The Mercury News

Yahoo scanned users’ emails for U.S., report says

Internet giant complied with federal request to search all incoming messages

- By Queenie Wong qwong@bayareanew­

In a revelation that could damage the already fragile trust between the struggling tech firm and its users, Yahoo reportedly created secret software last year to search all of its customers’ incoming emails for informatio­n requested by U.S. intelligen­ce officials.

Reuters, citing two former employees and another per-

son familiar with the matter, reported that the Sunnyvale tech firm agreed to a classified U.S. government directive from the National Security Agency or FBI. Sources told the news outlet that intelligen­ce officials wanted the company to search for “a set of characters,” but didn’t know what informatio­n they were seeking.

Yahoo neither confirmed nor denied reports that it scanned hundreds of millions of Yahoo Mail accounts at the request of the government.

“Yahoo is a law-abiding company and complies with the laws of the United States,” the company said in a statement emailed to this newspaper.

But the reports surfaced less than two weeks after Yahoo said data from at least 500 million accounts may have been stolen in 2014 in one of the largest cybersecur­ity breaches ever. It also highlights the challenges tech firms face as they try to balance helping law enforcemen­t catch criminals with protecting users’ privacy, cybersecur­ity experts say.

“On the heels of the Yahoo security breach, they sound really negligent and that they’re backstabbi­ng customers,” said Avivah Litan, a Gartner analyst who covers cybersecur­ity and fraud. “But most companies that host millions of individual­s with potential terrorists and bad actors use automated software to scan email content.”

Yahoo was among the major internet companies linked to Prism, the NSA’s clandestin­e data-collection program whose existence was leaked in 2013 by former agency contractor Edward Snowden, who on Tuesday took to Twitter to encourage Yahoo users to delete their accounts.

Some security experts and civil liberties groups argued that if the reports are true, Yahoo went too far, adding that such a collaborat­ion with government could be unconstitu­tional.

“There’s still much that we don’t know at this point, but if the report is accurate, it represents a new and dangerous expansion of the government’s mass surveillan­ce techniques,” Mark Rumold, senior staff attorney for the Electronic Frontier Foundation, said in a statement. “This is the first public indication that a U.S.-based email service provider was compelled to conduct surveillan­ce against all its customers in real time.”

The groups said the reported surveillan­ce flies in the face of the Fourth Amendment, which protects citizens against unreasonab­le search and seizure, and that the company should have done more to challenge the government’s request. The NSA and FBI did not immediatel­y return calls or emails.

“It is deeply disappoint­ing that Yahoo declined to challenge this sweeping surveillan­ce order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

On Tuesday, some of the world’s largest tech companies swiftly denied that they ever engaged in behavior similar to what Yahoo reportedly did in 2015.

“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” Microsoft said in a statement.

Google also said in a statement that it never received such a request from U.S. intelligen­ce officials but if it had, the company’s response “would be simple: No way.”

Earlier this year, Apple drew a line in the sand when it refused to create software to break into an encrypted iPhone used by a gunman in the 2015 San Bernardino terrorist attack. Apple CEO Tim Cook said in interviews that it would be the “software equivalent of cancer.”

But unlike Apple, Yahoo has been facing financial struggles and agreed this year to be acquired by Verizon for $4.83 billion.

Some investors have raised concerns about whether the tech firm’s security blunders will prevent its deal with Verizon from closing. Verizon declined to comment.

“It’s really a matter of financial prowess and the personal passion of a CEO,” Litan said.

Yahoo CEO Marissa Mayer’s decision to obey the government request apparently troubled some of the company’s employees, including former Chief Informatio­n Security Officer Alex Stamos, who left in June 2015 to join Facebook, Reuters reported. A Facebook spokesman said Stamos isn’t commenting on his departure, but the social media giant has never received a request like the one described by Reuters and would “fight it” if it did.

Mayer and other Yahoo executives didn’t think they could successful­ly challenge the directive, Reuters reported, but some experts said the tech firm could have fought it based on the breadth of the demand. The Foreign Intelligen­ce Surveillan­ce Act gives intelligen­ce agencies the authority to request that U.S. phone and internet firms provide customer data in an attempt to prevent a terrorist attack, among other reasons.

Nonetheles­s, Yahoo’s actions are yet another reminder to consumers that their messages might not be as secure or private as they think. In 2015, Yahoo received 29,354 government data requests and disclosed content for 2,962 of those requests, global data from its government transparen­cy reports show.

“The lesson for consumers is you’ve really got to be careful about which providers you use if you’re worried about security and privacy,” Litan said.

 ??  ?? Mayer CEO’s decision to OK monitoring reportedly troubled some employees.
Mayer CEO’s decision to OK monitoring reportedly troubled some employees.
 ??  ?? Snowden

Newspapers in English

Newspapers from United States