According to a report by Reuters, Yahoo Inc built a secret custom software program to search all of its customers’ email messages for specific information, at the request of U.S. intelligence officials. The report cites three unnamed former employees and “a fourth person appraised of the events,” saying that the company scanned “hundreds of millions of Yahoo Mail accounts” at the request of the National Security Agency or the FBI.
It’s unclear what information Yahoo passed on to the intelligence agencies. Microsoft, Google and Twitter have all denied conducting similar searches. In a statement provided to media, a Microsoft spokesperson said:
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
… but declined to comment on whether or not they had been approached with such a request. Google said that they had “never received such a request.” A Twitter spokesperson told TechCrunch “We’ve never received a request like this, and were we to receive it we’d challenge it in a court.”
The decision to comply with the government’s request was contentious within Yahoo, ultimately causing former Chief Information Security Officer Alex Stamos to leave the company, later landing at Facebook.
Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.
Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.
Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.
They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
That security team, bypassed in the decision to comply, found the program within weeks. They initially thought the company had been hacked (something they were probably already well familiar with). Stamos then resigned, according to Reuters, telling his subordinates that hackers could have accessed the stored emails due to a programming flaw.
As internet companies face increasing scrutiny over their abilities to protect user data from not only hackers but governments, and governments continue to push for more access in order to pursue their enemies, user security of online assets is going to become an ever bigger problem.
Do you trust Microsoft with your data in the cloud? Do you trust anyone?
Further reading: Email, National Security, Yahoo