Yahoo implicated in secret surveillance program, but questions remain

A report claims Yahoo built custom software under order of the U.S. government to perform secret surveillance on all incoming emails, though questions about the program remain.

After Yahoo admitted to a hack that compromised 500 million user accounts, a new report is claiming Yahoo created a secret surveillance program under order of the U.S. government. But experts said the report leaves many unanswered questions about the program and the company's involvement.

The Reuters report said Yahoo created a custom search program last year in order to scan all incoming email to users' accounts under the direction of either the National Security Agency (NSA) or FBI, according to anonymous former Yahoo employees cited in the report. Yahoo allegedly received a "classified edict," and CEO Marissa Mayer decided to comply, even though the decision led to the departure of then-CISO Alex Stamos, according to the story. The Reuters report said the program searched for a specific "character string," but it was unclear what exactly U.S. intelligence officials were looking for and what data was turned over by Yahoo.

Nate Cardozo, senior staff attorney for the San Francisco-based Electronic Frontier Foundation (EFF), told SearchSecurity there were too many questions to know what really happened.

"I think one of the things to keep in mind here is that there's something that we don't know," Cardozo said. "I don't know what it is, but it's pretty clear to us at EFF that [there are] either some details that are wrong or some details that are missing from Joe Menn's report in Reuters. It doesn't quite line up."

Robert Graham, CEO of Atlanta-based Errata Security, said the report led to confusion over whether incoming emails were scanned or email accounts. "Which is it? Did they 'search incoming emails,' or did they 'scan mail accounts?'" Graham asked in a blog post. "Whether we are dealing with emails in transmit or stored on the servers is a [big detail] that you can't gloss over and confuse in a story like this. Whether searches are done indiscriminately across all emails, or only for specific accounts, is another [big detail]."

Yahoo alleged the report of secret surveillance was "misleading," saying in an email, "We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."

Rebecca Herold, CEO of Privacy Professor, told SearchSecurity this could have been a well-crafted response that avoids the truth, assuming the claims are accurate.

"Technically, if they created the software specifically to scan incoming emails, it may not exist within or on their systems, but could have been implemented and [could have been] doing scanning just outside their systems," Herold said. "Yahoo is either providing a very carefully worded response, or the four people who are claiming this are trying to damage the Yahoo business even more. I would hope that the reporter validated the veracity of their claims prior to publicizing the article. If the truthfulness was validated, then it is most likely a very carefully worded response."

A separate report from The New York Times may have clarified what happened, but also raised more questions. The report said two anonymous government officials confirmed Yahoo received a Foreign Intelligence Surveillance Act (FISA) order -- something the Reuters article never explicitly stated -- and was barred from disclosing it.

The officials said Yahoo customized a system already designed to scan all incoming email for malware. The system was adapted to search for a specific "digital signature," store results and share pertinent results with the FBI, according to the report.

Cardozo said even if the Reuters report as a whole is assumed to be true as described, the FISA order would have been unconstitutional.

"If we take that report at face value, what Yahoo was asked to do according to the report is obviously illegal," Cardozo said. "There is no possibility that being compelled to scan every incoming email for anything in any context could pass the Fourth Amendment. That's just not conceivable. But if that's not what they were asked to do, or they did it voluntarily, then it could potentially have been legal."

Kevin Bankston, director of New America's Open Technology Institute, based in Washington, D.C., said on Twitter this should spur FISA reform.

Richard Goldberg, principal and litigator for Goldberg and Clements PLLC, based in Washington, D.C., told SearchSecurity that national security letters (NSLs) like the FISA order have fewer legal requirements and do not involve a judge.

"The fact that companies are entitled to challenge NSLs does not mean that they will challenge them," Goldberg said. "We don't know whether Yahoo fought it at all. We know there was dissension in the ranks, which tells us that some people thought it was either illegal or a brand killer. Given that the demand was reported to be classified, there is a very good chance that it included a nondisclosure order to Yahoo. Such an order would permit Yahoo to challenge the demand in secret, but typically not permit the company to speak publicly about it."

Cardozo said Yahoo has a history of fighting back against FISA orders, and it "is the only company ever to fight back against a FISA order, which [it] did in 2007 [and] 2008," referring to Yahoo's failed attempt to contest the FISA order regarding the PRISM government surveillance program before Mayer took over as CEO.

"Yahoo could not have been compelled to build this tool, but that's not to say they wouldn't have done it voluntarily," Cardozo said, noting arguments of burden to build such a secret surveillance system. "Just because if they fought [and] they would have won doesn't mean that it didn't happen."

Herold noted the burden of building such a secret surveillance system would have been large.

"If it is true, Yahoo spent their own time and resources to create a program specifically to [scan] incoming messages for government agencies. This is much different than in the past, when the ISPs [internet service providers] and email service providers provided messages from their storage, which takes significantly fewer resources for the organizations to accomplish."

Goldberg said he "cannot imagine why anyone would trust Yahoo after this."

"But we could have said that after Verizon -- which just purchased Yahoo -- was reported to have given its customers' metadata to the NSA in bulk. People still use Verizon as an ISP and as a wireless carrier," Goldberg said. "Particular professionals are now on notice that public ISPs may be collecting the content of their email. There are lawyers who have Yahoo email addresses for work. If they did not know before, they now know that their clients' confidential data could be in the hands of the U.S. government."

Cardozo said if the report is true, it "seems like ridiculously bad judgment on Marissa Mayer's part."

"To build anything like this, anything plausibly related to the story, without instantly involving your security team is completely insane. All of the various explanations that make sense that involve building something like an intrusion detection system without the chief security officer's consent or involvement -- that's ridiculously bad judgment, and that falls squarely on Marissa Mayer."

Herold said this story could put other Yahoo practices into question if it is found to be true.

"If the executives making this decision did so with the belief that this activity, [which] demonstrates blatant disregard for their clients' privacy, would never be discovered, then that also shows how out of touch Yahoo is with how easily and quickly news of such activities can be communicated and spread throughout the internet," Herold said. "[This] degrades consumer confidence in the company even more; if they were actually this naïve, how naïve are they with their other digital practices?"
