Kurt Opsahl - EFF
Earlier this week, Yahoo! announced a plan to try to leverage its Yahoo! Mail users' contacts into a social network of friends who will receive your Yahoo! Updates. Once the most visited website in the world, Yahoo! now ranks fourth worldwide, reaching about a quarter of all Internet users each day. Like Google Buzz's ill-fated launch using Gmail contacts, Yahoo! wants to jump start its social networking plans with the hundreds of millions of people who already use its email and messenger services.
While Yahoo! made some effort to avoid the worst aspects of the Facebook and Google Buzz privacy controversies, ultimately the plan conflicts with two principles of the EFF Bill of Privacy Rights for social network users. The program will begin a roll out next week, and Yahoo! users need to opt out if they do not wish to participate.
What Are Your Yahoo! Updates?
Yahoo! Updates are similar to Facebook's news feed and Twitter's tweets. For people who receive your Updates (more on that below), they will be seen on the basic Yahoo! Mail screen, in a category called “Updates” just below where email messages are displayed.
Updates will "include things like comments on message boards, songs you’ve rated, movies you’ve reviewed, articles you’ve Buzzed, photos you’ve uploaded in Flickr, questions you’ve asked or answered on Yahoo! Answers and other similar activities." If you have customized your Yahoo! homepage with apps, these apps may also generate Updates. According to Yahoo!, "Because the majority of events listed within Updates are inherently public activities, our defaults are set to allow anyone to see them."
Here’s the problem: Even though many of these events are indeed available to the public in that they can be found if searched for (often by looking in specific places), this does not necessarily mean that users want all of these activities to be pushed onto the home email screens of other users. Whether or not users will want this publicity depends on who will see the Updates.
Who Will See Your Yahoo! Updates?
You can never know the complete list of those who will receive Updates about your activities on Yahoo!. Previously, your Updates were shared with your Connections, an earlier Yahoo! effort at opt-in social networking that was not widely adopted. More recently, Yahoo! started sharing with your Yahoo! Messenger buddies. Starting next week, your Updates will get posted automatically to anyone who has you in their Yahoo! Mail address book, as opposed to, for example, the people in your address book. Thus, if someone wants to follow your Updates, they can just add you to their address book and you will not know.
What that means is that whenever your doctor, your ex, your stalker, or your plumber include your email address as a Contact in their address book, they will automatically see Updates about your activities on Yahoo!’s many, many websites whenever they log into Yahoo! Mail.
In an effort to avoid Google's gaffe in making Buzz user's email contacts public, Yahoo! Updates will not publicize who is in your address book or who has you in their address book. By publishing Updates only to people who have you as a Yahoo! Contact, rather than to those people whose addresses are in your Yahoo! Contact list, Yahoo! will avoid revealing any information about who is in your address book. This solves one privacy problem but creates another: you can’t make an informed decision about publicizing your activities because you don’t know who will see it.
The EFF Bill of Privacy Rights requires "a clear user interface that allows [users] to make informed choices about who sees their data and how it is used," and that "Users should be able to see readily who is entitled to access any particular piece of information about them." Yahoo!’s system fails to uphold these rights since it doesn’t let you know or control who is getting sent your Updates.
While implemented differently, Yahoo!’s strategy ultimately falls prey to the same underlying problem as Google Buzz: your email contact list and your social network are not the same thing, and in some cases may be quite different – and products that try to turn one into the other are doomed to hurt users. As Newsweek put it "Social networks are about sharing, and e-mail services are intensely private. Like lightning and swimming pools, they just don’t mix."
Google Buzz incited controversy because its Gmail users' contacts were a poor match for their friends. One might email with doctors, lawyers, landlord, bosses, former spouses, and the like, and yet not want to share personal photos and links with them (nor receive updates from them).
Likewise, when it comes to Yahoo! Updates, there will likely be other Yahoo! Mail users who have your email in their address book, but are not actually your friends; you may not even know them at all or you may know them only as your doctor, your child’s teacher or your car mechanic. Yet all of those Yahoo! users who happen to have your Yahoo! email address will soon be getting a constant stream of your online activity, unless you opt out. (They could also choose to block your Updates, if they do not care to see your activities).
Can You Control Who Receives Your Yahoo! Updates?
Not on a person-by-person basis. You can control what categories of content are included in your Updates stream. For example, you can choose to include your comments on Yahoo! News stories but not include the photos you post to Flickr. You will also be able to decide whether or not a particular action is published to the Update stream at all, on a per-post opt-out basis. Or you can decide to just opt-out of Updates completely. However, as noted above, there are currently no controls over who receives your Updates. As a result, Yahoo! Mail users will soon find themselves automatically opted in to a new sharing program without control over with whom they are sharing.
This opt-out program conflicts with EFF’s Bill of Privacy Rights, which provides that "When the service wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user." These contacts were provided to Yahoo! for the purpose of email and messaging, not social networking. If Yahoo wants to use that data for a new purpose, it should only do so on an opt-in basis.
How to Opt Out of Yahoo! Updates
You must opt out if you don't want to publicize your activities with anyone who has your email address in their address book. In the wake of the Facebook privacy settings controversy, Yahoo! has made the opt-out process fairly straight forward.
Yahoo! Updates Sharing Control
To opt-out of the new program, go tohttp://profiles.yahoo.com/settings/updates/ and uncheck the box next to Share My Updates. In addition, to opt out of sharing authorized by your friends, you need to go tohttp://profiles.yahoo.com/settings/permissions, and uncheck "Allow my connections to share my information labeled 'My Connections' with third-party applications." While on this page, you should review your settings, and adjust the privacy levels as appropriate. This page also allows to to hide your profile entirely.