The recent fallout for U.S. tech giant Yahoo continued Tuesday with a potentially damning report from Reuters revealing the company may have scanned or searched millions of incoming emails at the behest of an unnamed U.S. intelligence agency. According to three former, but anonymous, employees and "a fourth person apprised of the events," Yahoo email engineers allegedly custom-built a software program that filtered incoming emails for certain, undisclosed "selectors," or "a set of characters" provided by a government intelligence agency.
Though it is not known what data may have been turned over, the program would differ from previously disclosed surveillance programs, which scanned stored emails rather than incoming email in real time.
It is also not clear whether the government demand came from the National Security Agency, the Federal Bureau of Investigation, or another U.S. intelligence agency. Further, questions are now being asked about the accuracy of the report as a whole.
Two of the unnamed, former employees of Yahoo said the decision to follow the orders came from Yahoo Chief Executive Marissa Mayer in 2015 and "roiled some senior executives," leading, for example, to the abrupt departure of the company's chief information security officer, Alex Stamos. According to the report, Mayer and General Counsel Ron Bell directed the company's email engineers to create software "to siphon off messages containing the character string the spies sought and store them for remote retrieval," all without the knowledge of Stamos and the security team. The sources said the security team stumbled upon the undisclosed program in May 2015, within weeks of the software's installation, and originally thought it was part of an outside hack.
Stamos, who now heads up security for Facebook, left Yahoo in June 2015, but did not mention any issues with Yahoo.
In an official first statement, Yahoo said it is "a law abiding company, and complies with the laws of the United States."
Alphabet's Google and Microsoft each responded to whether they had faced similar requests from the U.S. government. In a statement, a Google spokesman said, "We've never received such a request, but if we did, our response would be simple: 'No way.'"
A Microsoft spokesman said, "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo."
Several lawmakers and privacy advocates immediately criticized the program. Rep. Ted Lieu, D-Calif., said that type of forced government request was "flat out unconstitutional." Sen. Ron Wyden, D-Ore., said, "The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public."
The ACLU's Christopher Soghoian praised the leak in several posts on Twitter:
A useful reminder that we still need whistleblowers and leaks to the press. The surveillance oversight system totally failed to stop this. https://t.co/tMHyTXghWb
— Christopher Soghoian (@csoghoian) October 4, 2016
However, in a later statement supplied to Ars Technica reporter Cyrus Farivar, Yahoo said, "The [Reuters] article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."
Others have also questioned the accuracy of the Reuters report, pointing out that it claims, at one point, the program "scans" the emails, while at others it refers to "searching" the emails. Recent App co-founder and former security journalist Declan McCullagh presented an alternative theory under the self-generated hashtag, "#AltYahoo."
The #AltYahoo hypothesis: 1. DHS provided Yahoo with classified malware signatures to use when scanning incoming email.
— Declan McCullagh (@declanm) October 5, 2016
He contends that the directive required Yahoo to "'buil[d] a custom software program' because of signatures' SECRET/TOP SECRET/etc. classification levels." This is something, he argues, the government has said they want to do, and since the company had few in-house employees that had security clearances, "they bypassed non-cleared security folks and corralled engineers."
10. Google/Twitter/MS never received a court order to bulk scan emails for content (neither had Yahoo!) so denied it. #AltYahoo
— Declan McCullagh (@declanm) October 5, 2016
Similarly, security researcher Robert Graham claims the Yahoo story "is garbage" and points out several areas in the report that are too vague. He also adds several alternative theories of how the program worked. "My point is this," he wrote, "the story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story. The story certainly doesn't say that Yahoo did anything wrong, or that the government is doing anything wrong (at least, wronger than we already know)."
Though many questions remain, the news is sure to refuel concerns around the world about direct U.S. government involvement in U.S.-based technology companies.