Yahoo scanned incoming emails on behalf of US intelligence

In 2015, Yahoo created custom software for covertly scanning their customers’ incoming emails, and deployed it on behalf of a US intelligence agency, Reuters reported on Tuesday.

Reuters’ sources include three former employees and a fourth person apprised of the events,” and this is what they say:

• Yahoo received the request to build such a tool from a US intelligence agency – it’s unknown if it’s the FBI or the NSA – and to use it to search incoming emails for a specific “set of characters”.
• It is unknown if Yahoo found anything and whether they handed over any data.
• Yahoo CEO Marissa Mayer decided to comply with the request and asked the company’s email engineers to create the software, without informing the security team.
• Alex Stamos, who was the Yahoo CISO at the time, found out about the program a few weeks after it was deployed. After ascertaining that it was not the work of hackers and discovering that he was not consulted on a matter that affects users’ security, he resigned and accepted Facebook’s offer to become the company’s CSO. Apparently, he also pointed out that the software in question sported vulnerabilities that could be misused by hackers to access users’ stored emails.

Yahoo’s only comment regarding this report was that it is “a law abiding company, and complies with the laws of the United States.”

Who else did the same?

The report raised a few questions, such as which other US-based service providers received the same demand and complied with it?

Google stated that they’ve never received such a request and would not comply with it if they did. Microsoft said they have have never engaged in the secret scanning of email traffic like what has been reported about Yahoo, but declined to say whether they have been asked to so.

Twitter also said they’ve never received such a request, and if they ever do, they would challenge it in court.

Alex Stamos has declined to comment on the news.

Legal base for the request?

It is unknown which law the intelligence agency invoked to get access, but Cato Institute privacy researcher Julian Sanchez believes it’s likely that section 702 of the Foreign Intelligence Surveillance Act was used (it is the same one that was used to set up PRISM).

American Civil Liberties Union’s staff attorney Patrick Toomey categorized the request as “unprecedented and unconstitutional.”

“The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit,” he noted.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court. If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency.”

This is the first known instance of a US service provider providing access to all incoming messages in real-time. Previous requests were aimed at finding evidence in stored emails.

It’s also an indication that the US intelligence community has decided to fight widespread use of encryption by compelling US-based companies to “break” it for them.