X

Did Yahoo spy on its users for the US government?

CEO Marissa Mayer complied with a government directive to scan hundreds of millions of incoming messages, according to Reuters.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
4 min read
Watch this: Time to quit Yahoo? Site reportedly spied on emails for US government
gettyimages-539583462.jpg
Enlarge Image
gettyimages-539583462.jpg

Yahoo CEO Marissa Mayer reportedly chose to obey the government's demand.

ChrisFarina, Corbis via Getty Images

Yahoo built surveillance tools last year after the National Security Agency or the FBI issued a secret directive to scan all customers' incoming emails, according to a Reuters report.

The agencies asked the internet company to search for "a set of characters," according to the report, which cited anonymous former Yahoo employees. That could be a phrase, for example, or an attachment, sources told Reuters.

Yahoo CEO Marissa Mayer chose to obey the directive, Reuters reported, a decision that prompted then-Chief Information Security Officer Alex Stamos to leave the company in June 2015. Stamos reportedly told people working for him that a programming flaw could give hackers access to customers' stored emails. He is now Facebook's security chief.

Reuters was not able to confirm whether any other company had faced the same secret directive Yahoo complied with.

"Yahoo is a law-abiding company and complies with the laws of the United States," a Yahoo spokesman said in an email Tuesday. The FBI and NSA didn't respond to requests for comment.

Even so, the company disputed the Reuters report.

"The article is misleading," Yahoo said in a statement Wednesday. "We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."

Yahoo's alleged acquiescence would be in stark contrast with the tech industry's public stance on consumer privacy. In January, Apple showed a willingness to defy an FBI request to write custom code that would break encryption on an iPhone tied to the San Bernardino, California, terrorist attack. In March, more than 40 top tech companies signed amicus briefs supporting Apple in a court case that was resolved without a final ruling.

'We would fight it'

Stamos declined to comment on the reasons behind his departure from Yahoo, but Facebook said it has never seen a directive like the one allegedly served to Yahoo.

"Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it," a Facebook spokesman said in a statement.

Others among tech's biggest names echoed that sentiment, often emphatically.

"We have never received a request of this type," an Apple spokesman said in a statement. "If we were to receive one, we would oppose it in court."

Twitter noted that it is suing the US government for the ability to share more about government demands for information.

"We've never received a request like this, and were we to receive it we'd challenge it in a court," a Twitter spokesman said in a statement. "Separately, while federal law prohibits companies from being able to share information about certain types of national security related requests, we are currently suing the Justice Department for the ability to disclose more information about government requests."

Microsoft has fought gag orders that would stop it from telling users when the government asks for their information.

"We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo," Microsoft said in an emailed statement.

Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in an emailed statement that the government directive appeared to be "unprecedented and unconstitutional."

Further, he criticized Yahoo for apparently complying without a fight. "It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order," Toomey said, "because customers are counting on technology companies to stand up to novel spying demands in court."

The government's wide net

Not everyone felt Yahoo deserved all the arrows it was receiving. Michael Sutton, chief information security officer at cybersecurity firm Zscaler, said it's highly likely other companies received the classified directive.

"Such a broad directive suggests that the intelligence community needed to cast a wide net, which likely included other providers," Sutton said. "Unfortunately, the very process of such directives precludes transparency and prohibits others from even revealing the existence of such a request."

Stewart Baker, who served as the general counsel of the NSA from 1992 to 1994 and who critiqued privacy advocates in his book "Skating on Stilts: Why We Aren't Stopping Tomorrow's Terrorism," said it's not surprising that intelligence agencies would ask Yahoo for assistance like this.

As companies encrypt user communications more, it becomes harder for the US government to intercept internet traffic and search it on its own. Baker said he prompts the governments to tell companies, "Well, you still have this information and you're capable of going through the selectors, so we're going to give you an order to do that."

Baker is now an attorney at law firm Steptoe & Johnson who focuses on national security, privacy and computer security.

Yahoo previously lost a court battle that forced it to comply with a secret surveillance program called Prism. That program, later revealed by Edward Snowden, let the NSA grab emails, video chats, photos and documents.

Yahoo fought that court order before Mayer became CEO in 2012.

The company is still recovering from a 2014 data breach, revealed in September, that affected half a billion Yahoo users in the world's biggest hack. Verizon in July announced plans to buy the internet pioneer for $4.8 billion.

Verizon declined to comment for this story.

Fatemeh Khatibloo, a privacy analyst with tech research firm Forrester, said she thinks the news of the email scanning combined with the news of the hack could give Verizon a reason to back away.

"It changes the calculus around the Verizon acquisition," Khatibloo said. "Taken together, the asset is the users as Yahoo services. And, are there going to be any users left after this?"

First published October 4 at 10:37 a.m. PT.
Updated throughout October 4 and again October 5 at 9:22 a.m. PT:
Details added, along with Yahoo's response to the Reuters article and with comments from Apple, Facebook, Google, Microsoft, Twitter, Michael Sutton of Zscaler, Patrick Toomey of the ACLU, National Security Attorney Stewart Baker and Forrester analyst Fatemeh Khatibloo.

Podcast