I thought you might all appreciate this exchange between me and Yahoo. In essence, I was trying to get them to take down a website with sensitive information. The owner was nowhere to be found. The registered owner of the domain was a company who pointed me to Yahoo, since Yahoo was the host. Yahoo kept stonewalling me with incorrect form letters. I’ve edited a little for brevity.
Original Message Follows:
————————-
To Yahoo Abuse:
My name is Aaron Titus. I am the Information Privacy Director for the Liberty Coalition.
In September 2007, a file containing around the names, social security numbers, scores, grades, and other information of about 60 students. Though the file had already been removed from your site when it was discovered on September 13, the information was available until September 18, 2007 through a Google Cache.
The file was available online:
[hyperlink omitted]
In addition, the file was available through at least one major search engine.
You should consult legal counsel to determine whether your state has applicable breach notification laws. We trust that you will take action to remove the sensitive files, clear search engine caches, and notify internet archives such as http://web.archive.org, as soon as possible.
This apparent breach will be reported to the FBI through ic3.gov. It will also be documented at SSNBreach.org, once the file becomes unavailable to the public, and it appears as though cached versions have been removed from major search engines.
…
Do not hesitate to contact me if you have any additional questions.
-Aaron Titus
—–Original Message—–
From: Yahoo! Domains [mailto:domains-abuse@cc.yahoo-inc.com]
Sent: Friday, November 09, 2007 12:27 PM
To: Aaron Titus
Subject: Re: Scratchpad50.com Personal Information Breach
(KMM60105393V28300L0KM)
Hello Aaron,
Thank you for writing to Yahoo! Domains.
We appreciate your reporting this instance of abuse. Please write back with a more detailed description of the issue in question and include as much of the following information as you can:
1. A more detailed description of the complaint or issue.
2. Any other information that may help us investigate and take the appropriate action.
Please include the requested information in the body of your email response, and do not send attachments as we are unable to open them.
Additionally, you may want to review the Yahoo! Domains Terms of Service at:
http://smallbusiness.yahoo.com/tos/tos.php
Thank you again for contacting Yahoo! Domains.
Regards,
Stan
Yahoo! Customer Care
41624814
For assistance with all Yahoo! services please visit:
http://help.yahoo.com/
Original Message Follows:
————————-
Yahoo Abuse,
In response to your “more detailed description of the complaint or issue,” I invite you to read my original e-mail, which reports the issue with painstaking detail. As a courtesy, I have included the original detailed report [in this] e-mail.
Next time, please at least try to pretend that you’re not sending a form letter.
-Aaron Titus
—–Original Message—–
From: Yahoo! Domains [mailto:domains-abuse@cc.yahoo-inc.com]
Sent: Saturday, November 10, 2007 9:45 AM
To: Aaron Titus
Subject: RE: Scratchpad50.com Personal Information Breach
(KMM60147527V5861L0KM)
Hello Aaron,
Thank you for writing to Yahoo! Domains.
We appreciate your inquiry and are sorry for the issues you are experiencing with Google search results. Unfortunately, we are not affiliated with Google and are not able to address any concerns that you may be experiencing with their services.
If you have issues with Google’s search services, we recommend that you contact them directly to have these issues addressed. You can do so by visiting the following page:
http://www.google.com/intl/en/contact/index.html
Thank you again for contacting Yahoo! Domains.
Regards,
Stan
Yahoo! Customer Care
41624814
For assistance with all Yahoo! services please visit:
http://help.yahoo.com/
Original Message Follows:
————————-
Boy, you guys really are dense.
Please note that the title of this e-mail is “Scratchpad50.com Personal Information Breach.” As described in my original e-mail, the domain, Scratchpad50.com had exposed several people to increased risk of identity theft. Yahoo is the host for Scratchpad50.com, and should therefore 1. Investigate, and 2. Take appropriate action to eliminate the files mentioned.
If you insist on continuing to reply with irrelevant form letters, next time try to pick one that has some bearing on reality. Or, you can save us both some time and simply say outright,
“Because we get a high volume of e-mails, we do our best to stonewall as many questions with non-answers as possible. This policy keeps our work levels a manageable level. In addition, even though this e-mail address is ‘abuse@yahoo.com,’ Yahoo, Inc. has not empowered us to take any action of a substantial nature to actually fix problems. We are only permitted to answer low-level customer questions, and make sure that customers are not able to penetrate too far into the organization.”
Please consider adding such a form letter to your repertoire.
-Aaron Titus
—–Original Message—–
From: Yahoo! Domains [mailto:domains-abuse@cc.yahoo-inc.com]
Sent: Sunday, November 11, 2007 6:18 AM
To: Aaron Titus
Subject: RE: Scratchpad50.com Personal Information Breach (KMM60186560V79817L0KM)
Dear Aaron,
Thank you for writing to Yahoo! Domains.
Yahoo! Domains is evaluating your request, however, Yahoo! Domain is unlikely to remove the page for the reasons explained below.
Although you have objected to material posted on this Yahoo! Domains user’s page on defamation grounds, Yahoo! Domains is not in a position to know the truth or falsity of the statements at issue and therefore cannot take a position on claims, if any, you may have against this user. Your complaints may be directed more appropriately to the individuals who posted the allegedly objectionable statements. If you are not aware of the identity of this individual, please be advised that Yahoo! Domains complies with third-party subpoenas seeking information that pertains to the identities of given subscribers, within the limits of the federal Electronic communications Privacy Act, 18 U.S.C. ? 2701 et seq., and state law.
We recognize that you may be disappointed with this response, however, it is consistent with federal law. Congress enacted the Communications Decency Act of 1996 (“CDA”), which provides that online service providers may remove, edit or not remove or edit content, in their sole discretion, in recognition of the unique role of online service providers such as Yahoo! Domains. Simply stated, this federal statute protects online service providers from any liability for third-party statements, or for the removal or failure to remove such statements. See also, Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997), cert. denied, ___ U.S.___ (1998).
Should you have further questions regarding this matter, you may direct them in writing to:
Legal Department
Yahoo! Inc.
701 First Ave.
Sunnyvale, CA 94089
Thank you again for contacting Yahoo! Domains.
Regards,
Miller Daniels
Yahoo! Customer Care
41624814
—–Original Message—–
From: Aaron Titus
Sent: Sunday, November 11, 2007 3:05 PM
To: ‘Yahoo! Domains’
Subject: RE: Scratchpad50.com Personal Information Breach (KMM60186560V79817L0KM)
Yahoo Domains,
Thank you for finally finding the [almost] correct form letter! Good Job! [except, I wasn’t talking about “defamation”]
-Aaron Titus