Garbage to gold: How Yahoo unethically sells your spam email | Computing
(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.
According to a report from the Wall Street Journal, Yahoo’s parent company, Verizon, knows you don’t use that old AOL or Yahoo inbox. It knows they’re just full of spam. Yet strangely enough, it’s selling data pulled from it without telling you — and staying alive by doing so.
All your mail are belong to us
The beans were spilled by a leaked Yahoo sales pitch. It detailed the tactics Yahoo uses to collect and sell personal data gained from its email accounts. It’s all laid out in explicit description, outlining not only how Yahoo mines email accounts for data, but why.
“This isn’t a new practice,” Theresa Payton told Digital Trends. Payton is a cybersecurity expert and the former Chief Information Officer at the White House. “What they do is scan emails, and then group similar users together for targeting. For example, if you have receipts from purchases you’ve made on Netflix or Hulu or Amazon Prime, they will group you and other email users that have similar receipts into a group, and then sell your data to media companies, TV outlets, and the movie industry.”
On paper, Yahoo isn’t doing anything unlike what Google has done in the past. For thirteen years, Google scanned the email of Gmail accounts and sold that data to advertisers on its Google Ads platform. Considering the amount of people that use Gmail, the amount of relevant data that could be mined was mind-boggling.
That practice has since been halted due to public outcry, but companies with less to lose — like Yahoo — have picked up on the idea and run with it.
Payton believes the Yahoo situation might be more sinister. Part of the problem is the raw capability of technology, which grows year by year, both in terms of processing power and maturity. According to Payton, behavioral-based, big data analytics are at a higher level of sophistication than they were just a few years ago. They can handle more data, so they collect more data.
“That human curation is maybe where the secret sauce is.”
Yet the biggest difference in Yahoo’s implementation is the human element. “There’s also the automated scanning process and then there’s a human curation process,” she said. “That human curation is maybe where the secret sauce is. Things are going to be done to this data that are going to be unique and different from how Google used to treat email accounts in the past.”
There’s no way to know exactly what human eyes scan at Yahoo, but the company’s privacy policies make clear that humans do read some emails. The policy posted by Yahoo’s parent company, Oath, states “when users click on the Spam and Not Spam buttons, information is sent to our anti-spam team or other spam compliance service providers for manual review, and aspects of these messages may be shared […].” The policy also references “manual review” for several other reasons.
Doug Sharp, Oath’s Vice President of Data, Measurements, and Insights, defended the practice when questioned by The Wall Street Journal. “I think it’s reasonable and ethical to expect the value exchange,” said Mr. Sharp, “if you’ve got this mail service and there is advertising going on.
So, Yahoo is reading emails that arrive in the 200 million inboxes it hosts. But who uses their Yahoo or AOL email account as their primary account these days, anyways? You probably don’t use Yahoo Mail as your main account, so it’s not your concern. Right?
Maybe not. Even the junk you’ve left behind in a secondary account is good enough to sell.
Mining spam for gold
“They actually talked about how a lot of people use their platform to forward their spam mail to,” said Payton. “So, they purely use it as an email address to hand out and let a bunch of marketing material go to. And that could be super helpful to marketers.”
Yahoo knows you don’t care about your Yahoo Mail account and has turned that into a selling point for marketers. Using the same scanning, grouping, and human curation described above, Yahoo has found a way to turn junk mail into sellable data. That might not sound bad, but Payton described a situation that could quickly go from harmless to dangerous.
“This could be their survival mode project to give them the cash influx they need.”
“What if you’re subscribing to Wine & Whisky newsletters — and that information is sold to health insurance companies?” she proposed. “I’m not saying that’s what they’re doing, but the question is, once the data is sold to third-party marketers, how do you know how that data is or is not going to be used or safeguarded?”
It gets even more worrisome when you consider the company Yahoo has become. It was acquired by Verizon in 2017, where it was merged with AOL to form an umbrella corporation known as Oath. That means all the data collected from Yahoo and AOL email accounts are not only shared with third-party marketers, but also distributed throughout the massive company. We’re talking about a lot of data, and a lot of ways to put it to use.
Exploiting what few people it has left
We don’t know how successful Yahoo has been at selling people’s spam. In a post-Cambridge Analytica world, it feels a odd for a company to shamelessly mine personal data as if no one cared — and as if regulatory bodies weren’t paying attention.
Still, we shouldn’t be surprised. Yahoo, like most companies, needs to make money to justify its existence. Mining email data is another way to keep the lights on. The consequences could be severe, but anything can look viable to a company with a lot of red ink on its balance sheet.
“Just think about the massive data breach they had and the legal fines that came from that,” said Payton. “This could be them thinking, ‘We’re sitting on a treasure trove of information that we can productize and monetize.’ This could be their survival mode project to give them the cash influx they need.”
Your Yahoo or AOL email accounts may have already been mined for data, but it’s worth heading over to deactivate it if you don’t currently use it. If you do happen to use Yahoo Mail as your primary account, we’d highly recommend disabling access to this kind of invasive scanning. It’s as easy as heading over to the Ad Interest Manager page and clicking on “Opt Out” under the Yahoo banner.
If nothing else, there’s one important lesson we can learn from all this. Data is still the most valuable commodity in the world, even if its out-of-date information tucked away in an abandoned corner of the internet.