Frequently asked questions

Under what circumstances will Oath disclose information about a user to a government agency?

Globally, Oath may disclose user data in response to valid legal process (such as a subpoena, court order, or search warrant) from a government agency. We carefully review all government requests to determine the appropriate scope of data to be provided and interpret the requests narrowly in an effort to produce the least amount of data necessary to comply with the request. We have previously objected, and will continue to object, to process that is overbroad or inconsistent with applicable law. We may voluntarily disclose user data in the rare instance where we conclude that disclosure without delay is necessary to prevent imminent danger of death or serious physical injury to any person, as permitted by law.

In addition to requiring that all requests for user data comply with applicable laws, we also require that:

  • The legal process specifically identifies the user account that is subject to the request by user ID, email address, screen name or other appropriate identifier. This will help us identify the particular Oath account subject to the request. Requests to identify users based on real names or IP addresses may be declined.

  • All process must be submitted in writing, unless applicable law specifically allows for an oral request. In such cases, we may ask for a written request after the fact.

  • All process must be on official letterhead and contain sufficient information to verify that the request has originated with an entity or individual authorized to make such request.

In the United States:

  • The Electronic Communications Privacy Act (“ECPA”) regulates how U.S. government agencies can use legal process to request user data from companies like Oath. We comply with ECPA when responding to requests for our users’ data that come from U.S. government agencies or foreign governments that obtain a U.S. legal process through diplomatic processes. We require adherence to the requirements of 18 U.S.C. § 2703 relating to the disclosure of basic subscriber information, content, and other customer records. All legal process submitted to us must be valid and comply with applicable substantive and procedural requirements for the issuance of that type of process.

  • A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of user data if a non-U.S. government agency is seeking the data.

  • Subpoenas are limited to non-content data such as basic subscriber information (including information captured at the time of registration, such as an alternate e-mail address, name, location, and IP address), login details, and billing information.

  • Court orders may be used to get additional non-content data, notably transactional information (e.g., “to,” “from,” and “date” fields from email headers).

  • Search warrants may be used to get content that users create, communicate, and store on or through our services. This could include, for example, words in an email or instant message, photos on Flickr, Yahoo Address Book or Calendar entries and similar kinds of information.

  • Our policy is to explicitly notify our users about third-party requests for their information prior to disclosure, and thereby provide them with an opportunity to challenge requests for their data. In some cases, we may be prohibited by law from doing so, such as when we receive a non-disclosure order pursuant to 18 U.S.C. § 2705(b). Additionally, in exceptional circumstances, such as imminent threats of physical harm to a person, we may elect to provide delayed notice. When the circumstance that prevented us from providing notice prior to disclosure is removed, e.g., the non-disclosure order expired or the threat has passed, we take steps to inform the affected user(s) that data was disclosed.

Does this Transparency Report include statistics regarding data requests received by Oath from non-government entities?

No. This Transparency Report only includes Government Data Requests. Oath requires non-government entities (e.g., private civil litigants) seeking user data to follow applicable legal process (e.g., obtaining a valid subpoena or court order) before disclosing any user data. When we receive valid legal process from non-government entities, we carefully review and narrowly interpret such requests in an effort to produce the least amount of data necessary to comply with the request. Except where prohibited by law, our policy is to explicitly notify our users about third-party requests for their information prior to disclosure, and thereby provide them with an opportunity to challenge requests for their data.

I received a notice from Oath that someone is requesting information related to my account. What does this mean?

This means that Oath received legal process (e.g., a subpoena or search warrant) requiring us to disclose information about your account. We sent you the notice because we respect your (and all users’) rights and privacy. It is our policy to explicitly notify users about third-party requests for their information prior to disclosure, and thereby provide users with an opportunity to challenge the request. In some cases, we may be prohibited by law from providing such notice, and in exceptional circumstances (e.g., imminent threats to life) we may elect not to provide notice. These email notices are designed to provide transparency that empowers you, the user, to challenge a request for data. As such, a notice from Oath or one of our brands will never ask for your personal information or require you to sign in to obtain more information. If you received an email notice purportedly from Oath that asks for this information, it is likely a scam. Do not provide the requested information. Instead, report it to us or flag it as a phishing scam.

What properties does this report cover?

This report covers government requests related to the various Oath brands (including Yahoo-branded properties, AOL, Flickr, and Tumblr). For the period prior to 2017, Yahoo (including Flickr), AOL, and Tumblr published separate reports. Archives of those reports can be found here.

Does this report include Government Removal Requests relating to content that violates Oath’s Terms of Service and Community Guidelines?

Yes. If we receive a Government Removal Request relating to content that allegedly violates our Terms of Service and Community Guidelines, we include it in this report. We only include in our numbers requests that we identify as being from a government agency, however. If a government agency used a Report Abuse link, for example, we wouldn’t be able to identify the party making the request to remove content and would not include that request in our statistics. We continue to work to track these requests.

My content was removed, and I disagree with Oath’s decision. How can I appeal this decision?

If you post content that violates our policies, you may receive a notification from us via email. You can request that Oath re-review its decision one time, by following the link provided within the notice, or contacting us through our Help Pages. Each appeal is reviewed by a member of Oath’s support team. For information about Oath’s policies regarding violations of copyright or trademark infringement, please see the Yahoo Copyright and Intellectual Property Policy and Tumblr’s Terms of Service.

Glossary

Content

Data that our users create, communicate, and store on or through our services. This could include words in a communication (e.g., Mail or Messenger), photos on Flickr, files uploaded, Yahoo Address Book entries, Yahoo Calendar event details, thoughts recorded in Yahoo Notepad or comments or posts on Yahoo Answers or any other Yahoo property.

Court order (18 U.S.C. § 2703(d))

A court order under 18 U.S.C. § 2703(d) of the Stored Communications Act, often known as a “D Order,” which is issued based on an intermediate standard that is less stringent than the probable cause standard for warrants but more demanding than the mere relevance standard required for subpoenas. D Orders are used to compel the disclosure of all forms of NCD.

Government Data Request

Legal process to Oath from a government agency seeking information about users and/or the activity of users within or on Oath products. The Government Data Requests reflected in this report are generally made in connection with criminal investigations, but also include those from government entities in connection with non-criminal matters.

Government Removal Request

Governments make requests to remove publicly-available content and/or information from Oath products, such as Flickr and Tumblr. These requests may be by court order or by a written request from a government official that we remove content from our services or review particular content to determine if it should be removed for violating a product's Community Guidelines or Terms of Service. We include in our numbers those requests that we identify as being from a government agency. If a government agency used a Report Abuse link, for example, we wouldn’t be able to identify the party reporting the request to remove content and we would not include that report in our statistics. Additionally, our policies and systems are set up to identify and remove child pornography whenever we become aware of it, regardless of whether that request comes from the government. As a result, we do not currently track which of those removals were requested by governments, and we haven't included those statistics here. We count requests to remove publicly-available content for other reasons (e.g., harassment, hate speech, impersonation).

Government Specified Accounts

The number of accounts or other identifiers listed in or about which information was disclosed in response to a Government Data Request. This number may not reflect the number of users and accounts actually involved because: 1) a single account may have been included in more than one Government Data Request; 2) an individual user may have multiple accounts that were specified in one or more Government Data Requests; 3) if a Government Data Request specified an account that does not exist, that nonexistent account would nevertheless be included in our count of Government Specified Accounts; and 4) if a Government Data Request demanded information about accounts that satisfy specified criteria (e.g., accounts registered under a particular proper name or accounts associated with a particular phone number) and we determined that it was appropriate to produce data in response to the request, we would report the total number of accounts about which information was produced to the government in connection with that Government Data Request.

No Data Found

Oath produced no data in response to the Government Data Request because no responsive data could be found (i.e., the account didn’t exist or there was no data for the date range specified by the request).

Non-Content Data (NCD)

Non-content data such as basic subscriber information (including the information captured at the time of registration, such as an alternate e-mail address, name, location, and IP address), login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from email headers).

Pen register/Trap and Trace

The Pen Register Statute (18 U.S.C. § 3121 et seq.) governs the use of so-called “pen registers” and “trap and trace devices” to capture prospective or “real-time” non-content information about a target’s communications, such as information indicating who the communication was to or from, the time it was transmitted, and the duration or size of the communication. Pen register orders are issued by courts upon a showing that the information likely to be obtained is relevant to a law enforcement investigation.

Rejected

Oath may have possessed data responsive to the Government Data Request, but none was produced because of a defect or other problem with the Government Data Request (e.g., the request only sought data that could not be lawfully obtained with the legal process provided). This category also includes Government Data Requests that were withdrawn after being received by Oath. We carefully review Government Data Requests for legal sufficiency and interpret them narrowly in an effort to produce the least amount of data necessary to comply with the request.

Search warrant

A search warrant is a court order that is issued based on a showing of probable cause, which means that there is “reasonable ground to suspect that a person has committed or is committing a crime or that a place contains specific items connected with a crime.” Search warrants are used to compel the disclosure of both Content and NCD.

Subpoena

A subpoena is a legal demand issued in a civil or criminal investigation without prior judicial review. Subpoenas are used to compel the disclosure of basic subscriber information, NCD that includes information captured at the time of registration (such as an alternate e-mail address, name, location, and IP address), login details, and billing information.

Title III

The Wiretap Act (18 U.S.C. § 2511 et seq.), sometimes known as “Title III,” governs the interception or collection of the content of a target’s prospective or “real-time” communications. A wiretap order is essentially a search warrant with more stringent administrative review requirements and use restrictions that limit the instances in which law enforcement may seek such an order.