Report: Yahoo scanned users’ email for U.S. intelligence agencies

Yahoo’s trust with users is damaged today by a Reuters report that claims the company developed a custom program to search all users’ incoming email for specific queries given by U.S. intelligence officials.

“We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it,” Yahoo CEO Marissa Mayer says in the opening to the company’s transparency report, in which it documents government requests for user data. But it appears that Yahoo subverted user trust by creating the custom program, and excluded information about it from its transparency report.

The dragnet surveillance of Yahoo’s email customers was initiated last spring and was confirmed to Reuters by former employees. The former employees claimed that the software was developed in response to a classified government order and led to the June 2015 resignation of Yahoo’s then-Chief Information Security Officer, Alex Stamos. Mayer and Yahoo General Counsel Ron Bell directed email engineers to create the program, which was discovered by Yahoo’s security team in May 2015, Reuters reports. Stamos and other security team members initially thought hackers had compromised the company’s email security, and Stamos resigned when he learned that Mayer had approved the program.

“Yahoo is a law abiding company, and complies with the laws of the United States,” a Yahoo spokesperson told TechCrunch. A spokesperson at Facebook, where Stamos is currently Chief Security Officer, declined an interview request for Stamos.

The surveillance program has already been condemned by lawyers for the American Civil Liberties Union and members of Congress, who have called the government order received by Yahoo unconstitutional.

“This is big brother on steroids and it must be stopped,” Congressman Ted Lieu said in a statement. “If true, the government’s directive to Yahoo to write a software program and search all of its customers’ incoming emails for certain content is a gross abuse of federal power.”

Between January and July 2015, the period in which Yahoo allegedly implemented the program, the company says content from 21,000 – 21,499 user accounts was requested under the Foreign Intelligence Surveillance Act, and content from 0 – 499 accounts was requested via National Security Letters. (Until the passage of the USA Freedom Act last year, companies were only allowed to disclose FISA and NSL requests in ranges of 500. Now, companies may disclose more detail on FISA requests, with a tradeoff of an additional six months’ reporting delay.) Yahoo says that it requires “valid legal process” in order to turn over user data, except “in the rare instance where we conclude that disclosure without delay is necessary to prevent imminent danger of death or serious physical injury to any person.” It’s not clear whether the scope of the email-scanning program is much smaller than reported by Reuters, or if Yahoo purposefully withheld information about the program from its transparency report.

The most accounts Yahoo said it ever turned over since it began publishing biannual transparency reports in 2013 was 51,000 – 51,499 accounts between July and December 2013. But even those numbers pale in comparison to the hundreds of millions of accounts that may have been accessed by the customized program.

It’s not the first time that Yahoo has been accused of providing customer data to U.S. intelligence agencies. Documents leaked to the Guardian by former NSA contractor Edward Snowden in 2013 revealed that Yahoo provided access to the content of users’ emails and other data through the NSA’s PRISM program, beginning in 2008. Yahoo’s general counsel, Bell, later revealed that the company had resisted joining PRISM because it thought the government’s demands for user data were “unconstitutional and overbroad.” However, Yahoo was threatened with $250,000-per-day fines if it did not comply, with that fine set to double each week until compliance began.

“Forcing a private sector company to search emails is even worse than the NSA’s bulk collection program because now the federal government is seizing and searching content, not just metadata, without a warrant,” Congressman Lieu said.

Mayer reportedly did not believe that Yahoo would win a legal challenge against the demand to develop the custom program, and chose not to fight it. But Yahoo has previously had some success in fighting to make NSLs public, and became the first tech company to publish NSLs when it released three such letters in June. Apple also had notable success in this area earlier this year, when it fought the FBI’s demand that it create a custom program to help investigators unlock an iPhone.

Yahoo has also recently struggled with cybersecurity, disclosing last month that data from at least 500 million users was stolen by a hacker. The announcement stirred speculation that the breach could cause trouble in Yahoo’s sale to Verizon (Verizon is the parent company of TechCrunch) and Senator Mark Warner has called on the Securities and Exchange Commission to investigate whether Yahoo properly disclosed the breach to its users and its buyer. The delay in disclosing the breach to users and initiating a password reset was reportedly motivated by Mayer’s fear that any mention of a breach would drive users away from Yahoo’s already-faltering email service.

As independent journalist Marcy Wheeler notes, the demand for a search on Yahoo users’ email coincides with an executive order issued by President Obama that categorized cyber attacks by individuals outside the U.S. as a national emergency, and the executive order may have been used as justification for the program.

It’s worth noting that Yahoo and other free email providers scan users’ email for their own business purposes — Gmail, for instance, serves ads to users based on keywords found in their email. Still, allowing all email data to be accessed in real-time by an intelligence agency is a shocking move.