Put consumers first
Yahoo is committed to putting our consumers first. We know that our users place their trust in us, and we take seriously their privacy and our role in respecting and promoting free expression.
As part of our commitment to your privacy, security and freedom of expression, we publish our transparency report along with information about our approach to handling requests for user data or to remove content. But it doesn’t stop there. Here are some ways we’re putting this commitment into action.
Our approach in action
Our commitment to put consumers first translates into action in three concrete ways:
When faced with government requests for user data or to remove content, we follow our Global Principles for Responding to Government Requests. This means we consider all appropriate options in order to protect the rights of our users. This can include seeking clarification or modification of the government demands we receive or contesting these demands, such as by challenging them in court. We also work to narrowly interpret such demands and minimize the disclosure of user data or the impact on free expression. We share information about these efforts in our Transparency Report for Government Data Requests and Government Removal Requests.
We’ve encrypted many of our most important products and services to make them more secure for our users. This includes:
Encryption of the traffic moving between Yahoo data centers;
Making browsing over HTTPS the default on Yahoo Mail, Yahoo Homepage, AOL, and many other Yahoo properties;
Implementing the latest in security best-practices, including supporting TLS 1.2 with 2048-bit RSA keys and strong encryption ciphers as well as Forward Secrecy for many of our global properties;
The addition of modern protection mechanisms to many of our products, services, and domains such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), OCSP Stapling, Certificate Transparency, and Certification Authority Authorization (CAA) DNS Resource Records, and;
We are committed to notifying users when we strongly suspect they may have been the target of a state-sponsored attack.
- We have established a first-in-class information security program, which includes written policies, processes, and controls that are annually assessed by an external auditor against well-established industry standards, including the NIST Cybersecurity Framework, PCI, and SOC2. These policies and technical controls allow only a limited number of employees access to user data and limit what they may or may not do with sensitive information. Our Insider Team continuously monitors and enforces these policies.
- We are committed to notifying users when we strongly suspect they may have been the target of a state-sponsored attack.
- We provide resources on how users can protect themselves against fraud or secondary harm. This includes providing customized security recommendations based on the state of your account, such as verifying alternate contact methods and encouraging users to implement two-factor authentication. In the case of a breach, we determine the best course of action to mitigate harm to our users, and immediately notify you, via email and in-app notifications, and reset passwords if we believe malicious actors have gained unauthorized access to user accounts.
- Upon detection, or otherwise learning of a suspected data compromise, our incident response team is immediately deployed to determine who, what, when, where, and how our systems may have been compromised. In accordance with our incident response plan we work on two primary parallel tracks: (1) to immediately contain and remediate the incident to limit potential harm, and (2) to meet tight regulatory timelines to notify regulators and users, without undue delay.
As a global internet company, Yahoo is committed to respecting our users’ rights to privacy and freedom of expression across the globe. Our Global Public Policy team advocates for public policy solutions that protect our users, including by advocating in favor of surveillance reform consistent with these principles, working with partners to develop smart policies for the flow of data across borders, and supporting laws and regulations that protect our users data and right to freedom of expression, as well as our platforms.
We are committed to respecting and promoting free expression and privacy on the internet. Yahoo’s Business & Human Rights Program coordinates and leads our efforts to make responsible business decisions in the areas of free expression and privacy.
Yahoo is a member of the Global Network Initiative, and currently serves on the organization’s Board of Directors. This multi-stakeholder coalition of information and communications technology companies, human rights organizations, academics, investors and other experts aims to collectively address the challenges we and other companies face in the critical areas of privacy and free expression when bringing transformative communications technologies to markets around the world.