Yahoo Persists in Scanning Emails for In-Depth Ad-Targeting

While the rest of the U.S. tech industry is taking steps to assuage consumer concerns over privacy and data-harvesting, Yahoo is selling off the ability to scan more than 200 million Yahoo Mail inboxes for rich user data that might be used for marketing purposes.

Verizon’s Oath unit, which owns Yahoo and sister company AOL, is making a push for the capability and actively positioning the service to advertisers, according to the Wall Street Journal. It’s not necessarily a new tactic: Citing company employees and “people who have attended Oath’s presentations” – i.e., prospective users of the service – the outlet reported that Yahoo has been scouring mailboxes for clues as to users’ product preferences for at least a decade.

For now, the need to make the business model work is winning out. Yahoo is the only U.S. email provider that data-harvests consumer details from inboxes – Microsoft has never done it, it told the WSJ, and Google discontinued using email data for targeting last year, when the demand for better consumer privacy began to find its voice.

Oath however sees the practice as one of its “most effective methods” for improving ad targeting, according to Doug Sharp, Oath’s vice president of data, measurements and insights.

He told the WSJ that consumers prefer targeted ads, so they’re more effective, and effective ads allow better monetization for the email service that’s free to consumers. As such, the practice is justifiable, he argued.

“Email is an expensive system,” Sharp said. “I think it’s reasonable and ethical to expect the value exchange, if you’ve got this mail service and there is advertising going on.”

Electronic Frontier Foundation (EFF) senior staff Attorney Lee Tien told Threatpost that it’s not a practice it condones, but that so far, the legal and regulatory framework is on the side of advertising and the internet economy.

“We don’t like it, and we have been fighting this fight for years,” he told us. “This is being driven by targeted advertising, and that’s what our Do Not Track and Privacy Badger work has been all about. But this is the downside of ‘free’ services. If you get it for free, you are paying for it in some way with your data. There have been lawsuits, but given past history [of settlements], I would let consumer class-action lawyers or attorneys general try. This is also why good privacy legislation matters.”

That said, Yahoo said that it does set boundaries – Yahoo only combs through “commercial emails” from organizations and mass-mailing servers, Sharp said – so it insists that it doesn’t pry into personal correspondence. Email addresses and other personal information is also stripped out of what advertisers can access, the company said.

However, some may be uncomfortable with the process. Yahoo flags mails as commercial using a set of algorithms and a database of known commercial senders and mail types. From there, it uses cookies to keep track of users’ preferences, and to allow marketers to follow users across the web, using the data in their email to serve targeted messages across a range of sites.

Specifically, the service gleans information from receipts for products and services, travel itineraries, confirmation messages for various accounts and services, and promotions. The data includes everything from trade confirmations for online brokerage accounts to Uber receipts to auto loan and mortgage notifications.

There’s no indication that Yahoo plans to back off on the data-harvesting anytime soon, and despite assurances of anonymity, some point out that the data provides valuable fodder for potentially creating a rich picture of individual users, especially give the cross-web tracking capability. This includes by bad actors: Yahoo, after all, is no stranger to data breaches, and tracking cookies have their share of leak problems.

“This [still] feels like an invasion of privacy,” Dan Goldstein, president of Page 1 Solutions, told Threatpost. “Users receive promotional emails from companies with which they do business. That information could be incredibly useful to advertisers and has the potential to help consumers by presenting them with competing products and services that are of interest. On the other hand, if that information is sold to third parties it can be used to create a comprehensive picture of each Yahoo mail user and that has the potential to be abused by malicious actors.”