Yahoo ordered to show how it recovered ‘deleted’ emails in drug case

library
crime | hacking | security

A judge has ordered Yahoo to explain how it recovered deleted emails in a drug case.

On the face of it, Yahoo shouldn’t have been able to do so since “Yahoo! is not able to search for or produce deleted emails,” according to its policies.

Yet somehow, the company handed over 6 months of messages that conspirators in a drug trafficking case thought had been deleted.

As Motherboard reports, defense lawyers are speculating that the emails were collected through real-time interception or a National Security Agency (NSA) surveillance program.

US Magistrate Judge Maria-Elena James granted the defense’s motion for discovery in an order filed on Wednesday in a San Francisco court.

The case surrounds Russell Knaggs, from Yorkshire, UK, whose Yahoo account was used to set up and discuss a deal to import 5 tons of cocaine from Colombia in 2009. Knaggs was already serving a 16-year prison sentence.

One of his conspirators would log into the email account “[email protected]” and write a draft email. Then, an accomplice based in Europe would read the draft, delete it from both the “draft” and “trash” folders, and write his own draft.

It was an attempt to keep the messages out of the hands of the law, but obviously, it didn’t work out that way.

Sukhdev Thumber, a lawyer representing Knaggs in the UK proceedings, had previously told Motherboard that the conspirators would sometimes simply remove the text in the draft by backspacing over it, rather than actually deleting the email.

Knaggs reportedly didn’t use the account himself.

At the request of UK police and the FBI, Yahoo took several snapshots of the email account in September 2009 and April 2010. Those snapshots preserved the email account’s contents and revealed the messages.

The defense would like to know how.

For its part, Yahoo has explained to the court that there’s deleted, and then there’s deleted. In other words, there are a series of steps between when a user hits delete and when a given email actually disappears off the company’s servers.

That has to do with Yahoo automatically saving copies of email drafts – autosaved to the “draft” folder on Yahoo’s email server “at periodic intervals” – even though a user hasn’t actively hit “save.”

As a user updates or changes the draft, the new version of the email is auto-saved. Previous versions don’t stay in the draft folder. However, they do remain on Yahoo’s email server, albeit invisible to a user, for an unknown period of time.

And that’s the window of time when Yahoo grabbed the snapshots of the drug traffickers’ emails, according to court documents:

There is a multistep process that must be completed before the previous drafts are permanently deleted from the email server system – and the user updating, changing, or even deleting the draft is only the first step in the deletion process…

Even if the user deletes their draft email, the previous versions of the draft are not automatically removed from the email system; the user cannot see previous versions of the draft in their email account, but the previous versions remain in the email system and on Yahoo’s servers until the entire removal process is complete…

And until the entire removal process is complete, the draft can still be captured in the account snapshots created by Yahoo.

That may well make sense but, the defense says, Yahoo has filed declarations on the matter from some of its staff that contradict each other. Indeed, the defense team says that they can’t even understand Yahoo’s explanation.

Thus, the defense team wants a whole lot more documentation: about Yahoo’s email and retention system, a copy of the retention software source code, and instruction manuals for the equipment Yahoo used to retrieve the emails.

The defense also wants a half day of deposition.

Yahoo resisted, calling it a fishing expedition. After all, the company said, it’s not even a defendant in the case.

The judge was at least partly sympathetic to Yahoo’s protestations.

Judge James trimmed the list of demanded documents down and told Yahoo to get a witness in to talk about just the email account in question.