The Great Yahoo! Data Slurp

10th October 2016

So anyway, it turns out that Yahoo have been acting a little bit naughty, snooping on their customers’ e-mails on behalf of the US Government. This potentially affects me directly even though I’m in the UK, since I use a BT e-mail account, and BT outsourced management of their e-mail customers to Yahoo some years ago.

I have tried twice to engage BT on Twitter to find out more. Although they usually respond this way, they didn’t reply, so I tried contacting BT support via web chat. Below is a transcript of our conversation.

As an aside, it took nearly an hour on hold to commence the web chat, and then after the BT representative phoned me, it took another 45 minutes or so to transfer me to second line support, where I had to explain everything again from scratch. The whole process was about 2.5 hours from beginning to end.

In brief, BT appear to be giving me three reasons why I needn’t be concerned about whether Yahoo were slurping my e-mail traffic.

  1. I can change my password.
  2. If there were a security breach, my account would automatically be locked.
  3. Despite the Yahoo logo, Yahoo don’t actually manage any of BT’s e-mail.

There are serious problems with all three of these reasons, to put it mildly. Firstly, since this was an internal process created by Yahoo themselves, passwords are irrelevant. They don’t need any passwords to access their customers’ mail traffic, and changing your password isn’t going to stop them. Secondly, since this was an internal process – an access by design – then it wouldn’t have been viewed as a security breach. Yahoo themselves did it deliberately.

Thirdly, the T&Cs for BT’s e-mail customers are Yahoo T&Cs, and make clear that it is Yahoo processing the data.

I wouldn’t normally publish a chat transcript in this way, but I think there’s a public interest here. Yahoo’s behaviour is being reported in the press as “a new chapter” in the public debate over privacy, and it seems to me that BT staff may be misleading their customers over the matter, at least inadvertently. Anyway, here’s the chat.

Question: Given you’ve handed responsibility for email to Yahoo, and in light of this news: http://mobile.reuters.com/article/idUSKCN1241YT – Can you confirm whether my BT Internet e-mail was part of this scanning programme, please?

Chat:

Status: Connected

BT: Hello. I’m (BT Rep’s name). Thanks for that information, I’ll check it and get back to you in a moment.
Me: Thank you.
BT: I’m really sorry about that, let me see what I can do to help.

[Identity confirmation]

BT: Thanks for that information.
BT: Can you please elaborate your issue?
Me: As per the link I sent, it’s all over the tech press that Yahoo have created a scanning tool with which they scanned millions of e-mail accounts for the US security services. Since BT have handed responsibility for their e-mail accounts to Yahoo, it seemed likely to me that btinternet.com accounts may also have been scanned. I’m looking for BT’s position on whether this is in fact the case.
Me: Here’s another article http://www.theregister.co.uk/2016/10/04/yahoo_was_nsa_stooge/
BT: Don’t worry just change your password once then everything will work fine.
Me: That’s not the issue. I want to know whether my btinternet.com account e-mails have been scanned by Yahoo as part of the programme outlined in that article. Changing my password will not prevent this happening, because it is Yahoo themselves doing it.
BT: Yes your email account is safe and working with us and don’t worry if in case any problem arrives we will get in touch with you.
Me: Are you saying that Yahoo have not accessed and scanned my BT Yahoo e-mail? Is that a categoric denial that the scanning took place on BT accounts held by Yahoo?
Me: Do I have BT’s complete assurance on this matter?
BT: [Teacake] I need to inform you that the email is working fine from our end, and still if there is a problem we will get in touch with you, can you please confirm if it is also working fine from your end as well?
Me: I am not reassured that you have understood the concern I have raised. I am not asking whether my e-mail is working. I am asking whether your partner – Yahoo – have been scanning my e-mail. Do you understand this question?
Me: Please – if you are unsure what I am asking you – please can you escalate this matter to the next line?
BT: No as such the yahoo had a scam early in the 2014 and for that they have sent an email to everyone, and for your answer to the question they have not been scanning any of the emails
Me: The 2014 hack is not the problem I am raising here. I have supplied two links to articles which state that Yahoo have been scanning their customers’ e-mails on behalf of the US Government. This is not a hack or a scam. This is the company themselves accessing their customers’ e-mails.
Me: To be clear: are BT denying that Yahoo scanned any e-mails, or denying that BT customers were affected by the programme?
BT: No I am not denying that, that the BT email customer were not affected by this, but there were a set bunch of people (not known) were there that were affected, and as such I have seen the email it is working correctly from our end, and no Yahoo have not been scanning any of the emails.
Me: Your response appears to be contradictory, or you’re still assuming I’m talking about the 2014 hack. I’m not asking about the hack.
Me: Please can you escalate this query to the next level support?
BT: Yes I will surely do that for you. I will raise this issue with our level 2 team, please stay connected.
Me: You are very kind. Thank you.
BT: Okay. For this I can call you and can transfer you to our team they will help you with the same.
Me: Thanks very much.
BT: Can I call you on this number – [phone number]?
Me: Yes, I’m on that number now.
BT: Okay.

I was then transferred to wait on the phone for a second line engineer. Since it was spoken, I don’t have a transcript of that conversation, but it went much the same way, ending in me suggesting the BT rep do a Google search for “yahoo email fbi” and him assuring me that BT Yahoo mail is not Yahoo mail.

It was clear to me when talking to BT that their staff had no knowledge about the Yahoo revelations and had not been briefed, despite it being covered by the BBC, Reuters, NY Times, Guardian, Daily Mail (not linking those bastards, sorry), USA Today, and widely in the tech press. As you will see from the chat transcript, it’s clear they thought I was concerned about the recent news that Yahoo account details had been hacked.

It seems to me there’s a good chance this problem extends beyond US customers of Yahoo and may have affected the many thousands of customers who use BT email services in the UK. BT need to be much clearer about their potential involvement.

 
