Yahoo received nearly 5,000 requests for user data from the United States government in the last six months of 2014 and disclosed some content in nearly 25 percent of those cases. The company said in its new transparency report that it received between 0-999 National Security Letters from the U.S. government, too.
The latest report from Yahoo on government requests covers the period of July through December of 2014 and the company reported 4,865 total requests from the U.S. during that period. Those requests covered a total of 9,752 user accounts and the company disclosed some content in 1,157 of those cases. Yahoo rejected 258 of the U.S. government’s requests and disclosed solely non-content data in 2,887 cases. Yahoo defines non-content data as “the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information”.
The U.S. was by far the most active government in this report, with Taiwan coming in a distant second with 2,081 total requests. Germany sent 1,910 requests to Yahoo and the United Kingdom sent 1,570. In the previous six months, the U.S. sent 6,791 total requests to Yahoo and the company reported the same range of NSLs, 0-999. The government only allows companies to report the number of NSLs they receive in bands of 1,000. Yahoo and other technology companies have been pressuring the government for the ability to report those letters in more specific detail.
In addition to the transparency data, Yahoo also provided an update on its efforts to protect users from attacks by governments and other attackers.
“We’ve encrypted many of our most important products and services to protect against snooping by governments or other actors. This includes encryption of the traffic moving between Yahoo data centers; making browsing over HTTPS the default on Yahoo Mail and Yahoo Homepage; and implementing the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We’ve also rolled out an end-to-end (e2e) encryption extension for Yahoo Mail, now available on GitHub. Our goal is to provide an intuitive e2e encryption solution for all of our users by the end of 2015,” the company said in the report.
Yahoo released the end-to-end encryption extension last week, something that was the result of an effort that Alex Stamos, the company’s CISO, announced at Black Hat last year.
“Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos wrote on Yahoo’s Tumblr. He said that Yahoo’s extension will satisfy users’ needs to share sensitive information securely. “Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.”
Yahoo, like its counterparts at Google, has been investing in encrypting more and more of its services and infrastructure. Much of this has come in the wake of the Edward Snowden revelations, but some of the efforts were in motion before the leaks about NSA capabilities against the companies’ services began to surface.
