​Yahoo updates methodology in new transparency report

The company changes how it tallies government requests for data in its second transparency report, following tech firm push back over the past year.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
2 min read

Yahoo's second Transparency Report separates US National Security Requests from the bulk of the data. Screenshot by Seth Rosenblatt/CNET

Yahoo may have been late to the transparency report game, but it's taking steps to be upfront about its moves to protect user data.

The second Yahoo Transparency Report, released Thursday, at first blush appears to detail a drop in US government requests for user account data between the first and second half of 2013. In fact, there are several reasons why the US government requests in the two reports are not comparable.

Ron Bell, Yahoo general counsel, said in a blog post announcing the new report that the company is pursuing a "user first" approach to transparency.

The most notable change is that Yahoo separately detailed US government National Security Requests in the second report. This follows a February blog post by Yahoo general counsel Ron Bell and associate general counsel Aaron Altschuler that explained changes in US government policy that allowed for slightly more detailed reporting of National Security Requests.

The Yahoo Transparency Report for the second half of 2013 shows 6,587 US government requests for user data, with 11,795 affected user accounts. Eight percent of those were rejected for either some kind of defect in the request, such as the law enforcement agency not having the jurisdiction to request the data or a user successfully contesting the government's demand. An additional 9 percent were rejected because no data was found.

A Yahoo spokesperson said that the company informs its users when a government has requested their data before it hands it over, and has been doing so since July 2013.

"When Yahoo Inc. receives a request for user data from a law enforcement agency, we inform the agency that we reach out to our users to let them know of the government request," the spokesperson said. "We've noted that law enforcement agencies frequently choose to withdraw their request once we inform them of our user notification policy."

The notification policy, said the spokesperson, has led to users "in multiple cases" finding "legitimate reasons...for not complying with the demand."

Yahoo also breaks out information such as requests for "non-content data," which is basically metadata including "alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., "to," "from," and "date" fields from email headers)." Sixty-four percent of US government requests resulted in non-content data disclosures, while another 19 percent resulted in disclosures that included content.

Other countries that made more than 1,000 requests for data from Yahoo in the second half of 2013 included the United Kingdom, India, Italy, France, Germany, and Taiwan.

Update at 4:55 p.m. PST with the month that Yahoo started informing its customers of government requests for their data.