Tuesday, November 13, 2012
Despite continuous warnings Yahoo! refuses to introduce the encrypted connections to its web-mail service. Yahoo! continues to expose its users to danger, being the last major web-mail provider not using https. 'Yahoo!'s web-mail is often used by activists in countries with repressive regimes. There is proof of national security police using email copies as evidence during interrogation sessions', says Niels ten Oever of Free Press Unlimited. In an open letter the Electronic Frontier Foundation and Free Press Unlimited urge the multinational to hurry with the implementation of the secure https encryption.

Open letter to Yahoo! calls for action

Stubborn

Throughout the years experts have warned Yahoo! numerous times for the security hazards. Repeatedly, Yahoo! has ignored their urgent advice. The stubborn attitude of this multinational is especially severe because Yahoo! is widely used in countries ruled by repressive regimes. Activists and other critical citizens are regularly being arrested, because their Internet activities can be easily screened by national security police.

Conflicting ideals
This insecure situation, daily affecting citizens around the world, is in conflict with the promises CEO Jerry Yang earlier made to the US Congress. He stated that Yahoo! is committed 'doing to right thing' and globally 'protecting human rights'. The multinational also says to believe in 'free expression' and 'privacy'. The open letter stresses both the urgent need to implement the SSL encryption and the fact that Yahoo! undermines its own goals as a consequence of its stubborn attitude.

November 13, 2012

Marissa Mayer CEO Yahoo!, Inc.
701 First Avenue Sunnyvale, CA
94089

Cc: Patrick Robinson Interim Director, Business and Human Rights
Program

Dear Ms. Mayer:

As privacy and security advocates from around the world, we are
writing to you to express our deep concern with Yahoo!'s continued
delay in supporting encrypted connections to its vital
communications services. As individuals who engage with at-risk
communities targeted for surveillance and censorship, we see on a
daily basis how this negligence endangers human rights activists
who fight in some of the most repressive environments to protect
the basic freedoms that we take for granted. Five years ago, in
response to serious concerns about Yahoo!'s human rights record,
Yahoo! founder and then-CEO Jerry Yang promised to the US
Congress:

“Yahoo! is a company committed to doing the right thing and to
protecting human rights globally. We are a company founded on
openness, the exchange of information and user trust, and we
believe deeply in free expression and privacy.”

We want to see Yahoo! live up to those commitments in the
implementation of its services, and we regard the use of transport
encryption as a fundamental security requirement for e-mail.
Yahoo's principal direct competitors in the web-based e-mail
market, Microsoft and Google, have implemented HTTPS by default to
protect their users against hacking and spying. This leaves Yahoo!
Mail as the only major web-based e-mail service that continues to
rely on insecure connections.

Over the last several years, Yahoo! has repeatedly been urged by
security experts to adopt HTTPS, but has taken no visible steps to
do so. Unfortunately, this delay puts your users at risk, which is
particularly disturbing since Yahoo! Mail is widely used in many
of the world's most politically repressive states. There have been
frequent reports of political activists and government critics
being shown copies of their email messages as evidence during
interrogation sessions, underscoring the importance of providing
basic measures to protect the privacy of e-mail. Where online
communications platforms are essential channels for the the free
flow of information and outlets for expression, offering HTTPS by
default is a critical step that Yahoo! must take to blunt some of
the effects of mass surveillance and censorship.

Some of us have already been compelled to recommend that users
avoid Yahoo! Mail because of its continued lack of essential
security protections. For example, a recent video by the prominent
security training organization Tactical Technology Collective,
entitled 'Hey Yahoo! HTTPS my Emails!'
<https://onorobot.org/yahoo/email/security/https>, warns the
public to select only web mail services that can be accessed via
HTTPS. In an age of pervasive, inexpensive survillance, we believe
this is reasonable and appropriate advice.

We urge you to act as quickly as possible to act on this
commitment to user trust and security by taking the long overdue
step of deploying HTTPS for all Yahoo! communications services.

Please find all signatories here: https://www.eff.org/document/letter-marissa-mayer