Yahoo Secretly Scanned User Emails at Request of Intelligence Officials

The company built a custom software program to search for a certain set of characters in emails

October 4, 2016

In 2015, Yahoo secretly developed a custom software program to search users' incoming emails for a specific set of characters provided by U.S. intelligence officials, reports Reuters.

The company performed this action in compliance with a classified U.S. government directive. Yahoo scanned hundreds of millions of email accounts at the request of the FBI or the National Security Agency (NSA), according to two former employees and a third person knowledgeable about the situation.

Some experts on surveillance believe that this is the first known case of a U.S. Internet company agreeing to fulfill the demands of a spy agency by searching all incoming messages, as opposed to examining stored emails or scanning a small number of user accounts in real time.

A Controversial Decision

The information for which the intelligence officials were searching is unknown. What is known is that they were looking for a specific set of characters, which, according to the sources, could refer to a phrase in an email or an attachment.

Reuters could not determine what data, if any, Yahoo may have provided to the officials, whether the officials had approached any other email providers with a similar demand, or whether any providers that received such a demand had complied.

Chief Executive Marissa Mayer's choice to comply with the request angered some senior executives at Yahoo, said the former employees, and led to the departure of Chief Information Security Officer Alex Stamos in June 2015. Stamos is now the top security official at Facebook and declined an interview request via a Facebook spokesman.

When Reuters questioned the company about the request, it responded with the brief statement that "Yahoo is a law abiding company, and complies with the laws of the United States." The company declined to comment further on the matter.

The NSA referred related questions to the Office of the Director of National Intelligence, which declined to comment on the situation.

The classified directive sent to Yahoo was directed to its legal team, said the three sources.

"I've never seen that"

It is known that phone and Internet companies in the U.S. have provided bulk amounts of user data to intelligence agencies. However, some former government officials and private surveillance experts claimed not to have previously seen either a directive for real-time Web collection of this scope or one requiring the development of a new software program.

"I've never seen that, a wiretap in real time on a 'selector,'" said Albert Gidari, a lawyer who represented phone and Internet companies regarding surveillance matters for 20 years before moving to Stanford University this year. A "selector" is a type of search term that is used to zero in on specific information. "It would be really difficult for a provider to do that."

Experts stated that the NSA or FBI had probably gone to other Internet companies and made the same demand, since they apparently had not known which email accounts were being used by their target. It is difficult to know which agency is looking for the information because the NSA usually makes its domestic surveillance requests through the FBI.

The law, including the amendments made in 2008 to the Foreign Intelligence Surveillance Act (FISA), enables intelligence agencies to request that U.S. phone and Internet companies hand over customer data to help efforts at gathering foreign intelligence for numerous reasons, including preventing terrorist attacks.

Disclosures or "leaks" made by NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and have led authorities in the U.S. to make a modest reduction in some programs, partly in order to protect privacy rights.

Some companies, including Yahoo, have challenged classified surveillance in a secret tribunal known as the Foreign Intelligence Surveillance Court.

Some experts on FISA claim that Yahoo could have attempted to fight last year's demand as well based on at least two grounds: the extent of the request and the necessity of developing a special program for scanning all of its users' emails in transit.

Apple argued along similar lines earlier this year when it refused to develop a special program to allow law enforcement officials to break into an encrypted iPhone that had been used in the San Bernardino massacre in 2015. The FBI unlocked the phone with third-party assistance and then dropped the case, so a precedent was not set.

However, other FISA experts defended Yahoo's compliance with the demand, arguing that the surveillance court could have ordered a search for a particular term rather than a particular account. They said that so-called "upstream" bulk collection from phone carriers on the basis of content was found to be legal, and that the same logic could be applicable to Internet companies' mail.

A Matter of Power and Responsibility

As technology companies get better at data encryption, it is likely that they will receive more such demands from spy agencies.

According to NSA General Counsel Stewart Baker, email providers "have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies."

Yahoo CEO Mayer and other executives ultimately chose to comply with the demand instead of challenging it, partly, said the sources, because they believed they would lose the case.

In 2007, Yahoo fought a FISA demand for it to search specific email accounts without a warrant approved by a court. Although the case details are still sealed, a partially redacted published opinion indicated that Yahoo's challenge was not successful.

Some employees at Yahoo were upset that the company had decided to comply, said the three sources, and believed that it could have won a challenge. They were also upset that Mayer and Ron Bell, the company's general counsel, did not include Yahoo's security team in making the decision but instead requested that its email engineers develop a software program that would siphon off emails that contained the desired character set and then store them to be retrieved remotely.

According to the sources, the security team discovered the program in May 2015, a matter of weeks after it had been installed. The team initially thought that the company had been hacked.

Upon discovering that Mayer had authorized the program, Stamos resigned as chief information security officer. He told his subordinates that he had been excluded from a decision that hurt the security of Yahoo users, said the sources, and that hackers could have gained access to the stored messages due to a programming flaw.

In an unrelated incident, Yahoo announced last month that "state-sponsored" hackers had infiltrated 500 million user accounts in 2014. These discoveries have drawn new scrutiny to the company's security practices as it works to finish a deal to sell its core business to Verizon.