Governance & Risk Management , Privacy

Report: Yahoo Complied with Government Spying Order

Expect Revelation to Revive Long-Running Surveillance Debate
Report: Yahoo Complied with Government Spying Order
Yahoo CEO Marissa Mayer reportedly authorized the email scanning program. Photo: Magnus Höij (Flickr/CC)

Yahoo complied with a classified U.S. government directive last year by building special software that could scan through hundreds of millions of email accounts for a slice of content of interest to intelligence officials, according to a Reuters report.

See Also: On Demand | 2024 Report Findings: Security & Productivity in the Age of AI

The report will no doubt rekindle debate over whether the U.S. government overstepped legal boundaries to collect electronic intelligence, and whether it has been unduly pressuring technology companies.

The decision to comply with the directive, reportedly made by Yahoo CEO Marissa Mayer, apparently roiled other company executives. The discovery of the software eventually triggered the resignation of CSO Alex Stamos in May 2015, who then became Facebook's CSO the next month, Reuters reports, citing former employees. It adds that insiders believe that either the FBI or the National Security Agency requested the email content interception.

According to the report, Yahoo's own security team independently discovered the software in May 2015, just weeks after it had been secretly installed. The team initially thought hackers had compromised the search giant's network. To make matters worse, the software contained a programming flaw that Stamos contended could have also allowed hackers to access the emails, Reuters says.

Yan Zhu, a senior security engineer who worked at Yahoo until November 2015, wrote on Twitter that the company "may be doomed but I'm still proud of my ex-coworkers on the security team for finding the backdoor quickly and eventually whistleblowing."

"It was a hard job," she wrote in a subsequent tweet. "I'm proud of both those who left over this and those who stayed so they could keep trying to protect 800 million Yahoo users."

Yahoo called the Reuters story "misleading," arguing that "the mail scanning described in the article does not exist in our systems," according to The Hill. And Adm. Michael Rogers, who heads the NSA, called the report "a little speculative" and said the NSA can't get a judge's approval to "blanket" search through "all email," according to the news report.

Surveillance Worries

If the report is accurate, the directive Yahoo received from the government breaks new ground, says the Electronic Frontier Foundation, a digital watchdog that has been critical of U.S. spy agency programs revealed by former NSA contractor Edward Snowden. In particular, it would mark the first public indication that a U.S.-based email provider was compelled to conduct real-time surveillance against its customers.

"It represents a new - and dangerous - expansion of the government's mass surveillance techniques," says EFF Senior Staff Attorney Mark Rumold via email. "This type of surveillance is unconstitutional, and it flies in the face of the Fourth Amendment's prohibition against unreasonable searches."

While the EFF believes the practice to be illegal, it's still unclear exactly what kind of order Yahoo received. Company officials could not be immediately reached for comment. Yahoo told other media outlets that it "complies with the laws of the United States," an oblique statement that was dimly received by some privacy watchers.

"Yahoo before: We fight any requests we deem improper or overbroad," writes Christopher Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, on Twitter. "Yahoo now: We follow the law. Ugh."

Other large technology companies, including Twitter, Apple, Facebook and Microsoft, denied scanning incoming content and said they had not received such a request from the government, The Wall Street Journal reports. Google says there's "no way" it would comply with such a request, while the others maintain that they would oppose any such request.

Just the Latest Bad News for Yahoo

The revelation couldn't come at a worse time for Yahoo.

Verizon announced in July it would acquire the company for $4.8 billion. The acquisition is still pending regulatory and legal reviews, which have been complicated in part by Yahoo's Sept. 22 disclosure of a breach in 2014 that compromised at least 500 million user accounts. Verizon did not learn of the breach until about two days before Yahoo publicly announced the incident, blaming state-sponsored attackers (see Massive Yahoo Data Breach Shatters Records).

The new revelation is also ironic because Yahoo fiercely resisted secret surveillance-related legal orders from the U.S. government in 2007 and 2008. The company maintained that supplying user information for the NSA surveillance program code-named PRISM - and its bulk data collection - violated the Constitution.

PRISM collected data from at least nine technology companies and was one of a number of bulk surveillance programs intended to more closely monitor possible terrorism threats. Intelligence agencies do not need a warrant to collect information about non-U.S. citizens under the Foreign Intelligence Surveillance Act and are supposed to minimize data collection of Americans.

Life After Snowden

But the Snowden leaks highlighted how various collection programs inadvertently scooped up information and metadata relating to U.S. citizens, a practice which should - in theory - have required a well-defined warrant approved by a court. Under the law at the time, technology companies were legally forced to comply with the orders, which came from the Foreign Intelligence Surveillance Court. Its decisions and proceedings are not public.

Given Yahoo's previous, related defeats, Mayer - who joined the company in 2012 - and other company executives complied with the email-scanning directive rather than trying to fight it, Reuters reports, adding that the decision upset many employees who thought the company could have successfully blocked the directive in court.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.