The company reportedly searched all users’ incoming emails on behalf of the NSA or FBI. USA TODAY
SAN FRANCISCO — There are some firsts that don’t give you bragging rights — and in Yahoo’s case, that’s particularly true if the claim involves customer emails.
A Reuters report Tuesday that Yahoo secretly agreed to search all its users’ incoming emails for a specific but unknown word or phrase on behalf of either the National Security Agency or the FBI set off shockwaves in the tech sector, particularly on the heels of Yahoo’s disclosure last month that information had been stolen on 500 million customer accounts.
Yahoo didn’t confirm or deny the report, but also said it didn’t break any law. Big consumer tech companies including Google and Microsoft noted they haven’t done anything like the allegations claimed by the Reuters report, which cited unnamed ex-Yahoo employees.
If the charges are true, it would be the first case of a U.S.-based Internet company searching all incoming messages rather than scanning stored messages or focusing on a small number of accounts. It would raise serious questions about Yahoo’s management led by Marissa Mayer, already heavily criticized for a failure to jumpstart Yahoo’s user base and revenue, and could threaten Yahoo’s pending sale to Verizon.
For some lawmakers and digital privacy advocates, it also raises questions about how far the U.S. government is pushing tech companies to gain access to their increasingly deep digital data troves — without the consumers’ knowledge — as tech executives seek to distance themselves from the damning revelations about the NSA’s consumer data spying after the Edward Snowden leaks.
If the assertions are true, “it’s really staggering in its breadth and seems to go beyond the NSA programs we have known about for awhile,” said Andrew Crocker, a staff attorney with the Electronic Freedom Foundation, a cyber rights group based in San Francisco.
“It’s hard to even anticipate what kind of arguments the government could make for the constitutionality or legality of this program,” Crocker said.
The scanning involved hundreds of millions of Yahoo email accounts, former Yahoo employees told Reuters. Persons who were familiar with the matter, Reuters reported, did not know what, specifically, the agencies were searching for beyond that it was a specific set of characters.
Asked to comment, Yahoo told USA TODAY via email, “Yahoo is a law abiding company, and complies with the laws of the United States.”
In a statement, Microsoft said it had never engaged in the secret scanning of email traffic as Yahoo as reported to have done.
Google said it had not been asked to do anything similar but was unequivocal about what its response would have been. “We’ve never received such a request, but if we did, our response would be simple: ‘no way’,” the company said via email.
Others had a similar refrain. Facebook said it has never received a request like the one described in the news reports from any government, and if it had, would have fought it. Twitter said: “We’ve never received a request like this, and were we to receive it we’d challenge it in a court.”
Apple, which fought a highly publicized iPhone privacy battle with the FBI earlier this year, said: “We have never received a request of this type. If we were to receive one, we would oppose it in court.”
Verizon, owner of AOL, declined comment on the developments.
“I would be surprised if other large email providers were not also targeted,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, a Washington D.C.-based non-profit.
Congressional debate likely
The disclosure about Yahoo is certain to spark a debate in the next Congress over the sweeping surveillance powers that allow U.S. intelligence agencies to read the content of Americans’ emails, cellphone conversations and other electronic communication.
That power, which comes from Section 702 of the 2008 Foreign Intelligence Surveillance Amendments Act, was supposed to be aimed at foreign nationals living outside the United States but has ended up being used to collect massive amounts of personal communication from Americans, privacy advocates say.
That data, which can also include photos, texts and instant messages, can be gathered by U.S. intelligence agencies without a warrant as long as it crosses the U.S. border electronically at some point. Given the fluid nature of electronic communications and data storage, that happens all the time, critics in Congress say.
Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee, said U.S. intelligence agencies most likely invoked Section 702 at Yahoo.
“It is public record that this expansive surveillance program is the basis for warrantless searches of Americans’ emails, and that the government has never even counted how many,” Wyden said Tuesday in a statement. “
The government’s surveillance powers under Section 702 are scheduled to expire at the end of 2017.
Security hawks in Congress and the Obama administration say the power must not be allowed to lapse at a time when terrorists threats from the Islamic State and “lone wolf” attackers are on the rise.
Asked about the report at a Tuesday media briefing, White House Press Secretary Josh Earnest said he wasn’t aware of it and “even if I were aware of it I would not be able to comment on it.”
Yahoo in the hot seat
According to the Reuters story, the decision to do the search led to the departure of the company’s chief Information security officer Alex Stamos in June of 2015 after 16 months in the position. Stamos went on to become the chief security officer at Facebook that same month.
In a post on Facebook announcing his move, Stamos said, “the Internet has been an incredible force for connecting the world and giving individuals access to personal, educational and economic opportunities that are unprecedented in human history. These benefits are not without risk, and it is the responsibility of our industry to build the safest, most trustworthy products possible.”
Yahoo in the final months of a sales process that Mayer and the board initially were cool to. A months-long auction concluded in July with Verizon emerging as the winning bidder, paying $ 4.8 billion for Yahoo’s operating business, including its advertising technology and popular online content such as Yahoo Sports, Yahoo Finance and micro-blogging site Tumblr.
But the merging process has been slowed by the revelation two weeks ago that the Net media company was the victim of one of the largest data breaches ever. At least 500 million Yahoo accounts were stolen from the company in 2014 in what it thought was a hack by a state-sponsored actor, Yahoo said. Data acquired may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers.
As Verizon learns more about the breach and this NSA issue, it could sour the deal.
“This deepens concerns about consumer trust in the Yahoo brand — two massive breaches of trust back-to-back would cause stir in the inner circle of any acquisition team,” said Carson Sweet, chief technology officer and co-founder of CloudPassage, a San Francisco cloud cybersecurity firm. “Verizon has to decide how important the trust and goodwill of Yahoo’s users is to the deal. If that’s a primary value component, it probably spells more bad news for the deal.”
Verizon declined comment on the developments.
An unsuccessful outcome in the sale to Verizon could further darken the legacy of CEO Mayer, the former Google exec tapped to turnaround Yahoo more than four years ago. Google and Facebook have cut into Yahoo’s digital advertising business and the sale to Verizon offered a way to get shareholders some value from that core business, while also unlocking Yahoo’s 15% stake in Alibaba, which is worth about $ 40 billion.
Contributing: Erin Kelly and Gregory Korte in Washington D.C.
Read or Share this story: http://usat.ly/2dYND6I