Oath, Verizon’s online content subsidiary, which owns both Yahoo and Aol, has published a new privacy policy. The policy waives users’ rights to sue the company in a class action lawsuit. Oath also notes that this new change is “an important part” of its relationship with you. The company's new terms will also give it the right to fully analyze all of your emails and share "individually identifiable" data with Verizon and hundreds of third-party companies.
Yahoo And Aol Are Merging Infrastructures
Oath recently announced that it will be merging the email infrastructure of Aol and Yahoo. The company will use Yahoo’s back-end infrastructure to power the Aol email system, too.
Last year, we learned that Yahoo suffered the largest data breach in history, which exposed three billion user accounts. We also know from previous reports that Yahoo’s former CEO, Marissa Mayer, was often in conflict with the company's security team, so the infrastructure was likely not as secure as it could have been.
Reuters also reported that Yahoo’s leadership may have allowed an NSA backdoor to reside on its servers, giving the NSA search access to its email database.
Oath Waives Right To Launch Class Action Lawsuit
Oath’s new terms and policies disallow users from suing the company in a class action lawsuit, if they agree to these terms. However, if they don’t agree, the users will soon no longer be able to use their Yahoo accounts (Aol had already instituted a similar policy before Verizon purchased it). For the moment, users can skip the message, but it seems to appear on almost every interaction with the Yahoo Mail service.
In its new Terms of Service (ToS), Oath included the following:
You understand that by agreeing to these terms, arbitration or a small claims action will be the sole and exclusive means of resolving any dispute between us. You also understand that by agreeing to these terms, you and Oath are giving up the right to bring a claim in court or in front of a jury (except for matters that may be brought in small claims court), and that you and Oath are giving up the right to proceed with any class action or other representative action.
Oath arbitrations will be handled by the American Arbitration Association. Collective arbitration will not be allowed, which means each user will have to make their case against Verizon/Oath’s top lawyers and hope to win. In some cases, companies are not allowed to force users into arbitration. Therefore, Oath also says in its ToS that if the dispute proceeds in court, the users will agree that there will not be a jury trial, only a trial by court.
Although the new changes will affect users who now agree with the terms, a federal judge had already ruled last month that a class action lawsuit over the previous data breach must still go through. In that lawsuit, Yahoo is being sued for negligence in handling user data, breach of contract, and failure to disclose the breach in a reasonable amount of time. The breach happened in 2013, but Yahoo didn't disclose it until 2016. The users suing Yahoo also argued that the breach put them at risk of identity theft, which required them to spend money on credit freezes, monitoring, and other protections.
Oath To Share “Individually Identifiable” Data
The new privacy policy will give Oath permission to mine your Yahoo and Aol emails for advertising purposes. Yahoo had to settle a lawsuit in 2016 over its similar practices at the time. However, the company agreed to only analyze emails that were opened by users. Oath is taking all of that back, and will analyze every email, including information you get from your bank and the EXIF data of images and videos, location information, and more.
Additionally, Oath’s new ToS says that your Yahoo/Aol data will be shared within Oath, with Verizon and its affiliates, and over 100 third parties such as analytics companies, social widget companies, advertising technology companies, content and video content providers, game developers, and others.
The new privacy policy and ToS look quite aggressive in terms of how little control they give users, so it remains to be seen how the EU will respond once the GDPR passes. In the United States, the CONSENT Act may protect users against most of the potential abuses, if it passes. Although Oath is owned by Verizon, it’s still an “edge provider” itself, so it should still fall under the same regulations.