How 'Deleted' Yahoo Emails Led to a 20-Year Drug Trafficking Conviction

Yahoo has provided statements from staff and other information explaining what happened, but the defense says it’s not enough.

Jun 21 2016, 1:15pm


In 2009, Russell Knaggs, from Yorkshire, England, orchestrated a plan to import five tonnes of cocaine from South America hidden in boxes of fruit. Somehow, he did this all from the cell of a UK prison, while serving a 16-year sentence for another drug crime.

As part of the plan, a collaborator in Colombia would log into a Yahoo email account and write a message as a draft. Another accomplice in Europe would read the message, delete it, and then write his own. The point of this was to avoid creating any emails that could be found by law enforcement.

Knaggs didn't use the email account himself, but when Yahoo provided copies of the inbox contents to the authorities, he was convicted and sentenced to another 20 years in prison. The emails certainly aren't the only pieces of evidence used to bust Knaggs (the plot was foiled after officers found a piece of paper with transfer routes and other details during a cell search), but they are the evidence that the defense is scrutinizing.

In its law enforcement guide, Yahoo says it "is not able to search for or produce deleted emails." But Knaggs' lawyers claim that Yahoo did just that, handing over six months' worth of erased communications, leading them to say something might be afoot: at minimum, that Yahoo has not been forthcoming about how the emails were obtained, or that perhaps—speculatively—they came from an NSA surveillance program.

Yahoo, meanwhile, says that the emails handed over to law enforcement were obtained because of the company's "auto-save" feature. Although the existence of this feature isn't a revelation, it's unlikely many users are aware that different versions of their draft emails are stored on Yahoo's servers and are available for recovery by law enforcement, even if the user deletes their final draft.

A section of Yahoo's recent filing. Yahoo says that auto-save drafts are available for preservation if they have not yet been purged from its servers.

In November of last year, Knaggs' team filed discovery orders with Yahoo in the US in an attempt to get more information about how the allegedly deleted emails were recovered, including documentation on how Yahoo Mail works, and to arrange depositions of Yahoo employees. Yahoo has provided statements from staff and other information explaining what happened, but the defense says it's not enough.

According to a written statement from Michele Lai, a custodian of records and the operations manager of the US Law Enforcement Response Team for Yahoo, the company received two requests from law enforcement in Knaggs' case. One was a preservation request from UK police, received in September 2009. The other was a search warrant in April 2010. These requests resulted in four snapshots being taken: two containing email account contents, and another two containing only email headers, and these all related to the account "slimjim25@ymail.com," the address used by the collaborators.

A snapshot is a copy of an email account's contents at the time. It is not retroactive, so a snapshot can't reveal properly deleted emails, and it's not proactive either, so it can't obtain any new emails that are written after the request.

"If a user deletes a communication from his or her account, the communication becomes inaccessible to the proprietary tools Yahoo uses to gather communications data in response to preservation requests and search warrants," Lai's statement reads.


According to Sukhdev Thumber, a solicitor representing Knaggs in the UK proceedings, in most communications the conspirators removed emails from both the 'draft' and the 'trash' folder. But sometimes they would simply remove the text in a draft with the backspace key, rather than deleting the email itself.

Based on the premise that the majority of the emails were properly deleted, the defense posits there was, "Some sort of bulk-data gathering, live monitoring, interception, continuous monitoring of the account which has allowed this data to be produced," Thumber told Motherboard.

Yahoo's explanation is that the mail service's auto-save function, which periodically saves data in case of an interruption in connectivity, recorded the emails that were eventually handed over to law enforcement.

"Because auto-save drafts remain on the Yahoo Mail server for some time after the draft message is removed from the user's view of his mailbox, multiple drafts of a single email could remain on the Yahoo mail server, and accessible to Yahoo's snapshot tool, even though the user had deleted the final draft," Yahoo wrote in a filing earlier this month. (Emphasis theirs.) In other words, even if a user has deleted their draft, auto-saves of the message could still be present on Yahoo's servers and just not visible to the user, according to the company.

A section of Yahoo's recent filing, in which the company writes that drafts of an email can remain on Yahoo's servers even though the user deleted the final draft.

It's not clear how long these auto-saves are kept by Yahoo—the filing adds that the auto-saves can be available for preservation before they have been purged from the company's servers by its proprietary processes, but doesn't say when that actually happens. Yahoo declined multiple requests for comment.
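The retention behaviour described in the filing can be modelled in a few lines. The following is an added example, not Yahoo's code or anything from the filing: the `DraftStore` class, its method names, the tick-based clock and the retention value of 10 are all hypothetical, chosen only to show how a point-in-time snapshot can contain auto-saved versions the user no longer sees, and why it contains nothing written later or already purged.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Version:
    draft_id: int
    text: str
    hidden_at: Optional[int] = None   # tick at which it left the user's view

@dataclass
class DraftStore:
    retention: int                    # assumed: ticks a hidden version survives
    clock: int = 0
    versions: list = field(default_factory=list)

    def _hide(self, draft_id):
        for v in self.versions:
            if v.draft_id == draft_id and v.hidden_at is None:
                v.hidden_at = self.clock

    def autosave(self, draft_id, text):
        self.clock += 1
        self._hide(draft_id)          # superseded auto-save stays on the server
        self.versions.append(Version(draft_id, text))

    def user_delete(self, draft_id):
        self.clock += 1
        self._hide(draft_id)          # gone from the mailbox view, not from storage

    def purge(self):                  # background job; real timing is not on the page
        self.versions = [v for v in self.versions if v.hidden_at is None
                         or self.clock - v.hidden_at < self.retention]

    def user_view(self):
        return [v.text for v in self.versions if v.hidden_at is None]

    def snapshot(self):               # point-in-time copy of what is still stored
        return [v.text for v in self.versions]

def demo():
    store = DraftStore(retention=10)
    for text in ("hello", "hello, see you Friday", ""):  # constructed; "" = backspaced
        store.autosave(1, text)
    store.user_delete(1)
    seen, early = store.user_view(), store.snapshot()
    store.autosave(2, "written after the snapshot")
    store.clock += 10                 # time passes, then the purge job runs
    store.purge()
    return seen, early, store.snapshot()
```

For anyone designing or auditing a mail service, the gap between `user_view()` and `snapshot()` is the retention window that a privacy policy or data-retention schedule needs to state.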

"Although automatic saving of draft emails is intended to be a feature for the user's benefit, and no doubt helps people in many cases, there are edge cases that can lead to surprises, essentially where the actions of the company clash with user expectations and privacy," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call.

The defense, however, is not satisfied with Yahoo's explanation. Carlos Colorado, a US-based attorney representing Knaggs, told Motherboard in an email, "If Yahoo! has nothing to hide, it should agree to our reasonable request for a deposition. A deposition would be far less burdensome than the painstaking and laborious path we have been pursuing at Yahoo!'s insistence for the past six months and it is the preferred method of taking discovery in international proceedings."

In court filings, Yahoo has described the request for a deposition and documents as a "baseless fishing expedition."

The original investigation into Knaggs was carried out by the UK's Serious Organised Crime Agency (SOCA), which has since been transformed into the National Crime Agency (NCA). An NCA spokesperson told Motherboard in an email, "We are vigorously defending this claim against our precursor agency SOCA. We believe that all activity was conducted in accordance with UK and international law in addition to human rights obligations. It would be inappropriate to comment further while legal proceedings are ongoing."

Knaggs' defense is expected to file a reply to Yahoo's latest filing shortly.