Reports from Reuters on Tuesday reveal that Yahoo has been spying on customers' emails on an unprecedented level. According to three former employees, the company built custom software to allow US officials to search customer emails.
According to the employees, the FBI and NSA scanned “hundreds of millions of Yahoo Mail accounts” in a huge invasion of privacy. The compliance was unpopular with some executives, allegedly leading to the 2015 departure of Chief Information Security Officer Alex Stamos.
According to those familiar with the matter, Yahoo CEO Marissa Mayer went behind Stamos’ back to implement the solution. The company’s security team discovered it a week later, and a coding flaw could have left the emails vulnerable to hackers.
A ‘Set of Characters’
What exactly the US government was looking for never became clear to the employees. The department ran queries on a “set of characters”, though exactly what these were remains unclear.
The natural assumption is that the NSA was looking for certain keywords to do with terrorism and other practices. However, the agency is unlikely to comment on the matter, so we’ll probably never find out.
Yahoo’s only response was that it’s “a law-abiding company, and complies with the laws of the United States.” No doubt the company was put under considerable pressure by the government and would risk much by denying the request.
Microsoft, Google, and Twitter Response
Of course, the two biggest email services are Gmail and Outlook. In response to questions, both companies were forthcoming.
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” said a Microsoft spokesperson.
However, the Redmond giant did not reveal if the US Government had ever made such a request. It’s possible that authorities have forbidden mentioning anything.
Google was more outspoken in its denial, stating, “We’ve never received such a request, but if we did, our response would be simple: ‘No way’.”
Twitter proceeded in a similar way, saying “We’ve never received a request like this, and were we to receive it we’d challenge it in a court.”
Encryption – The only Solution?
According to some FISA experts, Yahoo could have fought the request. Companies can challenge both the necessity and the mass nature of such a request.
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” said Patrick Toomey, attorney at the American Civil Liberties Union.
With such widespread practices, end-to-end encryption is beginning to look like the only solution. By obscuring data when it is sent, providers would be unable to see emails and could not turn them over. Of course, this would also cut agencies off from accessing emails in a particular case, which would stop a useful line of inquiry.
Whatever the argument, things aren’t looking good for Yahoo. Just a couple of weeks ago a data breach of 200 million accounts came to light. This new revelation has the potential to alienate users further and encourage them to move to competitors.