Yahoo! does not rent, sell, or share personal information about you with other people or nonaffiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances: …We respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims; [emphasis added]
On its face, it sounds reasonable. But it is full of holes and ambiguities. Does Yahoo automatically respond to any subpoena it is presented with? Or, does it choose to fight some in order to protect their users’ privacy? What do they mean by “legal process” as an example of acceptable conditions for divulging personal information? Is simply receiving an official letter from law enforcement requesting information a suitable “legal process”? Any e-mail request? Must their lawyers review the request, or can other employees receive and respond to such requests?
These are not just excercises in semantics, but crucial questions with serious implications for the privacy of Yahoo users’ personal information. Here’s why:
In today’s testimony before Congress, Michael Callahan, Yahoo’s general counsel, declined five times to answer if they have turned over information without a court order. He indicated, however, that Yahoo would “only turn over information if it’s required by law.” During one exchange, Callahan acknowledged that if Yahoo received an e-mail from a sheriff in some obscure county to turn over a user’s e-mail, such a general request, in the absence of “proper legal process,” would not be sufficient to compel Yahoo to turn over the information.
But when asked what if such an e-mail came from the NSA, rather than an obscure sheriff’s department, Callahan refused to comment.
Here’s my concern: A letter from a sheriff in Manitowoc, Wisconsin might not compel Yahoo to turn over my e-mails: complying with such a request apparently wouldn’t be “required by law.” But a letter from the NSA might. Or, it might not. We don’t know because they didn’t respond. (Other companies – BellSouth, Comcast, EarthLink, T-Mobile – responded in the negative on previous occasions)