition to the non-content portion of e-mail headers such as the “from,” “to” and “date” fields.

Yahoo conceded it provided plenty of information to the authorities, but did not immediately say whether it mirrored Google’s position above.

“For other content like entries in Yahoo! Calendar and AddressBook or files uploaded to a Yahoo! Group, we require standard legal process such as warrants, court orders and subpoenas, which is consistent with ECPA,” Yahoo’s Armstrong said.

Yahoo declined to divulge the number of times it provided information without a warrant, saying it does not publish a so-called “Transparency Report” as does Google.

Google, on the other hand, every six months releases its “Transparency Report” chronicling how many times the authorities demand data on its customers.

For the first time Monday, Google made available figures for how often a probable-cause warrant came along with a request.

In all, agencies across the United States demanded 8,438 times that Google fork over data on some 14,791 accounts for the six-month period ending December 2012. Probable-cause search warrants were issued in just 1,896 of the cases. Subpoenas, which require the government to assert that the data is relevant to an investigation, were issued 5,784 times. Google could not quantify the remaining 758.