TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Yahoo allegedly scanned emails for US intel, but questions remain Related reading: Notes from the Asia-Pacific region, 3 Dec. 2021



The recent fallout for U.S. tech giant Yahoo continued Tuesday with a potentially damning report from Reuters revealing the company may have scanned or searched millions of incoming emails at the behest of an unnamed U.S. intelligence agency. According to three former, but anonymous, employees and "a fourth person apprised of the events," Yahoo email engineers allegedly custom-built a software program that filtered incoming emails for certain, undisclosed "selectors," or "a set of characters" provided by a government intelligence agency.

Though it is not known what data may have been turned over, the program would be different from previously disclosed surveillance programs that scanned stored emails as opposed to in coming email in real time. 

It is also not clear whether the government demand came from the National Security Agency, the Federal Bureau of Investigation, or another U.S. intelligence agency. Further, questions are now being asked about the accuracy of the report as a whole. 

Two of the unnamed, former employees of Yahoo said the decision to follow the orders came from Yahoo Chief Executive Marissa Mayer in 2015 and "roiled some senior executives," leading, for example, to the abrupt departure of the company's chief information security officer, Alex Stamos. According to the report, Mayer and General Counsel Ron Bell directed the company's email engineers to create software "to siphon off messages containing the character string the spies sought and store them for remote retrieval," all without the knowledge of Stamos and the security team. The sources said the security team stumbled upon the undisclosed program in May 2015, within weeks of the software's installation, and originally thought it was part of an outside hack. 

Stamos, who now heads up security for Facebook, left Yahoo in June 2015, but did not mention any issues with Yahoo. 

In an official first statement, Yahoo said it is "a law abiding company, and complies with the laws of the United States." 

Alphabet's Google and Microsoft each responded to whether they had faced similar requests from the U.S. government. In a statement, a Google spokesman said, "We've never received such a request, but if we did, our response would be simple: 'No way.'"

A Microsoft spokesman said, "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo." 

Several lawmakers and privacy advocates immediately criticized the program. Rep. Ted Lieu, D-Calif., said that type of forced government request was "flat out unconstitutional." Sen. Ron Wyden, D-Ore., said, "The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public." 

The ACLU's Christopher Soghoian praised the leak in several posts on Twitter: 

However, in a later statement supplied to Ars Technica reporter Cyrus Farivar, Yahoo said, "The [Reuters] article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems." 

Others have also questioned the accuracy of the Reuters report, pointing out that it claims, at one point, the program "scans" the emails, while at others it refers to "searching" the emails. Recent App co-founder and former security journalist Declan McCullagh presented an alternative theory under the self-generated hashtag, "#AltYahoo." 

He contends that the directive required Yahoo to "'buil[d] a custom software program' because of signatures' SECRET/TOP SECRET/etc. classification levels." This is something, he argues, the government has said they want to do, and since the company had few in-house employees that had security clearances, "they bypassed non-cleared security folks and corralled engineers."   

Similarly, security researcher Robert Graham claims the Yahoo story "is garbage" and points out several areas in the report that are too vague. He also adds several alternative theories of how the program worked. "My point is this," he wrote, "the story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story. The story certainly doesn't say that Yahoo did anything wrong, or that the government is doing anything wrong (at least, wronger than we already know)." 

Though many questions remain, the news is sure to refuel concerns around the world about direct U.S. government involvement in U.S.-based technology companies. 

Photo credit: Christoph Scholz Cloud - E-Mail in Cloud-Center - Serverraum via photopin (license)


If you want to comment on this post, you need to login.

  • comment Giulio di Lernia • Oct 5, 2016
    Yahoo (a.k.a. Verizon) is indeed complying with US Laws, but in this case it's not clear to many if it was abiding to EU Data Privacy Laws. An executive order from NSA or FBI has no jurisdiction in EU (although we all know that de-facto it often works anyway). This new was reported from major newspapers in Italy (e.g.: , and a Snowden comment on Twitter (inviting all Yahoo users to close their accounts) was included.  From a Privacy point of view it's hard to understand in which way EU citizens emails are protected from being scrutinized by this or that agency around the world, given that the jurisdiction is enforceable where the servers reside. Thinking about "the cloud" as well, the head starts spinning... From a Security standpoint, if there is no good and feasible "enforcement" of Privacy Laws, they remain dead letter, good only for Law students to bash their heads during University.
  • comment Jedidiah Bracy • Oct 6, 2016
    Thanks for sharing your thoughts, Giulio. It appears, according to two unnamed U.S. government sources, that Section 702 of the FISA Act is what was used to compel Yahoo to scan the emails. 
    And clearly, voices in Europe are calling on the Commission and Working Party 29 to look into the issue. Ireland's Data Protection Commissioner has said it is "making enquiries." It will be interesting to see how Privacy Shield holds up under this latest news bomb. 
    Also, Section 702 is due for renewal at the end of 2017. I'd imagine that reforming this provision will play a key role in Shield's first annual review.