It keeps getting worse for Yahoo users, who recently endured news that their data was stolen in the biggest security breach in history. Now Reuters is reporting that the US government issued a classified legal request for Yahoo to write custom software that scanned Yahoo Mail for specific terms in real time, and Yahoo agreed. The report cited four anonymous sources with knowledge of the events.
Yahoo’s custom surveillance software, created last year, sifted through hundreds of millions of Yahoo Mail accounts, Reuters said. The program, which detects a string of characters specified by US intelligence officials, was written by Yahoo Mail engineers at the request of chief executive Marissa Mayer and general counsel Ron Bell. Emails containing those characters were then stored for US intelligence to look at. It’s not clear which agency asked Yahoo to do this, or what data was ultimately handed over. When asked by Reuters, Yahoo said only that it complies with US laws. Update: Yahoo sent us a statement saying: “The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”
The case recalls the public fight between the FBI and Apple in February. There too, the government wanted a tech company to write custom software to get a user’s information—in that instance, a custom version of Apple’s mobile operating system to unlock the data contained on an iPhone belonging to a suspected terrorist. Apple refused, and chief executive Tim Cook wrote to customers: “The US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.” A backdoor to Yahoo Mail is essentially what Mayer and Bell had their engineers devise.
Other tech companies, including Microsoft, Twitter, Apple, and Google, told other news media they’ve never received such a request and that they would fight it if they did.
Yahoo’s then head of security, Alex Stamos, was reportedly not even told of the email-scanning program. Instead, Yahoo security engineers discovered it independently, thinking it was left by hackers. In general, Yahoo was behind its rivals in adopting security measures and starved its security team of financial resources, according to a recent New York Times report (paywall), for fear of making its services harder to use or to monetize. Stamos left Yahoo at the end of June 2015 to head security at Facebook, after the government surveillance program was discovered, according to Reuters.
The company’s regular transparency reports, which give some information on data requests by governments, do not shed light on the nature of the surveillance program. The reports list data requests according to how the data was obtained (by the Foreign Intelligence Surveillance Court, by the FBI, or by other law-enforcement agencies), and it’s unclear which agency requested the surveillance software.
For whatever it’s worth, the transparency report for the second half of 2015 does not include intelligence requests made by the FISC. The page says that those data are subject to a six-month reporting delay. Nine months have elapsed.