Skip to content
Naked Security Naked Security

Yahoo ordered to show how it recovered ‘deleted’ emails in drug case

In spite of what its own policy says, Yahoo managed to hand over 6 months of messages that conspirators in a drug trafficking case thought had been deleted.

A judge has ordered Yahoo to explain how it recovered deleted emails in a drug case.

On the face of it, Yahoo shouldn’t have been able to do so since “Yahoo! is not able to search for or produce deleted emails,” according to its policies.

Yet somehow, the company handed over 6 months of messages that conspirators in a drug trafficking case thought had been deleted.

As Motherboard reports, defense lawyers are speculating that the emails were collected through real-time interception or a National Security Agency (NSA) surveillance program.

US Magistrate Judge Maria-Elena James granted the defense’s motion for discovery in an order filed on Wednesday in a San Francisco court.

The case surrounds Russell Knaggs, from Yorkshire, UK, whose Yahoo account was used to set up and discuss a deal to import 5 tons of cocaine from Colombia in 2009. Knaggs was already serving a 16-year prison sentence.

One of his conspirators would log into the email account “slimjim25@ymail.com” and write a draft email. Then, an accomplice based in Europe would read the draft, delete it from both the “draft” and “trash” folders, and write his own draft.

It was an attempt to keep the messages out of the hands of the law, but obviously, it didn’t work out that way.

Sukhdev Thumber, a lawyer representing Knaggs in the UK proceedings, had previously told Motherboard that the conspirators would sometimes simply remove the text in the draft by backspacing over it, rather than actually deleting the email.

Knaggs reportedly didn’t use the account himself.

At the request of UK police and the FBI, Yahoo took several snapshots of the email account in September 2009 and April 2010. Those snapshots preserved the email account’s contents and revealed the messages.

The defense would like to know how.

For its part, Yahoo has explained to the court that there’s deleted, and then there’s deleted. In other words, there are a series of steps between when a user hits delete and when a given email actually disappears off the company’s servers.

That has to do with Yahoo automatically saving copies of email drafts – autosaved to the “draft” folder on Yahoo’s email server “at periodic intervals” – even though a user hasn’t actively hit “save.”

As a user updates or changes the draft, the new version of the email is auto-saved. Previous versions don’t stay in the draft folder. However, they do remain on Yahoo’s email server, albeit invisible to a user, for an unknown period of time.

And that’s the window of time when Yahoo grabbed the snapshots of the drug traffickers’ emails, according to court documents:

There is a multistep process that must be completed before the previous drafts are permanently deleted from the email server system – and the user updating, changing, or even deleting the draft is only the first step in the deletion process…

Even if the user deletes their draft email, the previous versions of the draft are not automatically removed from the email system; the user cannot see previous versions of the draft in their email account, but the previous versions remain in the email system and on Yahoo’s servers until the entire removal process is complete…

And until the entire removal process is complete, the draft can still be captured in the account snapshots created by Yahoo.

That may well make sense but, the defense says, Yahoo has filed declarations on the matter from some of its staff that contradict each other. Indeed, the defense team says that they can’t even understand Yahoo’s explanation.

Thus, the defense team wants a whole lot more documentation: about Yahoo’s email and retention system, a copy of the retention software source code, and instruction manuals for the equipment Yahoo used to retrieve the emails.

The defense also wants a half day of deposition.

Yahoo resisted, calling it a fishing expedition. After all, the company said, it’s not even a defendant in the case.

The judge was at least partly sympathetic to Yahoo’s protestations.

Judge James trimmed the list of demanded documents down and told Yahoo to get a witness in to talk about just the email account in question.

Yahoo has until 31 August to produce the witness and the documents.

8 Comments

This should be really interesting. I seem to remember several years ago Yahoo, or maybe another email service, said that they retain deleted emails for 6 months. But that was a long time ago. I will enjoy reading the update, thanks!

Given Yahoo’s ability to refuse my new password for being too similar to my old, I’d speculate they’re not properly storing passwords, either

Does the password change dialog require you to enter your old password to set the new one? (That’s common, even if you are logged in already, so that someone who uses your computer while your back is turned doesn’t get almighty powers for everything.)

If so they can be compared without either being stored…

One system we wrote keeps an encrypted log of the users past x passwords and uses a list of the most common passwords e.g. the 1234… type that occasionally get published and also uses things such as LIKE in order to try to ensure that passwords are not reused, common or similar to the previous one. After all, if your old password is known to a hacker, there is a high chance that the new one will be a variation e.g. last character added or changed, or a number incremented. With collaborative systems, security is only as good as the security of the weakest user on the system. People tend to forget that there may be folders in OneDrive, Google Drive or Dropbox that they have shared with others and these are only as secure as the passwords of others.

Three years ago, someone hacked my Hotmail account and deleted everything. I discovered the hack about 3 or 4 days after the fact. I phoned Microsoft immediately and asked if I could get back the deleted emails, but their representative told me no.

Was the representative incorrect or possibly lying to me?

I’m curious to know how the police / NSA / whoever “intercepted” unsent e-mails… ?

@Adam, the electronic data still goes back and forth from Yahoo while the user is composing it.

I understand that there is a transatlantic undersea cable that comes ashore in Cornwall and that electronics may be attached to it to eavesdrop.

If it is transmitted by satelite then it may just be a case of plucking it out of thin air…

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?