Security And Privacy Concerns Not Just A Yahoo Problem

Published in Online Spin, October 21, 2016.

“Yahoo: Time of death, oh about a week ago,” said the headline in the IT Professionals newsletter I just got. The reason? The hacking that compromised up to a billion accounts. The secret backdoor access so the company could scan every email coming through the system, looking for certain keywords flagged by the Feds. The general “aimless wandering” of the company.

These reasons certainly seem legitimate, and create a tempting opportunity for those who care about Internet security and privacy to get up on our high horses and sneer derisively about how far one of the original titans of the Web has fallen.

But to do so, I believe, would be missing the point.

The point is not that Yahoo is terrible, or that it’s past its prime. The point is not actually about Yahoo at all.

Let’s start with the hacking. Sure, with Yahoo the hackers hit the mother lode: the main user database, or UDB, containing the credentials for all of its active customers -- and there are a lot of them. But Yahoo isn’t the first to fall prey to bad actors. It’s not even the only major hacking news this week. Yesterday, a Russian citizen was arrested in association with the 2012 hack of LinkedIn, which saw over 100 million login credentials stolen. Yesterday also brought confirmation of a hack earlier in the year on Weebly and FourSquare; over 43 million accounts were stolen.

(If you really want to freak yourself out, watch this guy crack thousands of encrypted passwords in seconds.)

Hacking is not a Yahoo problem; it’s an everyone problem. Any site can be hacked, which is why things like end-to-end encryption should be commonplace and opt-out. (Facebook launched end-to-end encryption for Messenger in the past few weeks, but it’s opt-in, which virtually guarantees most people won’t use it.) And we should all be using services like LastPass, which lets us easily manage different, robust passwords for each site.

OK, but what about the backdoor email scanning? It sounds pretty terrible, and more focused on Yahoo as a culprit. As Nicky Woolf reported in The Guardian, other tech companies wouldn’t have rolled over quite so easily for the Feds: “[If Google had] received a similar spying request from the request from the US government… its response would be: ‘No way.’ Microsoft, whose email service also is larger than Yahoo, also said it has ‘never engaged in the secret scanning of email traffic.’ Twitter… likewise said it has never received such a request and would challenge it in court if it did. “A Facebook spokesperson said: ‘Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it…’ [Apple] said: “We have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.’”

It’s all pretty comforting. Until you remember that all of these companies were named in the documents leaked by Edward Snowden as participating in the PRISM program (although Twitter apparently didn’t make it easy for the government). And of course, a backdoor created for one party -- like the government -- can be exploited by another, like a hacker.

In the end, the issues of security and privacy don’t belong to Yahoo alone. They belong to every single person who uses the Internet, and to every company that provides us with services. Time for all of us to stop sneering, climb down off our high horses, and do our bit to work toward solutions.