Yahoo allowed NSA and FBI to rifle through customer emails
Yahoo has been accused of secretly building a custom software program that allows US intelligence officials to search all of its customers’ incoming emails for specific information.
The internet company conducted the surveillance last year, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI after receiving a classified demand from the US Government, according to three former employees and a fourth person apprised of the events.
Some surveillance experts said this represents the first time the public has been made aware of a US internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources who were unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
The decision to allow US intelligence agencies such access was reportedly agreed upon by Yahoo chief executive Marissa Mayer.
Her decision apparently agitated some senior executives including Yahoo’s chief information security officer Alex Stamos who left in June 2015 and now holds the top security job at Facebook.
“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said, declining any further comment. The NSA also declined to comment.
The request to search Yahoo Mail accounts reportedly came in the form of a classified edict sent to the company’s legal team.
US phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. However, some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time Web collection or one that required the creation of a new computer program.
“I’ve never seen that, a wiretap in real time on a ‘selector’,” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.
“It would be really difficult for a provider to do that,” he added.
Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.
Google and Microsoft, which are both major email service providers, separately said on Tuesday that they had not conducted such email searches.
“We’ve never received such a request, but if we did, our response would be simple: ‘No way’,” a spokesman for Google said.
A Microsoft spokesperson said in a statement, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” The company declined to comment on whether it had received such a request.
Data from 500 million Yahoo users was stolen last month in what was described as the largest hack of its kind to date.
Yahoo was later sued over negligence due to its handling of private data, while questions arose as to whether the company had known about the massive data breach much longer than it claimed.