Big news dropped yesterday in Reuters: In 2015, the US government asked Yahoo to scan all incoming email looking for certain, unknown characters in emails or attachments; unfortunately, Yahoo agreed to do it—without putting up a fight. The demand came in the form of a classified “edict,” as Reuters describes it, to Yahoo’s legal department.
According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.
Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.
Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.
Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.
They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
In statements to reporters, other major technology companies denied participating in similar surveillance programs at the behest of the US government. Google released a statement categorically denying any such relationship: “We’ve never received such a request, but if we did, our response would be simple: ‘No way.'” Microsoft, which declined to comment on whether it had received a similar request from the government, issued a carefully phrased denial: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo” [emphasis mine]. Apple, meanwhile, was explicit: “We have never received a request of this type. If we were to receive one, we would oppose it in court.” Facebook and Twitter both also said they’d never received such demands, and would fight them if they did.
It’s not clear what legal authority the government thinks gives it the right to make such demands. But we have a good lead, from Senator Ron Wyden, a privacy stalwart who has access to classified intelligence information because of his position on the Senate Intelligence Committee. Wyden, who has made a habit of dropping public hints about what’s really going on in the spy world, responded to the story with this statement:
It is a fact that collection under Section 702 of the Foreign Intelligence Surveillance Act has a significant impact on Americans’ privacy. It is public record that this expansive surveillance program is the basis for warrantless searches of Americans’ emails, and that the government has never even counted how many. The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public.
Here’s how I interpret that statement, following the Wyden code: The NSA has been lying to the American public, again, about its domestic surveillance activities. The NSA said it only targets certain people under 702 authorities, but in fact, as the Yahoo story shows, it is searching through everyone’s emails. The NSA ought to be straight with the public about that activity. (Reminder: the Foreign Intelligence Surveillance Act Amendments Act (FAA for short) of 2008, the law that contains Section 702, put congress’ stamp of approval on the controversial, widely criticized Bush administration warrantless wiretapping program, disclosed by New York Times reporter James Risen in 2005. The ACLU tried to challenge the constitutionality of Section 702 but was stymied when the Supreme Court held the organization’s clients—human rights attorneys among them—lacked standing to bring the lawsuit.)
ACLU attorney Patrick Toomey called the reported program “unprecedented and unconstitutional”:
The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit. It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court. If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency.
Back in 2013 when we learned, through Edward Snowden’s leaks, about the NSA and FBI’s vast PRISM surveillance partnership with the major technology companies, Yahoo had this to say: “The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false.” The company’s spokesman later clarified to say that it only hands over to the government the private information of an “infinitesimal percentage” of its users.
The program disclosed yesterday appears to differ from PRISM in at least two core respects: First, the email scanning surveillance is achieved through a special program Yahoo email engineers reportedly wrote on the government’s behalf. Second, the recently disclosed program deals with ‘live’ data, whereas PRISM granted the NSA and FBI access to information stored on company servers, not information in transit.
Over the next couple of days, you will likely hear surveillance state defenders talk about how we need to give the intelligence agencies access to “the whole haystack” if we want them to stop terrorist attacks. But mass surveillance doesn’t stop terrorism; it never once has.
Meanwhile, yet another NSA contractor working for Booz Allen Hamilton has been accused of stealing government secrets.
UPDATE 10/7/16: Charlie Savage and Nicole Perlroth of the New York Times published what appears to be the government’s response to the Reuters story, characterizing the surveillance operation as nothing more than the adaptation of an existing “spam filter” to look for communications “signatures” used by alleged terrorists overseas. Based on the claims of anonymous government officials, the Times report says “Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware.”
But a post at Vice’s Motherboard tech site undercuts those claims, reporting instead that, “according to two sources closely familiar with the matter,” the surveillance tool Yahoo installed on its own systems at the behest of the US government was actually “buggy malware” known as a “rootkit” that put the entire system, and all Yahoo users, at great security risk.
The rootkit-like tool was found by Yahoo’s internal security testing team during one of their checkups, according to a source.
“They assumed it was a rootkit installed by hackers,” an ex-Yahoo employee, who requested anonymity to discuss sensitive issues, told Motherboard. “If it was just a slight modification to the spam and child pornography filters, the security team wouldn’t have noticed and freaked out.”
“It definitely contained something that did not look like anything Yahoo mail would have installed,” the source added. “This backdoor was installed in a way that endangered all of Yahoo users.”