At the request of the US government, Yahoo engineers last year secretly built custom software to scan all of its users' incoming email in real time — and then made that data available to US intelligence officials. Just how secret was this program? According to Reuters, Yahoo's Chief Information Security Officer Alex Stamos didn't even know about it. The siphoning off of user data was apparently so egregious that when Stamos's security team discovered it, they initially thought the company had been hacked.
While Yahoo's involvement (along with Facebook, Microsoft, and Google) in the NSA spying program PRISM is well documented, this marks the first time (that we are aware of) that a tech company has agreed to search all incoming messages — as opposed to a specific set of stored messages — as they come in.
According to the report, Yahoo scanned hundreds of millions of incoming emails for either the FBI or the NSA — searching for specific keywords provided by government officials. The company was instructed to do so via a classified directive. Yahoo Chief Executive Marissa Mayer reportedly decided to obey the order, rather than fight it, and had a small group of engineers create special software to meet the government's needs — without involving Yahoo's security team.
In fact, the team only found out about it by accident — thinking that hackers had gained access to Yahoo.
When your own IT staff thinks you've been hacked because you gave remote access to the NSA... #Yahoo https://t.co/1ge9j5a35w pic.twitter.com/YY8OkzH1aY
— Mirko Hohmann (@mirkohohmann) October 4, 2016
What's more, when the program was discovered, Stamos reportedly told those involved that it had been constructed with a security flaw — possibly allowing (non-US government) hackers access to users' data.
Yahoo also recently made the news by admitting that over 500 million user accounts had been breached.
Following his discovery of Yahoo's bending over to the feds' commands, Stamos resigned and went to work for Facebook. Interestingly, it is likely that the government approached other tech giants, including Facebook, with a similar request, as Reuters reports that officials "evidently did not know what email accounts were being used by the target."
Use @Yahoo? They secretly scanned everything you ever wrote, far beyond what law requires. Close your account today. https://t.co/dJrJUyyxk6
— Edward Snowden (@Snowden) October 4, 2016
Other companies, however, may have decided to fight the government's request in court — something we cannot know, since under the Foreign Intelligence Surveillance Act such a battle would have taken place before a secret tribunal. A more public battle was waged earlier this year when Apple refused to comply with a government order to create special software to hack into the work phone of the San Bernardino shooter. In that case, officials ended up breaking into the phone on their own, by means several news organizations are still trying to figure out.
The ACLU, for its part, sees Yahoo's action as likely unconstitutional. "Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional," explains ACLU staff attorney Patrick Toomey. "The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit."
And what does Yahoo have to say about all this? Basically, that they do as they're told as a "law-abiding company."
Orwellian statement re this NSA email scanning story: "Yahoo is a law abiding company, and complies with the laws of the United States"
— Shane Dingman 👌 (@shanedingman) October 4, 2016
This story has been updated to include the ACLU's response.