
#Yahoo Issues Takedown Notice for Spying Price List

 


Yahoo isn’t happy that a detailed menu of the spying services it provides law enforcement agencies has leaked onto the web.

Shortly after Threat Level reported this week that Yahoo had blocked the FOIA release of its law enforcement and intelligence price list, someone provided a copy of the company’s spying guide to the whistleblower site Cryptome.

The 17-page guide describes Yahoo’s data retention policies and the surveillance capabilities it can provide law enforcement, with a pricing list for these services. Cryptome also published lawful data-interception guides for Cox Communications, SBC, Cingular, Nextel, GTE and other telecoms and service providers.

But of all those companies, it appears to be Yahoo’s lawyers alone who have issued a DMCA takedown notice to Cryptome demanding the document be removed. Yahoo claims that publication of the document is a copyright violation, and gave Cryptome owner John Young a Thursday deadline for removing the document. So far, Young has refused.

Yahoo’s letter was sent on Wednesday, within hours of the posting of Yahoo’s Compliance Guide for Law Enforcement at Cryptome. In addition to copyright infringement, the letter accuses the site of revealing Yahoo’s trade secrets and engaging in “business interference.” According to the letter, disclosure of its surveillance services would help criminals evade surveillance.

The Compliance Guide reveals, for example, that Yahoo does not retain a copy of e-mails that an account holder sends unless that customer sets up the account to store those e-mails. Yahoo also cannot search for or produce deleted e-mails once they’ve been removed from a user’s trash file.

The guide also reveals that the company retains the IP addresses from which a user logs in for just one year. But the company’s logs of IP addresses used to register new accounts for the first time go back to 1999. The contents of accounts on Flickr, which Yahoo also owns, are purged as soon as a user deactivates the account.

Chats conducted through the company’s Web Messenger service may be saved on Yahoo’s server if one of the parties in the correspondence set up their account to archive chats. This pertains to the web-based version of the chat service, however. Yahoo does not have the content of chats for consumers who use the downloadable Web Messenger client on their computer.

Instant message logs are retained for 45 to 60 days and include an account holder’s friends list, and the dates and times the user communicated with them.

Young responded to Yahoo’s takedown request with a defiant note:

I cannot find at the Copyright Office a grant of copyright for the Yahoo spying document hosted on Cryptome. To assure readers Yahoo’s copyright claim is valid and not another hoary bluff without substantiation so common under DMCA bombast please send a copy of the copyright grant for publication on Cryptome.

Until Yahoo provides proof of copyright, the document will remain available to the public for it provides information that is in the public interest about Yahoo’s contradictory privacy policy and should remain a topic of public debate on ISP unacknowledged spying complicity with officials for lucrative fees.

—–

Note: Yahoo’s exclamation point is surely trademarked so omitted here.

The company responded that a copyright notice is optional for works created after March 1, 1989 and repeated its demand for removal on Thursday. For now, the document remains on the Cryptome site.

Threat Level reported Tuesday that muckraker and Indiana University graduate student Christopher Soghoian had asked all agencies within the Department of Justice, under a Freedom of Information Act (FOIA) request, to provide him with a copy of the pricing list supplied by telecoms and internet service providers for the surveillance services they offer government agencies. But before the agencies could provide the data, Verizon and Yahoo intervened and filed an objection on grounds that the information was proprietary and that the companies would be ridiculed and publicly shamed were their surveillance price sheets made public.

Yahoo wrote in its objection letter that if its pricing information were disclosed to Soghoian, he would use it “to ‘shame’ Yahoo! and other companies — and to ‘shock’ their customers.”

“Therefore, release of Yahoo!’s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies,” the company added.

The price list that Yahoo tried to prevent the government from releasing to Soghoian appears in one small paragraph in the 17-page leaked document. According to this list, Yahoo charges the government about $30 to $40 for the contents, including e-mail, of a subscriber’s account. It charges $40 to $80 for the contents of a Yahoo group.

 

#Yahoo, #Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers

 

Want to know how much phone companies and internet service providers charge to funnel your private communications or records to U.S. law enforcement and spy agencies?

That’s the question muckraker and Indiana University graduate student Christopher Soghoian asked all agencies within the Department of Justice, under a Freedom of Information Act (FOIA) request filed a few months ago. But before the agencies could provide the data, Verizon and Yahoo intervened and filed an objection on grounds that, among other things, they would be ridiculed and publicly shamed were their surveillance price sheets made public.

Yahoo writes in its 12-page objection letter (.pdf) that if its pricing information were disclosed to Soghoian, he would use it “to ‘shame’ Yahoo! and other companies — and to ‘shock’ their customers.”

“Therefore, release of Yahoo!’s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies,” the company writes.

Verizon took a different stance. It objected to the release (.pdf) of its Law Enforcement Legal Compliance Guide because it might “confuse” customers and lead them to think that records and surveillance capabilities available only to law enforcement would be available to them as well — resulting in a flood of customer calls to the company asking for trap and trace orders.

“Customers may see a listing of records, information or assistance that is available only to law enforcement,” Verizon writes in its letter, “but call in to Verizon and seek those same services. Such calls would stretch limited resources, especially those that are reserved only for law enforcement emergencies.”

Other customers, upon seeing the types of surveillance law enforcement can do, might “become unnecessarily afraid that their lines have been tapped or call Verizon to ask if their lines are tapped (a question we cannot answer).”

Verizon does disclose a little tidbit in its letter, saying that the company receives “tens of thousands” of requests annually for customer records and information from law enforcement agencies.

Soghoian filed his records request to discover how much law enforcement agencies — and thus U.S. taxpayers — are paying for spy documents and surveillance services with the aim of trying to deduce from this how often such requests are being made. Soghoian explained his theory on his blog, Slight Paranoia:

In the summer of 2009, I decided to try and follow the money trail in order to determine how often Internet firms were disclosing their customers’ private information to the government. I theorized that if I could obtain the price lists of each ISP, detailing the price for each kind of service, and invoices paid by the various parts of the Federal government, then I might be able to reverse engineer some approximate statistics. In order to obtain these documents, I filed Freedom of Information Act requests with every part of the Department of Justice that I could think of.

The first DoJ agency to respond to his request was the U.S. Marshals Service (USMS), which indicated that it had price lists available for Cox Communications, Comcast, Yahoo and Verizon. But because the companies voluntarily provided the price lists to the government, the FOIA allows the companies an opportunity to object to the disclosure of their data under various exemptions. Comcast and Cox were fine with the disclosure, Soghoian reported.

He found that Cox Communications charges $2,500 to fulfill a pen register/trap-and-trace order for 60 days, and $2,000 for each additional 60-day interval. It charges $3,500 for the first 30 days of a wiretap, and $2,500 for each additional 30 days. Thirty days’ worth of a customer’s call detail records costs $40.

Comcast’s pricing list, which was already leaked to the internet in 2007, indicated that it charges at least $1,000 for the first month of a wiretap, and $750 per month thereafter.

But Verizon and Yahoo took offense at the request.

Yahoo objected on grounds that its pricing constituted “confidential commercial information” and cited Exemption 4 of the Freedom of Information Act and the Trade Secrets Act.

Exemption 4 of the FOIA refers to the disclosure of commercial or financial information that could result in a competitive disadvantage to the company if it were publicly disclosed. The company claims its pricing is derived from labor rates for employees and overhead and, therefore, disclosing the information would provide clues to its operating costs — regardless of whether these same clues are already available in public records, such as those the company files with the Securities and Exchange Commission. The company also claims that since Soghoian is trying to determine the actual amounts the Marshals Service paid Yahoo for responding to requests, the price lists are irrelevant, since “there are no standard prices for these transactions.”

But equally important to Yahoo’s objections was the potential for “criticism” and ridicule. Yahoo quoted Soghoian on his blog writing that his aim was to “use this blog to shame the corporations that continue to do harm to user online privacy.”

Yahoo also objected to the disclosure of its letter objecting to the disclosure of pricing information, saying that “release of this letter would likely cause substantial competitive harm” to the company. The company added, in a veiled threat, that if the Marshals Service were to show anyone its letter objecting to the disclosure of pricing information, it could “impair the government’s ability to obtain information necessary for making appropriate decisions with regard to future FOIA requests.”

If anyone out there has a copy of Verizon or Yahoo’s law enforcement pricing list and wants to share it, feel free to use our anonymous tip address.

 
