
Yahoo Partnered With Government To Scan Your Emails

Andrew Orr In the News

In shocking news, it turns out that last year, Yahoo built a piece of software that let them scan their users’ email in real time.


National Security

Yahoo complied with a classified order from the U.S. government. They scanned hundreds of millions of Yahoo Mail accounts for the NSA or FBI. Usually, the NSA makes requests for domestic surveillance through the FBI. According to surveillance experts, this marks the first time an American internet company colluded with the government to such an extent. Yahoo scanned all incoming messages, instead of stored messages.

It’s not clear exactly what the company looked for, except that it searched for a particular set of characters. This could mean anything from an email signature to a phrase or an attachment. We also don’t know if Yahoo actually handed any data over to the government, or if the NSA approached other email providers.

According to two unnamed Yahoo employees, CEO Marissa Mayer’s decision to obey the government order angered senior executives of the company. The move even caused Alex Stamos – former Chief Information Officer of Yahoo – to resign. He now works at Facebook.

In a statement to Reuters, Yahoo said,

“Yahoo is a law abiding company, and complies with the laws of the United States…”

Image credit: Pixabay


Email Security

It’s common for phone and internet companies in the United States to give bulk customer data to government agencies. But certain former government officials, as well as private surveillance experts, say that they have never seen such a big demand for data collection before. This also seems to be the first time that a company created a unique program to carry out this collecting.

It’s likely that either the NSA or FBI approached other internet companies too. It seems that the government didn’t know which email service the target used. Albert Gidari, a lawyer who represents phone and internet companies, said,

“I’ve never seen that, a wiretap in real time on a ‘selector’. It would be really difficult for a provider to do that.”

A selector is a type of search term that a company uses to find accurate information. In contrast, both Google and Microsoft said that neither company carried out this email search. A Google spokesperson said, “We’ve never received such a request, but if we did, our response would be simple: ‘No way.’”

A Microsoft spokesperson said, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” However, Microsoft refused to say whether the company received such a request.

Legal Security

Under certain laws, like the 2008 amendments to the Foreign Intelligence Surveillance Act (FISA), intelligence agencies can ask U.S. phone/internet companies to give them customer data. The government uses this data to help foreign intelligence-gathering efforts. Information from Edward Snowden and others revealed how much electronic surveillance takes place.

Private companies, including Yahoo, have in the past challenged classified surveillance before the Foreign Intelligence Surveillance Court, which is a secret tribunal. FISA experts say that Yahoo could have tried to fight the government order on at least two grounds:

  • The broad span of the directive
  • The necessity of writing a unique program to search emails

Earlier this year, we saw how Apple resisted the FBI’s demand for specialized software to break iOS encryption. Eventually, the FBI gave up and purchased a hacking tool from a third party company. There isn’t a legal precedent for this yet.

Patrick Toomey, an attorney with the American Civil Liberties Union (ACLU), released a statement:

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court.”

Other FISA experts defended Yahoo’s decision to obey. They said nothing prevented FISA from ordering a search for a specific phrase, instead of a specific account. Phone carriers that perform this kind of bulk collection are doing so legally. The same logic, the experts argue, can also apply to email.

Image credit: Pixabay


Information Security

But if tech companies take encryption more seriously, it’s probable that the government will send them more requests. Former NSA General Counsel Stewart Baker said that email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”

Apparently, the main reason Yahoo executives agreed to the demand was that they thought they would lose. In 2007, Yahoo fought a FISA request ordering the company to conduct searches on specific email accounts. This happened without a warrant. Although the case is sealed, a partially redacted piece showed that Yahoo’s challenge wasn’t successful.

Employees were upset that Marissa Mayer and Yahoo General Counsel Ron Bell didn’t involve the company’s legal team. Instead, they went straight to the engineers to write the spy program. However, the security team discovered the program within weeks of its installation. At first, they thought it was the work of hackers.

When Alex Stamos, head of the security team, found out that Marissa Mayer ordered the program, he resigned. He told his subordinates that he wasn’t part of a decision that hurt users’ security. Stamos didn’t mention the reason why he quit when he joined Facebook.

Prevention

Ultimately, you can try to prevent governments and companies from scanning your emails. Using an email provider like ProtonMail, a Swiss-based company that offers end-to-end encryption of your emails, makes your data much safer.


Do you have a Yahoo account? Are you still using it? Let us know in the comments.