Did Yahoo spy on its users’ emails for the NSA?


Just when Yahoo email users thought they had settled their long-running privacy dispute with the company, Reuters’ Joseph Menn has revealed that those users’ emails weren’t just being scanned to improve targeted advertising:

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials, according to people familiar with the matter.

Some of those people – three or four former employees – have revealed that the company complied with a classified US government demand to scan hundreds of millions of Yahoo Mail accounts for the NSA (National Security Agency) or FBI.

It is understood that the request came in the form of a classified edict sent to the company’s legal team that asked Yahoo to search incoming correspondence for something specific (it isn’t clear what, though).

Reuters was unable to determine what, if any, data was handed over. Yahoo did, however, offer a brief – though not very insightful – statement:

Yahoo is a law abiding company, and complies with the laws of the United States.

The decision by Yahoo to spy on its users on behalf of the US government is also alleged to have led to the hitherto unexplained departure of Chief Information Security Officer Alex Stamos, who is now at Facebook.

A first

This seems to be the first case of a company being asked to search emails in real time, although US agencies have in the past asked US internet companies to search stored correspondence. One example of that is the Microsoft vs the US Department of Justice case, in which Microsoft was deemed to be in contempt of court for not handing over the information requested.

It seems that this kind of surveillance might be an unintended consequence of tech companies’ rush to better encrypt their communications following the discovery of PRISM, XKeyscore and the rest of the NSA bag of tricks revealed by Edward Snowden. According to former NSA General Counsel Stewart Baker:

…with that [encryption] comes added responsibility to do some of the work that had been done by the intelligence agencies.

Yahoo was actually something of a latecomer to the email encryption party, and Menn cites intelligence experts who note that it’s “likely that the NSA or FBI had approached other internet companies with the same demand.”

The other tech giants

Yahoo’s peers have reacted with what The Wall Street Journal describes as overwhelming denial. Here’s the rundown:

Google has firmly denied even receiving such a demand:

We’ve never received such a request, but if we did, our response would be simple: ‘No way’

Microsoft denied any secret scanning without commenting on whether it had received any demands:

We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.

Meanwhile, Twitter referred to its transparency lawsuit when it spoke to TechCrunch:

We’ve never received a request like this, and were we to receive it we’d challenge it in a court. […] we are currently suing the Justice Department for the ability to disclose more information about government requests.

Apple, which famously declined to help the FBI crack a dead terrorist’s iPhone earlier this year, said:

We have never received a request of this type. If we were to receive one, we would oppose it in court.

And when it asked Facebook, TechCrunch reports that the company responded:

Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it.

Was information shared?

We took a look at Yahoo’s transparency report for around the time this scanning would have taken place: the spring of 2015.

The actual number of accounts shared was relatively low at 21,000 to 21,499 for the six months from January 1 2015 to June 30 2015. Just one year earlier, an additional 6,000 accounts were shared and two years earlier an additional 9,000 accounts were shared.

While we may never know whether Yahoo did actually share any data as a result of this reported US government request, the company isn’t making the same strong public denial of being involved in secret government email scanning that its competitors are.

This latest revelation comes after a disastrous month for a company that remains huge despite giving the appearance of almost perpetual decline since the 1990s.

In September, the company revealed that “at least” half a billion user accounts had been stolen in a security breach in 2014. Not only did the company take two years to disclose the breach, it also declined to offer its users the most basic protection of a password reset in its aftermath, apparently for fear of losing customers.