Yahoo Email Scanning May Sink EU Privacy Shield Agreement

from the nsa-fucking-things-up-again dept

After the US/EU “safe harbor” on data protection was tossed out thanks to NSA spying being incompatible with EU rights, everyone had tried to patch things up with the so-called “Privacy Shield.” As we noted at the time, as long as the NSA’s mass surveillance remained in place, the Privacy Shield agreement would fail as well. This wasn’t that difficult to predict.

And there are already some challenges to the Privacy Shield underway, including by Max Schrems, who brought the original challenge that invalidated the old safe harbor. But things may have accelerated a bit this week with the story of Yahoo scanning all emails. This news has woken up a bunch of EU politicians and data protection officials, leading to some serious questions about whether it violates the Privacy Shield agreement.


Johannes Kleis, a spokesman with BEUC, an umbrella group for European consumer organisations, called on other EU data protection authorities to investigate Yahoo.

Fabio de Masi, a German member of the European parliament with the leftist Die Linke party called on the EU high representative for external affairs Federica Mogherini to seek clarification from US authorities about the treatment of EU data.

And elsewhere as well:


“It goes far beyond what is acceptable,” said Johannes Caspar, Commissioner for Data Protection and Freedom of Information in Hamburg, Germany.

Over in the European Parliament, Dutch MEP Sophie in ‘t Veld has asked the EU Commission to investigate:

While some keep arguing that the whole idea of a safe harbor or privacy shield is a problem, that’s not really true. Enabling more easy data flows between countries on a borderless internet is really important for keeping the internet really global. This is a serious issue. The problem is the NSA’s surveillance activities undermining all of this, and continually (rightfully) freaking out people in other countries about what happens to data that flows into the US. The answer is not to dump agreements that enable the free flow of data, but to stop mass surveillance activities.

Once again, it appears that overly aggressive mass surveillance by the US intelligence community is creating massive headaches for American internet companies.

Filed Under: , , , , , ,
Companies: yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yahoo Email Scanning May Sink EU Privacy Shield Agreement”

Subscribe: RSS Leave a comment
26 Comments
Anonymoussays:

Re: Re:

Who gets the direct feed you mean. They all can now spy on everyone’s citizens, its really just a matter of having fresh data along with mountains of prior data to sift through once targets have been identified. Remember everyone, three hops includes delivery pizza places as well as 911 calls or even 411 itself.

Personanongratasays:

Cognitive Dissonance and Glass Houses

Yahoo Email Scanning May Sink EU Privacy Shield Agreement

Some of the countries that comprise the EU are heavily involved with NSA and GCHQ mass surveillance schemes.

Highlighted paragraph below excerpted from theguardian.com report titled GCHQ and European spy agencies worked together on mass surveillance

The German, French, Spanish and Swedish intelligence services have all developed methods of mass surveillance of internet and phone traffic over the past five years in close partnership with Britain’s GCHQ eavesdropping agency.

https://www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance-snowden

Screaming is all I can dosays:

Upstream action is where its at

Yahoo never even claimed to encrypt anything as google(dubiously)did so there upstream tap was always in the clear, same with outlook and all other MS domains, so whatever all of these people are not only collaborating, making up 40% of GDP they ARE the state.

lets not even talk about what they are doing they are the NSA, CIA , FBI CBP anyone you want to name. Google is looking for reasons to send a SWAT team to your house, definitely.

Davidsays:

It's Snowden's fault

Once again, it appears that overly aggressive mass surveillance by the US intelligence community is creating massive headaches for American internet companies.

No, this would never have been a problem if nobody had ratted them out.

This really calls for a drone strike on Snowden in order to send a message that it’s inacceptable to endanger the relations of the U.S. government to other nations and its own people by indiscriminately pulling the rug out from over them. There is a reason for the rug, and everybody is aware of what is swept under it.

It’s like bakeries. Every single one has roaches and mice (mice are around anyway, and roach eggs are distributed under the boxes and containers of bakery suppliers and mills, so even a newly built bakery is populated within months). The bakers cope by keeping dough covered and making sure that anything ending up in sales is reasonably safe from access.

But that’s not the story for the customer. Blow the whistle on one bakery and people go elsewhere, shuddering in disgust. Never mind that the stuff running near the food is completely beside the point compared to meat production where the awful bits actually make up your food.

So yes, the messengers are certainly to blame here. You can’t expect people to have realistic expectations, not with what they see in TV (particularly reality TV). People have a right not to have to worry about things they are powerless to change. That’s the sole point of civilization.

Still with me? Creepy.

nomadgroasays:

Re: Re: It's Snowden's fault

Guess I’m a creeper cuz I read your entire comment, David. I learned how to read quite awhile back, so I’m not going to lose my mind if you take more than a paragraph to properly express your ideas. ?

Alas, I can’t agree Snowden’s to blame for the NSA?s wildly illegal behavior. Nor can I agree with your bakery analogy/apology explaining why espionage agencies should be allowed to lie and deceive and sweep highly questionable behavior under rugs so we don?t see the weevils propagating in the?sorry, dude. Can I drop your metaphor? Cuz I?m not sure there?s much difference between the icky bugs that unfriendly foreign powers place in our bread and the maggots the NSA installs there.

People have a right not to worry about things they are powerless to change? That?s a rather odd statement, my friend. Personally, I’m still clinging to this idea called “democracy” and a country whose government represents the will of the people and not the questionable actions of an unelected intelligence community that claims it can only function if it’s accountable to NO ONE AT ALL. Not even a congressional oversight committee. We are NOT powerless to change the tyrannical, belligerent behavior of an espionage community that exploits the very people it claims it?s protecting.

The sole point of civilization is not to live as sheeple, herded this way and that by lying government douchebags. You may choose that for yourself. Most do. I do not. I’m still a life, liberty and the pursuit of happiness kind of girl. Call me na?ve?I?m expecting it, so no worries?but you don’t make the world safe for democracy by usurping it.

You seem to be arguing that in exchange for the illusion of security–because that’s the very best ANY intelligence agency can offer–we should allow our country’s spies to create whatever havoc they please, at home or abroad, free of skepticism, criticism, or oversight from anyone. You know, like Wall Street bankers. With respect, hell?s no. That?s just wacked. As long as the NSA continues to rape American citizens of their constitutional rights, shit all over the rule of law, perjure itself during congressional investigations, and demand the right to do so with impunity, then we have no choice but to rely on whistleblowers like Edward Snowden. Who, btw, has stacked up quite a list of humanitarian awards from pretty much everyone but the US. And don?t be thinking about dissing Sweden, cuz that?ll just make you look like some sort of imperialist throwback.

It’s James Clapper’s fault. Aided by John Kerry, King of the Message Killers.

The answer is end to end encryption for the masses

The answer is not to dump agreements that enable the free flow of data, but to stop mass surveillance activities.

The answer is not to stop mass surveillance. That ship is out of the bag, that cat has sailed.

The answer is to encrypt all data from everyone all the time.

This protocol shows how it can be done: http://eccentric-authentication.org

Anonymoussays:

Re: Re: The answer is end to end encryption for the masses

On first glance, this sounds overly optimistic.
1. DPI will still see the initial handshake and exchange of keys, so it will still be possible to decrypt traffic with a MITM.
2. They don’t mention a key expiration or revoke system, which is always a good thing. Without that a single compromise could last indefinitely.
3. Storage of PKI keys for every site will cause issues for end users. Simply send a user to a link with links to thousands of other sites and you could DoS the users computer by negotiating so many encrypted connections and possibly overload their HD storage.

Could be many more, but I just glanced quickly through his front page.

Anonymoussays:

Re: Re: Re: Re: The answer is end to end encryption for the masses

1) You obviously have no idea how D-H secure key exchange works. Even if there is a MitM on the key exchange, the compute power needed to derive the key would exhaust the heat energy of the entire universe.

2) You are confusing host authentication with public/private keys. They are NOT the same thing.

3) Storage of all public keys is NOT needed. That is why there is a secure exchange of keys AFTER a host has been authenticated.

Anonymoussays:

Re: Re: Re: Re: Re: Re: The answer is end to end encryption for the masses

  1. So A10 doesn’t decrypt SSL traffic?
    https://www.a10networks.com/products/thunder-series/ssl-decryption-encryption-and-inspection-ssl-insight You only need session data usually to decrypt.

    2. It didn’t state who is the private key holder. I assumed it was like SSL where the site has the private key, and the user uses the public key. It it’s like PGP, than even more so would revocation be necessary, as a lost computer or phone could lead to identity theft.

    3. I’m totally confused on this last part:
    “You can write one of these pseudonyms on a business card and everyone can retrieve the correct keys. People can look up the key that belongs to the name and use that to write encrypted messages. Safe against disclosure and tampering. This forms the basis for secure email, without any difficulties.”

    So how do they not have a CA to verify, (think SKS, MIT for PGP) but yet have a public key infrastructure that you can look up and identify the end-user?

Anonymoussays:

Re: Re: Re:2 Re: Re: Re: Re: The answer is end to end encryption for the masses

Yes, A10 does SSL interception. So does Blue Coat. So does F5. So does…..

The way A10 et al do SSL interception is that it is placed on a choke point in the network, a self signed certificate is put on the A10, GPO pushes policy to all of the clients on the domain so the self signed cert is trusted, and then it can do SSL interception by “lying” to the client.

That is NOT how SSL interception works on the open net.

PKI is designed – for the most part – for a single network of group of networks. It was never intended to be an infrastructure used globally.

I work on this stuff all day, every day. Get a clue.

Anonymoussays:

Re: Re: Re:3 Re: Re: Re: Re: Re: The answer is end to end encryption for the masses

SSLStrip MITM: https://moxie.org/software/sslstrip/
use -f for a lock fav icon, and most will think they are talking through SSL to the server.
InfoSec has a good explanation, better than I can probably:
https://www.youtube.com/watch?v=gNhyjPxuy5w

Answer is, hope that the server uses HSTS to ensure that you can’t fall back to HTTP.

BobKernssays:

Re: Re: Re:3 Re: Re: Re: Re: Re: The answer is end to end encryption for the masses

Re: “It (PKI) was never intended to be an infrastructure used globally.”

I’m unclear on what you mean here. Certainly global infrastructure was envisioned even back in the day of the original Diffie-Hellman and Rivest-Shamir-Adelman papers, and the whole Certificate Authority thing has been a global infrastructure from the start.

There are certainly inadequacies…..

Be that as it may… I don’t do this every day all day, but I’ve done it on and off for 35 years or so, and I fully endorse your main points here. The whole point of Diffie-Hellman key exchange is to allow keys to be created such that only the two parties know what the keys are, because the keys themselves were never sent, and can’t be recreated without some information that each party holds secret.

This is basic stuff that anyone setting up a secure web server should know at least the what and why, if not the how.

I just wanted to give you a chance to clarify your point about PKI.

Your eccentric-authentication link looks interesting. Definitely going in the right direction. I do have some concerns about mischief a clever corrupt CA could pull. I think using blockchain technology could prevent those, though. (It still compares favorably with the current situation, where we’ve experienced both corrupt and stupid CAs, and the damage is then widespread and hard to contain). That would also allow for robust revocation (a complicated topic, unfortunately).

But aside from security, my big complaint with the current CA system is that its idea of “identity” can be wildly at variance with what is needed. I ran into difficulty getting a cert for a domain name I own, in the name of a character I own in a MMO. A well-established publicly-known entity that is distinct from my RL identity and to protect other people’s privacy I’d like to keep separate.

There’s a role for strong and deep verification of identity, but it needs to be layered on top of a more robust model of basic unique identity. “We have verified that the identity xxxx is associated with Chase Bank’s online banking services web site, as attested by VP of Operations Jane Opmanager on 9/12/2020, and back this certification with a $10,000 USD warranty of accuracy, insured by YYY Underwriters, Inc.”, all of which can be independently cross-checked. Instead, we have a system where each cert in the chain is a potential point of compromise, and a compromised CA root cert is a global disaster in the making.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow