It never rains but it pours! With public trust in freefall over the delayed announcement of a large-scale Yahoo account hack, the company’s decision to scan clients’ email accounts on behalf of US authorities has fuelled discussions in Europe over the thorny issue of privacy.
According to Reuters, Yahoo is facing criticism over its compliance with a classified US government request to comb through customers’ incoming emails for information specified by US intelligence officials. European politicians have since called on the European Commission (EC) to investigate the incident – which could derail the progress of the transatlantic data sharing deal agreed earlier this year.
‘Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern,’ commented Ireland’s Data Protection Commissioner in a statement.
Yahoo’s only response was that it ‘complies with the laws of the United States’, declining to confirm whether it scanned users’ emails or to say if Europeans’ emails were intercepted during the operation. The episode is likely to touch a nerve with Europeans who fear that the ‘Privacy Shield’ data sharing deal doesn’t offer enough protection against mass surveillance by US intelligence agencies.
Yahoo hasn’t yet recovered from a large-scale attack by hackers which compromised personal information from around a half billion Yahoo accounts, making it the biggest data breach in history. Although the hack took place in 2014, Yahoo didn’t release details till earlier this year.
The hack harvested names, email addresses, phone numbers, birth dates and, in some cases, security questions and encrypted passwords. Yahoo blamed a ‘state-sponsored actor’, although no country or agency has yet been identified.
The company has 1 billion monthly active users and the hack demonstrates the inherent vulnerability of password-protected account access. It’s thought that while Yahoo was able to mitigate the effects of the hack for its own accounts, the passwords and personal information stolen could have facilitated fraud in users’ other accounts. It could take a while to rebuild users’ trust in the brand.
The timing’s not great
All of which is bad news for Yahoo, which is currently in the process of being acquired by telecommunications giant Verizon for a reported $4.83 billion. Verizon has previously said that it will evaluate the ongoing investigations ‘through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities’.
As with most things, timing is crucial. Yahoo filed documents with the SEC at the beginning of September indicating that there had been no security breaches that would adversely impact its business. If it turns out that senior figures at Yahoo knew it had been hacked before that filing – or indeed before Verizon agreed to buy Yahoo – the $4.8 deal could hang in the balance.
At the very least, Verizon may feel that a discount off Yahoo’s buy price is in order. Analysts have indicated that $1 billion wouldn’t be unfair, though it does amount to a 20 percent reduction. Much will depend on how confidently Verizon can negotiate – and how badly Yahoo needs to sell.