Yahoo’s compliance in 2015 with a demand to scan hundreds of millions of emails is the first known case of a US internet company agreeing to a spy agency’s request to search all incoming messages.
In response to a classified edict from the National Security Agency (NSA) or FBI, Yahoo built a custom software program to search all incoming messages for a set of characters, which could have been a phrase in an email or an attachment, three former employees and a fourth person aware of the events told Reuters in a story that broke Tuesday.
US phone and internet companies are known to have handed over bulk customer data to intelligence agencies. But companies that offer email or messaging services, including Yahoo, have previously fought other government orders in court or said they would have if they were faced with such a request. In this case, however, it appears Yahoo acted differently, apparently because its leadership didn’t think it could win.
Yahoo ultimately decided to comply rather than fight the order in front of the Foreign Intelligence Surveillance Court, a secret tribunal, people familiar with the matter told Reuters. In 2007, Yahoo fought a demand to conduct searches on specific email accounts without a court-approved warrant. A partially redacted published opinion shows Yahoo’s challenge was unsuccessful at the time.
In 2015, responding to a classified edict from intelligence officials or law enforcement to Yahoo’s legal team, company leadership instructed its engineers to build a custom software program to search all incoming messages for a string of letters, numbers, or characters in the text of an email or an attachment. It was not known what information intelligence officials were looking for.
Under US laws, including 2008 amendments to the Foreign Intelligence Surveillance Act (FISA), intelligence agencies can ask US phone and internet companies to provide customer data to aid foreign-intelligence gathering for reasons that include prevention of terrorist attacks.
“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to questions from Reuters about the demands.
But some civil liberty and security experts disagreed with Yahoo’s actions.
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.
Mr. Toomey called Yahoo’s actions “unprecedented and unconstitutional.”
The decision by Yahoo Chief Executive Marissa Mayer to build a custom program also upset some employees, including Alex Stamos, Yahoo’s former information security officer. Mr. Stamos, who now holds the top security job at Facebook, resigned shortly after his team found the custom program in May 2015. The team initially thought hackers had broken in.
Stamos later told his subordinates he had been left out of a decision that hurt users’ security, the sources told Reuters. He told them that a programming flaw could have allowed hackers to access stored emails.
It’s unknown whether other US phone and internet companies have received similar orders. While Reuters reported it was likely, several email providers and other companies told the Associated Press they have not received such requests. And many of them said they would fight it if they had.
Google, the world’s largest email service, said it hadn’t received a similar spying request from the US government, but if it had, its response would have been “no way.”
Microsoft, whose email service is larger than Yahoo’s, said it has never secretly scanned emails.
Twitter, which doesn’t have an email service, but offers users private, direct messages, said it hadn’t received a similar request. If it had, it would fight it in court.
Facebook also said it would fight such a request should it receive one.
The news about Yahoo comes just weeks after it was announced Yahoo was the victim of the largest breach of an email provider ever. Sometime in late 2014, state-sponsored hackers stole the names, email addresses, phone numbers, birth dates, passwords and security questions of 500 million user accounts.
“[It] raises worrisome questions about the continued vulnerability of America’s digital networks to increasingly sophisticated adversaries,” writes the Christian Science Monitor’s Jaikumar Vijayan. “Many of the username and password combinations may not work or lead nowhere. But some of them will lead to sensitive information, as users tend to reuse login credentials.”
This report contains material from the Associated Press and Reuters.