Yahoo to face class action lawsuit over email spying claims
Naked Security Naked Security

Yahoo to face class action lawsuit over email spying claims

Yahoo will face a class action lawsuit for allegedly violating users' privacy by scanning email messages for targeted advertising purposes.

Yahoo to face class action lawsuit over email spying claimsA US District judge has given the go ahead to a class action lawsuit which accuses Yahoo of illegally accessing and scanning emails – sent to and from its estimated 275 million Yahoo Mail subscribers – without consent.

The suit claims Yahoo intercepted and parsed the content of emails, including attachments, sent to Yahoo Mail customers from non-Yahoo accounts for the purpose of delivering targeted ads.

The non-Yahoo Mail users, who claim the sharing of that data with third party advertisers is a violation of federal and California state laws, are seeking an injunction that would block the alleged interceptions.

They also seek a damages settlement, something that is significantly enhanced through class action status. In all, it’s estimated that there could be more than 1 million members of the lawsuit.

According to District Judge Lucy Koh’s 44-page ruling, Yahoo must answer claims that it breached the Stored Communications Act (SCA) and California’s Invasion of Privacy Act (CIPA).

The Stored Communications Act affords Fourth Amendment-like protections to online communications, effectively limiting the ability of commercial entities to share the content of messages sent via the internet, unless the sender has granted their explicit consent.

California’s Invasion of Privacy Act was enacted to prohibit wiretapping of any conversation where there is a reasonable expectation that it is not being overheard or recorded. While it will be for a judge to interpret the meaning of “reasonable expectation” in this case, the alleged lack of consent is likely to be a crucial factor in their decision-making process.

Yahoo attempted to prevent class action being assigned on the same grounds as a similar case in March 2014 involving Google – i.e., that it was unclear who had or had not given consent. On that occasion, Koh ruled against class action.

Koh also ruled against Yahoo’s argument that “once Plaintiffs discovered that their emails to Yahoo subscribers were being intercepted, stored, and used by Yahoo, Plaintiffs then consented to Yahoo’s actions by continuing to email Yahoo subscribers” because the company failed to explain how users could avoid giving consent while at the same time establishing that their emails were at risk of being intercepted by the company.

In summing-up, Koh approved a nationwide class to non-Yahoo Mail subscribers who sent emails to or received emails from Yahoo Mail subscribers since 2 October 2011, saying they may sue as a group under the federal Stored Communications Act for alleged privacy violations.

In respect of the Invasion of Privacy Act claims, Koh limited the claim to California as the court would otherwise have to take wiretapping laws in all 50 states into account when making its decision. This action, she ruled, will be limited to non-Yahoo Mail subscribers who swapped emails with Yahoo Mail subscribers from 2 October 2012 onward.

Should a court ultimately rule in favour of the non-Yahoo Mail users, the damage to Yahoo’s business model could be significant – the BBC reports that 79% of the company’s revenue came from search and display advertising in 2014.

Irrespective of any future judgments by the court, Koh suggested that changes to Yahoo’s practices would be unavoidable, writing:

Yahoo may have to, as a practical matter, adjust its scanning practices on an individual basis. That does not, however, change the fact that plaintiffs seek uniform relief from a common policy that Yahoo applies to all class members.

Image of Yahoo courtesy of Ken Wolter / Shutterstock.