Policy Analysis
YAHOO! Privacy Policy

INLS 187: Information Security
Allyson Silver
Assignment 2
February 26, 2003

Introduction

 About a year ago, my sorority sisters and I decided to create a listserv for those of us on campus and in the area to communicate with one another on an easier basis than playing phone tag and trying to contact each other with other means of communication.  The one stipulation we set was that everyone must create an off-campus email address to be added to the listserv.  I decided to go with YAHOO! to create and manage an email account.  Prior to this incident, I had only used my account with UNC and with America Online, so I was not sure what to expect with YAHOO!.  Prior to creating the account I took a look at Yahoo's Privacy Policy regarding email accounts, to see exactly what privacy Yahoo was able to offer its customers.

Summary

 Basically, this Privacy Policy is very similar to other online privacy policies regarding email accounts and registering with a particular website, generally speaking "it defines the aims and goals" of the application (Schneier, 308).  It discusses the information that YAHOO! collects from its users and how the company uses and distributes this information.  Additionally, it reviews the account policy for children under the age of 13, stating that a parent must create this account under the Yahoo! Family Account plan.  Yahoo! also details the instances in which it may "rent, sell or share" a user's personal information, stating that it will only do this pertaining to information the user has requested and under certain listed circumstances.  Yahoo! sets and accesses cookies on users machines, and it allows its partnering companies and advertisers to access there cookies on user machines. Users have the right edit their personal information and to completely delete their account information and preferences.  Yahoo! protects user information from employees who do not need to see it, and protects personal information with SSL-encryption, password protection, and other safeguards, to ensure user privacy.  Also, Yahoo! reserves the right to update and make changes to this policy as they see fit.

Criteria

 1.  Identification and Authentication (Schneier): Does this privacy policy allow user's to have individual accounts that are password protected?  Are the emails/preferences/contacts of a users account protected by a username and user selected password that can be changed as needed?

2.  Protection of Personal Information:  Does the privacy policy give a detailed account of the conditions of the use and distribution of the user's personal information?  How and why is the information collected, and what good does it actually provide to the user?  Additionally, does sharing personal information doe more harm than good for the user?

3.  Security Against Attackers:  Based on the Schneier reading, does this policy protect users from being attacked?  Not necessarily from viruses that the user may have contracted outside of the application, but from attackers who attempt to "eavesdrop" or manipulate the users email account?  Can we ensure that all email we send and receive are safe and are from the stated "sender"?

4.  Ease of Deletion of Account:  If I am not satisfied with the account or the policy, how easy is it for me to rid myself of the created account?  Are there any stipulations attached with deleting the account if I am unsatisfied?

Analysis

 Identification and Authentication
Yahoo's Email Accounts and Privacy Policy successfully passes this criteria.  As every Yahoo! user is given an account that is under his/her selected username.  Additionally Yahoo! states in its privacy policy that "your Yahoo! Account Information is password-protected", meaning that essentially no one can access you account without the proper username and password.

Protection of Personal Information
Yahoo! gives a lengthy explanation of how it uses users' personal information in its Privacy Policy.  It states that it receives that personal information when you first register and give basic information (address, zip code, birth date, interests, etc.), visit any Yahoo! pages or advertisements, make any transactions, or purchases via Yahoo's site, or enter any of Yahoo or its business partners sweepstakes or promotions (Yahoo.com).  Additionally, Yahoo! states the following as to its uses of the personal information : "Yahoo! uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients."  Overall, I guess that the importance of this criteria is relative to the user as I personally do not like to have pop-up windows and advertisements pertaining to being a 21 year old female.  I would much rather not have this information collected and have the annoying advertisements and offers spared.  I have also noticed that this information really does clog up the "Bulk" mailbox in Yahoo! as I sometimes receive up to 70 junk emails a day pertaining to college loans, online degree programs, and sweepstakes that I have never entered.

Security Against Attackers
Yahoo! does not explicitly state how it will work to prevent any types of hacking or security issues, however it does state the following:  "We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs. We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you. Your Yahoo! Account Information is password-protected. In certain areas Yahoo! uses industry-standard SSL-encryption to protect data transmissions".  It would be nice to know exactly what steps are taken on Yahoo's end to prevent any types of hacking from taking place.

Ease of Deletion of Account
Yahoo! states specifically the terms of deleting an account on its Account Deletion page.  It states that "In most cases your account will be deactivated and then deleted from our user registration database in approximately 90 days. This delay is necessary to discourage users from engaging in fraudulent activity. Additionally, due to the limited number of names available, we may allow other users to sign up for and use your current Yahoo! ID and profile names after your account has been deleted."
Yahoo! also explains what data will remain after the account is deleted on their Data Storage: Account Information page.

Recommendations

 Overall, I think that Yahoo's Privacy Policy meets the criteria that I selected for such a policy.  The accounts created are password and user protected, and they are easily able to be deleted at the user's discretion.  Yahoo! also states how a user's personal information is protected and or used, but it does not give details as to how much marketing and promotions a user will encounter as a result of the shared data.  As a user who is strictly using Yahoo! for email, the advertisements, promotions, junk email, and pop-up windows becomes very annoying after a while.  Additionally, if you accidentally click on a pop-up window as your screen is opening or read one of the junk emails, it only opens your account up to more marketing tactics.  Although, Yahoo! does in some way explain this in the Privacy Policy, I think that it is slightly unclear to me as user exactly how I will be effected by the information sharing.  I think that the biggest recommendation for Yahoo's Privacy Policy would be to add a clause stating how the user will be effected by the personal information that Yahoo collects and shares with its business partners.