Citing a few unnamed sources familiar with the matter, Reuters reported that the software could search any incoming email to a Yahoo account for specific sequences of characters sought by the US government. The software could also store the information for later retrieval by US spy operatives. It's still unclear whether this software searched only US citizens' email accounts, or if its scope was more broad. Reuters notes that it is likely that the government demanded that other email providers comply with its spying directive as well.
Yahoo's compliance with government spying at this scale seems to be previously unheard of, especially because it built the customized software for the government's spying purposes. Earlier this year, Apple successfully fought a publicized battle with the FBI after the agency demanded that Apple develop software to break encryption on an iPhone owned by one of the San Bernardino shooters.
Yahoo denied the existence of the software in a prepared statement: “The [Reuters] article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”
The ACLU responded in a prepared statement: “The order issued to Yahoo appears to be unprecedented and unconstitutional...It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court.”
Sherif Elsayed-Ali, head of technology and human rights at Amnesty International, said in a prepared statement, "This news will greatly undermine trust in the internet...This would demonstrate the failure of US government reforms to curb NSA’s tendency to try and indiscriminately vacuum up the world’s data. This is a clear sign that people can trust neither their government nor their service providers to respect their privacy: only end-to-end encryption that keeps their communications away from prying eyes will do."
And after the Snowden leaks uncovered the PRISM scandal in 2013, tech companies, from Yahoo to Google to Apple, denied their involvement in the NSA's surveillance and emphasized how they had fought the government over orders for data from the Foreign Intelligence Surveillance Court. In 2007, Yahoo did wage a scrappy fight against a Foreign Intelligence Surveillance Act demand for the company to search specific email accounts without a warrant, but it was ultimately unsuccessful.
Cybersecurity and legal experts are not, to say the least, pleased with Yahoo's latest news.
Cardozo also told BuzzFeed News, "This has enormous constitutional implications. There's no way this would satisfy the Fourth Amendment. It's much more intrusive than PRISM, and the fact that Marissa Mayer gave them 'direct access' is insane. Was Verizon aware of what they bought?"
In response to a request for comment, an Apple spokesperson told BuzzFeed News, “We have never received a request of this type. If we were to receive one, we would oppose it in court.”
A Microsoft spokesperson said, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
A Google spokesperson told BuzzFeed News, "We've never received such a request, but if we did, our response would be simple: no way."
And Twitter said in a prepared statement: “We've never received a request like this, and were we to receive it we'd challenge it in a court.” Twitter is currently suing the Justice Department to be able to disclose information about the government's requests.
Reuters also reported that Yahoo’s security team, which was not informed about the company's development of the spying software, discovered the program in May 2015, just weeks after its installation, and thought it was a hack. Yahoo’s email engineers developed the program.
Yahoo’s Chief Information Security Officer, Alex Stamos, left the company after discovering the compliance with US intelligence. According to Reuters, he advised Yahoo that hackers beyond simply US spies would be able to access the stored emails due to a programming flaw. Recently, news broke that Yahoo endured a hack of 500 million user accounts in 2014, which does not seem to be related to the installation of the email spying software.
The company also announced a new app, Newsroom, which it called “Reddit for the masses,” on the same day as the spying became public. Yahoo is in the midst of a $4.8 billion sale to Verizon.
Blake Montgomery is a reporter with BuzzFeed News and is based in San Francisco.