Yahoo fights NSA worries, issues first transparency report

Company releases aggregate numbers on government-made requests for customer data and reiterates need for right to publish more-specific figures involving US National Security Agency. It wants to quiet user fears.

Edward Moyer Senior Editor
Edward Moyer is a senior editor at CNET and a many-year veteran of the writing and editing world. He enjoys taking sentences apart and putting them back together. He also likes making them from scratch. ¶ For nearly a quarter of a century, he's edited and written stories about various aspects of the technology world, from the US National Security Agency's controversial spying techniques to historic NASA space missions to 3D-printed works of fine art. Before that, he wrote about movies, musicians, artists and subcultures.
Expertise Wordsmithery. Credentials
  • Ed was a member of the CNET crew that won a National Magazine Award from the American Society of Magazine Editors for general excellence online. He's also edited pieces that've nabbed prizes from the Society of Professional Journalists and others.
Edward Moyer
4 min read

Yahoo has issued its first-ever global transparency report, joining other tech companies that are trying to quell suspicions of overzealous cooperation with government surveillance agencies.

The report covers the six-month period from January 1, 2013, through June 30, 2013, and shows how many government-made requests for customer data were received or processed by Yahoo in countries where the company has a legal entity. That covers four regions: the Americas, Asia-Pacific, Europe, and Latin America.

During that period, according to the report, Yahoo's US arm received 12,444 government data requests "such as criminal law enforcement requests and those under US national security authorities, including the Foreign Intelligence Surveillance Act (FISA) and National Security Letters (NSLs), if any were received." That's far more requests than in any other country.

The company said it was not allowed to break that figure down to show, for example, how many of those requests were specifically made by the US National Security Agency.

Suspicion over the involvement of tech companies in the NSA's Prism program were fired up earlier this year by the initial reports about Prism in The Guardian and The Washington Post, which said the NSA had "direct access" to company servers. CNET's Declan McCullagh subsequently reported that there was no evidence of wholesale access to company servers.

Since the first Guardian and Post reports, Google, Microsoft, Facebook, Yahoo, and other tech companies have pushed the US government to allow them to reveal details about how many data requests they receive. Facebook and Microsoft have published aggregate information on requests, as has Apple, and Google and Microsoft are reportedly planning to file a lawsuit against the NSA on Monday over the right to publish more-detailed figures. The US director of national intelligence has also said the intelligence community will begin releasing annual transparency reports, which will, however, be "limited by our need to protect intelligence sources and methods."

In the Yahoo transparency report, the company addresses the issue of more-specific information:

The U.S. Government does not permit us to disclose additional details regarding the number of requests, if any, under national security authorities at this time, or even to separate them in aggregate from other requests...We strenuously disagree with the government's position and will continue to advocate for greater transparency regarding requests made under national security authorities. If we succeed in persuading the U.S. Government to allow greater transparency, we will disclose additional details in future reports, and we will also update this report with more details related to national security requests as permitted.

Regarding the roughly 12,500 data requests received by Yahoo in the US, the report says content was disclosed by the company in about 4,600 cases -- 37 percent of the time. In about 6,800 instances (55 percent of the time), "Non-content data," or "NCD," was handed over. The report defines the two types of data thus:

Content: Data that our users create, communicate, and store on or through our services. This could include words in a communication (e.g., Mail or Messenger), photos on Flickr, files uploaded, Yahoo Address Book entries, Yahoo Calendar event details, thoughts recorded in Yahoo Notepad or comments or posts on Yahoo Answers or any other Yahoo property.

NCD: Non-content data such as basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., "to," "from," and "date" fields from email headers).

Like Google, Microsoft, and other tech companies, Yahoo maintains that it gives the government data only in response to legal requests, and it emphasizes this in the report:

Yahoo has joined no program to volunteer user data to governments. Our legal department demands that government data requests be made through lawful means and for lawful purposes. We regularly push back against improper requests for user data, including fighting requests that are unclear, improper, overbroad or unlawful. In addition, we mounted a two-year legal challenge to the 2008 amendments to the Foreign Intelligence Surveillance Act, and recently won a motion requiring the U.S. Government to consider further declassifying court documents from that case.

In a short statement on June 17, Yahoo had announced its intention to release the transparency report, saying it would issue such reports every six months. It also said then that the company had received between 12,000 and 13,000 requests for customer data in the US in the six-month period from December 1, 2012, to May 31, 2013.