Each year, EFF’s Who Has Your Back campaign assesses the policies and practices of major Internet companies as a way to encourage and incentivize those companies to take a stand for their users in the face of government demands for data. Normally, when a company demonstrates it has a policy or practice that advances user privacy, like fighting for its users in courts, we award the company a gold star. Sometimes, even when companies stand up for their users, they're forbidden from telling us about it because of unduly restrictive secrecy laws or court orders prohibiting them from doing so.
Which, for the past six years, is exactly what happened to Yahoo. In honor and appreciation of the company’s silent battle for user privacy in the Foreign Intelligence Surveillance Court (FISC), EFF is proud to award Yahoo with a star of special distinction in our Who Has Your Back survey for fighting for its users in (secret) courts.
In 2007, Yahoo received an order to produce user data under the Protect America Act (the predecessor statute to the FISA Amendments Act, the law on which the NSA’s recently disclosed Prism program relies). Instead of blindly accepting the government’s constitutionally questionable order, Yahoo fought back. The company challenged the legality of the order in the FISC, the secret surveillance court that grants government applications for surveillance. And when the order was upheld by the FISC, Yahoo didn’t stop fighting: it appealed the decision to the Foreign Intelligence Surveillance Court of Review, a three-judge appellate court established to review decisions of the FISC.
Ultimately, the Court of Review ruled against Yahoo, upholding the constitutionality of the Protect America Act and ordering Yahoo to turn over the user data the government requested. The details of the data turned over, and even the full opinion of the Court of Review, remain secret (a redacted version of the court’s opinion was released in 2008). Indeed, the fact that Yahoo was involved in the case was a secret until the New York Times revealed it earlier this month. Following the Times article and a new motion for disclosure by Yahoo, the government acknowledged that more information could be made available about the case, including the fact that Yahoo was involved.
After six years of silence, Yahoo is finally able to speak publicly about its fight.
Yahoo went to bat for its users – not because it had to, and not because of a possible PR benefit – but because it was the right move for its users and the company. It’s precisely this type of fight – a secret fight for user privacy – that should serve as the gold standard for companies, and such a fight must be commended. While Yahoo still has a way to go in the other Who Has Your Back categories (and they remain the last major email carrier not using HTTPS encryption by default), Yahoo leads the pack in fighting for its users under seal and in secret.
Of course, it's possible more companies have challenged this secret surveillance, but we just don't know about it yet. We encourage every company that has opposed a FISA order or directive to move to unseal their oppositions so the public will have a better understanding of how they've fought for their users.
Until then, we hope Yahoo's star will serve as a beacon for all companies: fighting for your users' privacy is the right thing to do, even if you can't let them know.