October 6, 2016
In response to a classified edict from the National Security Agency or the FBI, Yahoo scanned all of its users’ incoming emails for a specific “set of characters,” keeping the scans and the software system it built to do so a secret. Millions of emails were scanned, but neither federal agency nor Yahoo will say if they found what they were looking for. Experts say this is the first case of a U.S. Internet company agreeing to search all arriving emails, rather than stored messages or a small number of email accounts.
Based on information from inside sources, Reuters broke the story, noting that Yahoo chief information security officer Alex Stamos’ June 2015 departure from the company was due to chief executive Marissa Mayer’s decision to obey the federal demand. In its defense, Yahoo says it “is a law abiding company, and complies with the laws of the United States.”
Security experts say the call for the “real-time Web collection or one that required the creation of a new computer program” is unprecedented. Attorney Albert Gidari, who represented Internet and phone companies on surveillance issues for 20 years, notes that he’s never seen “a wiretap in real time” focused on a search term to find specific information. “It would be really difficult for a provider to do that,” he said.
The Wall Street Journal reports that, “Google, Microsoft, Twitter and Facebook denied scanning incoming user emails,” and that “Twitter, Apple and Facebook said they hadn’t received requests” and would oppose them. A Google spokesman said the company has “never received such a request, but if we did, our response would be simple: No way.” Microsoft wouldn’t comment on whether it had received a request, but affirmed it has “never engaged in the secret scanning of email traffic.”
Criticism from government officials and privacy advocates has been swift. Senator Ron Wyden, a member of the Senate Intelligence Committee, notes that, “the NSA has said that it only targets individuals … by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public.”
Foreign Intelligence Surveillance Court (FISA) experts believe that Yahoo could have pushed back against the demand based on “the breadth of the directive and the necessity of writing a special program to search all customers’ emails in transit.”
The New York Times notes that the Feds asked Open Whisper Systems, whose encryption app Signal is widely used, for information about “two telephone numbers, including Web browsing histories and data stored in the tracking ‘cookies’ of the Web browsers attached to those accounts.” But Signal is popular because “it does not collect most of that information,” and uses an end-to-end- encryption that keeps the service from “gaining access to the contents of its users’ messages.”
Lawyers are arguing that the “request fell well outside the bounds of what is typically covered by a subpoena” and they are also fighting the associated gag order.