The Mercury News
Yahoo scanned users’ emails for U.S., report says
Internet giant complied with federal request to search all incoming messages
In a revelation that could damage the already fragile trust between the struggling tech firm and its users, Yahoo reportedly created secret software last year to search all of its customers’ incoming emails for information requested by U.S. intelligence officials.
Reuters, citing two former employees and another person familiar with the matter, reported that the Sunnyvale tech firm agreed to a classified U.S. government directive from the National Security Agency or FBI. Sources told the news outlet that intelligence officials wanted the company to search for “a set of characters,” but didn’t know what information they were seeking.
Yahoo neither confirmed nor denied reports that it scanned hundreds of millions of Yahoo Mail accounts at the request of the government.
“Yahoo is a law-abiding company and complies with the laws of the United States,” the company said in a statement emailed to this newspaper.
But the reports surfaced less than two weeks after Yahoo said data from at least 500 million accounts may have been stolen in 2014 in one of the largest cybersecurity breaches ever. The reports also highlight the challenges tech firms face as they try to balance helping law enforcement catch criminals with protecting users’ privacy, cybersecurity experts say.
“On the heels of the Yahoo security breach, they sound really negligent and that they’re backstabbing customers,” said Avivah Litan, a Gartner analyst who covers cybersecurity and fraud. “But most companies that host millions of individuals with potential terrorists and bad actors use automated software to scan email content.”
Yahoo was among the major internet companies linked to Prism, the NSA’s clandestine data-collection program whose existence was leaked in 2013 by former agency contractor Edward Snowden, who on Tuesday took to Twitter to encourage Yahoo users to delete their accounts.
Some security experts and civil liberties groups argued that if the reports are true, Yahoo went too far, adding that such a collaboration with government could be unconstitutional.
“There’s still much that we don’t know at this point, but if the report is accurate, it represents a new and dangerous expansion of the government’s mass surveillance techniques,” Mark Rumold, senior staff attorney for the Electronic Frontier Foundation, said in a statement. “This is the first public indication that a U.S.-based email service provider was compelled to conduct surveillance against all its customers in real time.”
The groups said the reported surveillance flies in the face of the Fourth Amendment, which protects citizens against unreasonable search and seizure, and that the company should have done more to challenge the government’s request. The NSA and FBI did not immediately return calls or emails.
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.
On Tuesday, some of the world’s largest tech companies swiftly denied that they ever engaged in behavior similar to what Yahoo reportedly did in 2015.
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” Microsoft said in a statement.
Google also said in a statement that it never received such a request from U.S. intelligence officials but if it had, the company’s response “would be simple: No way.”
Earlier this year, Apple drew a line in the sand when it refused to create software to break into an encrypted iPhone used by a gunman in the 2015 San Bernardino terrorist attack. Apple CEO Tim Cook said in interviews that it would be the “software equivalent of cancer.”
But unlike Apple, Yahoo has been facing financial struggles and agreed this year to be acquired by Verizon for $4.83 billion.
Some investors have raised concerns about whether the tech firm’s security blunders will prevent its deal with Verizon from closing. Verizon declined to comment.
“It’s really a matter of financial prowess and the personal passion of a CEO,” Litan said.
Yahoo CEO Marissa Mayer’s decision to obey the government request apparently troubled some of the company’s employees, including former Chief Information Security Officer Alex Stamos, who left in June 2015 to join Facebook, Reuters reported. A Facebook spokesman said Stamos isn’t commenting on his departure, but the social media giant has never received a request like the one described by Reuters and would “fight it” if it did.
Mayer and other Yahoo executives didn’t think they could successfully challenge the directive, Reuters reported, but some experts said the tech firm could have fought it based on the breadth of the demand. The Foreign Intelligence Surveillance Act gives intelligence agencies the authority to request that U.S. phone and internet firms provide customer data in an attempt to prevent a terrorist attack, among other reasons.
Nonetheless, Yahoo’s actions are yet another reminder to consumers that their messages might not be as secure or private as they think. In 2015, Yahoo received 29,354 government data requests and disclosed content for 2,962 of those requests, global data from its government transparency reports show.
“The lesson for consumers is you’ve really got to be careful about which providers you use if you’re worried about security and privacy,” Litan said.