Yahoo is being accused of helping U.S. officials perform a broad sweep of all of its users’ email accounts. In an exclusive report, Reuters states that last year, the internet company built a secret custom software program to search all emails coming into the accounts of its users. The media outlet cites unnamed sources familiar with the matter.
Yahoo said to comply with classified order
According to Reuters’ sources, two of whom are former employees and a third of whom knew of the situation, Yahoo was complying with a classified directive from either the FBI or the National Security Agency. Intelligence officials reportedly ordered the company to scan hundreds of millions of email accounts in real time. It’s unclear exactly what they were looking for, other than that they ordered Yahoo to look for a certain character set, which might mean a phrase or an attachment.
Reuters said it could not determine what, if any, data the company might have given to officials in the case. The media outlet was also unable to determine if the intelligence agencies had gone to any other internet companies with the same request.
Fallout from Yahoo’s decision
The former Yahoo employees told Reuters that Yahoo CEO Marissa Mayer decided to bey the order, which angered some high-level executives. The issue also resulted in the departure of Alex Stamos, the company’s chief information security officer at the time, in June 2015. Stamos now heads up security at Facebook. Yahoo said in a statement sent to the media outlet that it abides by the law, but it did not comment on the report any further.
The order to search hundreds of millions of Yahoo Mail accounts was in a classified directive that was sent to the company’s legal department.
An unusual request sent to Yahoo
Some surveillance experts told Reuters that this is the first case in which a U.S. internet company complied with a spy agency’s demand to search all incoming messages rather than looking at messages that it was storing or just scanning a relatively small number of email accounts in real time. Experts emphasized that this order sounds different than any other directives that have been uncovered before.
While some internet and phone companies in the U.S. have given intelligence officials access to bulk data belonging to their customers, experts and former government officials are not aware of such a broad order for real-time collection of internet data. They had also not ever heard of an order that required a company to create a new piece of custom software.
U.S. agencies still conducting broad searches
Experts believe the FBI or NSA must have gone to other internet companies with the same directive because the broad nature of it demonstrates that they had no idea which email addresses were being used. Because the NSA requests domestic surveillance through the FBI, it’s unclear which of the two agencies is the actual source of the directive.
Since former NSA contractor Edward Snowden revealed the NSA’s massive electronic surveillance schemes, U.S. agencies have scaled back some of their programs as watchdog groups clamored on behalf of the privacy of ordinary Americans. However, the Yahoo case demonstrates that broad orders are still going on. Internet and phone companies have challenged some authorities’ attempts at surveillance. Yahoo is among those that have challenged officials before the secret Foreign Intelligence Surveillance Court.
Some experts on FISA said Yahoo might have tried to push back against the classified directive last year based on two issues: the breadth of the search and the need to write a special software program to search all of its users’ incoming email.
The privacy debate rages
Officials ordered Apple to write a special program to unlock the iPhone used by one of the shooters in the San Bernardino massacre last year. The company fought back against the order on the grounds that it was ordered to write special software, but the FBI dropped its order after a third party was able to help it unlock the iPhone. As a result, there wasn’t any precedent set on cases such as these.
Other experts sided with Yahoo on the case, saying that the surveillance court was legally able to order a search for a set phrase rather than looking at a specific email account. They noted that “upstream” bulk data collection from phone companies based on content was ruled as legal, and thus the same logic could be applied to emails.
Mayer and other Yahoo executives reportedly agreed to comply with the order because they thought they would lose the case. The internet company fought a FISA order in 2007 demanding a search of certain email accounts without a warrant, but it lost the case.