Spark is doing the right thing checking with Yahoo whether Xtra customers may have had their emails snooped on by United States security agencies, privacy commissioner John Edwards says.
It was revealed overnight in the US that Yahoo complied with a secret US government directive to scan the accounts of hundreds of millions of its email customers to search for terms provided by the US National Security Agency or the FBI.
Spark outsourced about 500,000 Xtra email accounts to Yahoo in 2007 but Yahoo has not said whether they were among the accounts scanned on behalf of US security services.
Spark spokeswoman Michelle Baguley said on Wednesday morning that Spark was seeking information from Yahoo in Sydney.
Yahoo’s US-based senior director of corporate communications, Suzanne Philion, has since told Spark that Yahoo was “a law abiding company, and complies with the laws of the United States”.
Baguley said Spark would continue to ask Yahoo for more information.
Edwards said he would be “very concerned indeed” if the emails of New Zealanders had been scanned without proper warrants, legal authority and judicial oversight.
“It is completely unacceptable for these quiet deals to be made for access,” he said.
That kind of activity was leading to demands for data to be held locally and not moved across borders, he said.
But Edwards said that under New Zealand’s current legal settings there would be nothing to prevent a similar arrangement here.
“A host in New Zealand could provide that kind of service to the intelligence and security agencies if they were asked because those agencies have an almost total exemption from the Privacy Act.
“But under the reforms that have been proposed to the security agencies that have been introduced to Parliament that would change,” he said.
Early next year Spark will transfer all its Xtra email accounts off Yahoo, to a new email system supplied by New Zealand company SMX.
Spark has provided an important reassurance to Xtra customers about a massive hack on Yahoo in 2014 that came to light last month.
Information was stolen from about 500 million accounts, including Xtra accounts, in an attack Yahoo blamed on a foreign government.
Yahoo reported the stolen information in some cases included unencrypted security questions and answers, as well as people’s names, email addresses, telephone numbers, dates of birth and encrypted passwords.
But Baguley said Spark had since been assured by Yahoo that no security questions or answers were among the information stolen from Xtra users.
The loss of unencrypted security questions and answers could have had serious implications for Xtra users as they could potentially have been used for identity theft or to gain access and change passwords to a variety of online accounts.
“We do not believe any secret question information for Spark Xtra customers is at risk,” Baguley said. “Secret questions for primary account holders have been encrypted and stored locally by Spark for the last nine years as part of the sign-up process.
“There are a very small number of ‘legacy’ customers, prior to the Yahoo relationship 2007, whose encrypted secret questions were provided to Yahoo at the time of the migration and Yahoo have confirmed that these are stored on a different platform than the one at risk,” she said.
Edwards said that was significant, but companies should be moving to two-factor authentication to secure accounts. “Relying on security questions and username and password is just not good any more I think.”