Yahoo Secretly Scanned Emails For US Intelligence

Uploaded on 2016-10-06 in NEWS-Cybersecurity News, INTELLIGENCE--USA, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Last year  Yahoo secretly built a custom software program to search all of its customers' incoming emails for specific information provided by US intelligence officials, according to people familiar with the matter.

The company complied with a classified US government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a US Internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

"Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment. Through a Facebook spokesman, Stamos declined a request for an interview. The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company's legal team, according to the three people familiar with the matter.

US phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time Web collection or one that required the creation of a new computer program.

"I've never seen that, a wiretap in real time on a 'selector,'" said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information. "It would be really difficult for a provider to do that," he added.

Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask US phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.

Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led US authorities to modestly scale back some of the programs, in part to protect privacy rights.

Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal. Some FISA experts said Yahoo could have tried to fight last year's demand on at least two grounds: the breadth of the directive and the necessity of writing a special program to search all customers' emails in transit.

Apple made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.

Some FISA (Foreign Intelligence Surveillance Act) experts defended Yahoo's decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called "upstream" bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies' mail.

As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.

Reuters
 

« Something To Hide? Apple Will Share Your iMessages With The Police
Secret Arrest Of A National Security Agency Contractor »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Encode

Encode

Encode delivers a cutting edge Security Analytics & Response Orchestration platform and best of breed Cyber Security Operations and Services.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Cyber 2.0

Cyber 2.0

Cyber 2.0 is the only system in the world that blocks all forms of cyber attack within the organization, including new and unfamiliar attack methods.

Enosys Solutions

Enosys Solutions

Enosys Solutions is an IT security specialist with a skilled professional services team and 24x7 security operations centre servicing corporate and public sector organisations across Australia.

Cyverse

Cyverse

Cyverse is a cyber-security firm which provides corporations with state-of-the-art cyber-security service-based and technological solutions made in Israel.

Netsecurity AS

Netsecurity AS

Netsecurity is a Norwegian owned company focused and specialised within IT security and cybersecurity-as-a service.

Experis

Experis

Experis provide IT resourcing, project solutions and managed services. We enable organizations to cultivate individuals and teams prepared for the digital age.

Client Solution Architects (CSA)

Client Solution Architects (CSA)

Client Solution Architects (CSA) is a leading digital transformation consulting firm focused on the U.S. Defense Department and all U.S. Federal enterprise information technology service areas.

CYSIAM

CYSIAM

CYSIAM provides world-leading expertise in offensive security and critical incident response. We train our clients to be able to protect themselves and respond to attacks and breaches when they occur.

Gatefy

Gatefy

Getfy is a cybersecurity company specialized in artificial intelligence and machine learning. We work to solve challenging issues, especially those involving email security.

Otava

Otava

Otava is a global leader of secure, compliant hybrid cloud and IT solutions for service providers, channel partners and enterprise clients.

BetterWorld Technology

BetterWorld Technology

BetterWorld Technology provides cloud solutions, managed services, SaaS, cybersecurity and virtual CIO, all customized to meet your needs.

RIoT Secure

RIoT Secure

RIoT Secure AB is a technology enabler within the IoT industry - created with a vision to ensure security technology exists in the foundations of software development for IoT solutions.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.

Pontiro

Pontiro

At Pontiro, we are enabling a new era of data-sharing. Bridging the gap between protected data and valuable insights through the use of cutting edge Homomorphic Encryption.

AI EdgeLabs

AI EdgeLabs

AI EdgeLabs is a powerful and autonomous cybersecurity AI platform that helps security teams respond immediately to ongoing attacks and protect Edge/IoT infrastructures.