Photographer: Scott Barbour/Getty Images

Mass Surveillance Is Part of Yahoo's Business Model

Spying for the government isn't all that different from what internet companies do for advertisers.

Yahoo has been getting a lot of attention lately for its failures to protect personal information. What's perhaps more remarkable, though, is how little privacy American internet users demand.

First came news that hackers stole personal data on more than 500 million Yahoo users. Now the company is dealing with reports that it helped the Justice Department conduct mass surveillance by scanning e-mail traffic for signs of a terrorist organization. One has to wonder: When Verizon finally completes its planned acquisition of Yahoo, will there be any users left to acquire?

Yet if there’s one thing Americans value more than freedom, it’s free stuff. Thanks to decades of conditioning, people have this notion that online services -- e-mail, news, porn, search engines -- should be available without charge, like Yahoo. The employees of internet companies are magically compensated in starlight and dreams, so everything they produce should be gratis

The unfortunate truth is that internet companies need revenue. And if users don’t want to pay, that revenue has to come from advertisers. Yahoo, Google, Facebook, Snap(chat), and Twitter all make money by selling ads. It’s not an easy business model. Online advertising is a highly competitive market with low barriers to entry; all it takes is an app and a paying advertiser.

Cutthroat competition has led platforms to differentiate themselves with targeted advertising -- the ability to show ads relevant to a user’s interests. Effective targeting means collecting as much personal data as possible. As a result, we have “free” e-mail products that scan message contents, “free” news sites that track us all over the internet 1 , and “free” search engines that display ads based on our queries as well as our browsing history.

Verizon acquired AOL, and plans to acquire Yahoo, not for the aging user base but for the ad technology. You know how advertisers display creepy re-targeted ads based on the sites you visit? Verizon now has the ability to add cellular location information to bring that delightful experience into the physical world.

Users might complain that invasive advertising is a violation of privacy, but online service providers don’t promise any privacy 2 . In fact, Yahoo explicitly states the opposite in its Privacy Policy: “Yahoo analyzes and stores all communications content, including e-mail content from incoming and outgoing e-mail.”

Yahoo scans all of its e-mail traffic. Not just to filter out malware and illegal stuff 3 , but also to deliver targeted advertising. So monitoring e-mails for terrorist communications wouldn't be much different from what it already does.

Situations like this led the European Commission to adopt new data protection laws. Europeans take the protection of personal data seriously, a view no doubt influenced by memories of the Gestapo, Stasi, Estado Novo, Francoist Spain, and Italian Fascism. Continental Europe understandably has very well-founded fears of a surveillance state.

In the U.S., people seem to care more about freedom from excessive legislation. Data privacy is left largely to the market, the idea being that consumers will allocate their attention to service providers that respect their privacy needs. In practice, the relationship is highly asymmetric: Nobody reads company privacy policies, and companies are exceptionally vague in describing their reach.

Apple was held up as an exemplar of civil liberties when it fought the Justice Department’s order to help the FBI unlock an iPhone. It was able to extract itself from the order largely because the technology to break into a user’s phone did not exist. Apple has a strong history of protecting the privacy of its customers, but it is also in the unique position of having convinced people to pay for its products. Most internet service providers don’t have this luxury.

Before resigning, Yahoo’s chief information security officer, Alex Stamos, pushed for the company to adopt end-to-end encryption. This would have made it impossible for third parties to eavesdrop on user communications. It didn't happen. Apparently, protecting e-mails was not a priority for a company whose business model depends in part on searching and indexing them so it can target advertising.

Non-paying users should realize that they are not customers. They are products that internet companies sell to advertisers. No one wants to be treated as a commodity, but businesses need money to feed their employees and pay the rent. The technology that makes online services free and convenient just happens to be the same technology that enables mass surveillance.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

  1. This web page contains tracking scripts that relay your IP address and browser fingerprint to Google’s ad network. Google’s DoubleClick is the largest ad network in the world, and all major websites use it. I’m sorry.

  2. Yahoo is by no means the worst offender. Google states: “Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection. We may combine personal information from one service with information, including personal information, from other Google services.”

    Here’s Facebook: “We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created.”

  3. Internet service providers are liable for any child pornography hosted on their servers. However, there is a safe harbor affirmative defense if the service provider reports the image to law enforcement, “promptly and in good faith.”

To contact the author of this story:
Elaine Ou at

To contact the editor responsible for this story:
Mark Whitehouse at

Before it's here, it's on the Bloomberg Terminal.