Report: Yahoo secretly scanned emails for US government

After a massive security breach two years ago, a new report says Yahoo complied with NSA surveillance demands to screen its users.

Denis Balibouse/Reuters/File
The Yahoo logo as seen in front of a building in Rolle, Switzerland. A new report says the company complied with US government demands to screen millions of emails.

Yahoo’s compliance in 2015 with a demand to scan hundreds of millions of emails is the first known case of a US internet company agreeing to a spy agency’s request to search all incoming messages.

In response to a classified edict from the National Security Agency (NSA) or FBI, Yahoo built a custom software program to search all incoming messages for a set of characters, which could have been a phrase in an email or an attachment, three former employees and a fourth person aware of the events told Reuters in a story that broke Tuesday.

US phone and internet companies are known to have handed over bulk customer data to intelligence agencies. But companies that offer email or messaging services, including Yahoo, have previously fought other government orders in court or said they would have if they were faced with such a request. In this case, however, it appears Yahoo acted differently, apparently because its leadership didn’t think it could win.

Yahoo ultimately decided to comply rather than fight the order in front of the Foreign Intelligence Surveillance Court, a secret tribunal, people familiar with the matter told Reuters. In 2007, Yahoo fought a demand to conduct searches on specific email accounts without a court-approved warrant. A partially redacted published opinion shows Yahoo’s challenge was unsuccessful at the time.

In 2015, responding to a classified edict from intelligence officials or law enforcement to Yahoo’s legal team, company leadership instructed its engineers to build a custom software program to search all incoming messages for a string of letters, numbers, or characters in the text of an email or an attachment. It was not known what information intelligence officials were looking for.

Under US laws, including 2008 amendments to the Foreign Intelligence Surveillance Act (FISA), intelligence agencies can ask US phone and internet companies to provide customer data to aid foreign-intelligence gathering for reasons that include prevention of terrorist attacks.

“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to questions from Reuters about the demands.

But some civil liberty and security experts disagreed with Yahoo’s actions.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

Mr. Toomey called Yahoo’s actions “unprecedented and unconstitutional.”

The decision by Yahoo Chief Executive Marissa Mayer to build a custom program also upset some employees, including Alex Stamos, Yahoo’s former information security officer. Mr. Stamos, who now holds the top security job at Facebook, resigned shortly after his team found the custom program in May 2015. The team initially thought hackers had broken in.

Stamos later told his subordinates he had been left out of a decision that hurt users’ security, the sources told Reuters. He told them that a programming flaw could have allowed hackers to access stored emails.

It’s unknown whether other US phone and internet companies have received similar orders. While Reuters reported it was likely, several email providers and other companies told the Associated Press they have not received such requests. And many of them said they would fight it if they had.

Google, the world’s largest email service, said it hadn’t received a similar spying request from the US government, but if it had its response would have been “no way.”

Microsoft, whose email service is larger than Yahoo’s, said it has never secretly scanned emails.

Twitter, which doesn’t have an email service, but offers users private, direct messages, said it hadn’t received a similar request. If it had, it would fight it in court.

Facebook also said it would fight such a request should it receive one.

The news about Yahoo comes just weeks after it was announced Yahoo was the victim of the largest breach of an email provider ever. Sometime in late 2014, state-sponsored hackers stole the names, email addresses, phone numbers, birth dates, passwords and security questions of 500 million user accounts.

“[It] raises worrisome questions about the continued vulnerability of America’s digital networks to increasingly sophisticated adversaries,” writes the Christian Science Monitor’s Jaikumar Vijayan. “Many of the username and password combinations may not work or lead nowhere. But some of them will lead to sensitive information, as users tend to reuse login credentials.”  

This report contains material from the Associated Press and Reuters. 
