Yahoo's Headquarters In Sunnyvale, California.

Mass Surveillance Is Part and Parcel of Yahoo’s DNA

By Elaine Ou | 7:10 am, October 11, 2016

Yahoo has been getting a lot of attention lately for its failures to protect personal information. What’s perhaps more remarkable, though, is how little privacy American internet users demand.

First came news that hackers stole personal data on more than 500 million Yahoo users. Now the company is dealing with reports that it helped the Justice Department conduct mass surveillance by scanning e-mail traffic for signs of a terrorist organization. One has to wonder: When Verizon finally completes its planned acquisition of Yahoo, will there be any users left to acquire?

Yet if there’s one thing Americans value more than freedom, it’s free stuff. Thanks to decades of conditioning, people have this notion that online services — e-mail, news, porn, search engines — should be available without charge, like Yahoo. The employees of internet companies are magically compensated in starlight and dreams, so everything they produce should be gratis

The unfortunate truth is that internet companies need revenue. And if users don’t want to pay, that revenue has to come from advertisers. Yahoo, Google, Facebook, Snap(chat), and Twitter all make money by selling ads. It’s not an easy business model. Online advertising is a highly competitive market with low barriers to entry; all it takes is an app and a paying advertiser.

Cutthroat competition has led platforms to differentiate themselves with targeted advertising — the ability to show ads relevant to a user’s interests. Effective targeting means collecting as much personal data as possible. As a result, we have “free” e-mail products that scan message contents, “free” news sites that track us all over the internet, and “free” search engines that display ads based on our queries as well as our browsing history.

Verizon acquired AOL, and plans to acquire Yahoo, not for the aging user base but for the ad technology. You know how advertisers display creepy re-targeted ads based on the sites you visit? Verizon now has the ability to add cellular location information to bring that delightful experience into the physical world.

Users might complain that invasive advertising is a violation of privacy, but online service providers don’t promise any privacy. In fact, Yahoo explicitly states the opposite in its Privacy Policy: “Yahoo analyzes and stores all communications content, including e-mail content from incoming and outgoing e-mail.”

Yahoo scans all of its e-mail traffic. Not just to filter out malware and illegal stuff, but also to deliver targeted advertising. So monitoring e-mails for terrorist communications wouldn’t be much different from what it already does.

Situations like this led the European Commission to adopt new data protection laws. Europeans take the protection of personal data seriously, a view no doubt influenced by memories of the Gestapo, Stasi, Estado Novo, Francoist Spain, and Italian Fascism. Continental Europe understandably has very well-founded fears of a surveillance state.

In the U.S., people seem to care more about freedom from excessive legislation. Data privacy is left largely to the market, the idea being that consumers will allocate their attention to service providers that respect their privacy needs. In practice, the relationship is highly asymmetric: Nobody reads company privacy policies, and companies are exceptionally vague in describing their reach.

Apple was held up as an exemplar of civil liberties when it fought the Justice Department’s order to help the FBI unlock an iPhone. It was able to extract itself from the order largely because the technology to break into a user’s phone did not exist. Apple has a strong history of protecting the privacy of its customers, but it is also in the unique position of having convinced people to pay for its products. Most internet service providers don’t have this luxury.

Before resigning, Yahoo’s chief information security officer, Alex Stamos, pushed for the company to adopt end-to-end encryption. This would have made it impossible for third parties to eavesdrop on user communications. It didn’t happen. Apparently, protecting e-mails was not a priority for a company whose business model depends in part on searching and indexing them so it can target advertising.

Non-paying users should realize that they are not customers. They are products that internet companies sell to advertisers. No one wants to be treated as a commodity, but businesses need money to feed their employees and pay the rent. The technology that makes online services free and convenient just happens to be the same technology that enables mass surveillance.