In an astounding and "unprecedented" new account of U.S. government surveillance, Reutersreported Tuesday that Yahoo secretly scanned all of its customers' incoming emails for a specific set of characters, per request of the National Security Agency (NSA) or FBI.
"The order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit."
--Patrick Toomey, ACLU
The news agency broke the investigation after speaking with "two former employees and a third person apprised of the events," who described how the email giant complied with the vast government directive and built a custom software program to scan hundreds of millions of accounts for a "specific set of characters."
The classified directive was reportedly sent to the company's legal team last year. "It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters," Reuters reported. "That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified."
Reporter Joseph Menn said that he was "unable to confirm whether the 2015 demand went to other companies, or if any complied." Further, it is not known "what data Yahoo may have handed over, if any.">
Private surveillance experts consulted by the news outlet said they had "never seen" such a such a "broad directive for real-time Web collection or one that required the creation of a new computer program," Reuters reported.
According to the reporting, the decision by Yahoo chief executive Marissa Mayer to comply with the government order inflamed some executives. Menn wrote:
They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
Rights groups were instantly outraged over the report.
Sherif Elsayed-Ali, head of technology and human rights at Amnesty International, minced no words when he declared that, "If true, this news will greatly undermine trust in the internet. For a company to secretly search all incoming email of all its customers in a response to a broad government directive would be a blow to privacy and a serious threat to freedom of expression."
"I wonder how the candidates feel about Yahoo spying on every single customer's emails for NSA/FBI. Will they defend this shameful practice?"
--Edward Snowden
"If true," he continued, "this would demonstrate the failure of U.S. government reforms to curb NSA's tendency to try and indiscriminately vacuum up the world's data. The NSA has clearly not changed its spots."
And Patrick Toomey, a staff attorney with the American Civil Liberties Union (ACLU), said the order issued "appears to be unprecedented and unconstitutional."
"The government appears to have compelled Yahoo to conduct precisely the type of general, suspicion-less search that the Fourth Amendment was intended to prohibit," he said in a press statement.
"It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court," Toomey continued. "If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency."
Outcry was swift on social media:
And Mike Masnick noted at TechDirt that the news "comes out less than a week after the NY Times had a big report on how Mayer de-prioritized security, despite having built up a great team of computer security experts called 'The Paranoids'."
"Mayer apparently downplayed or blocked their efforts," Masnick wrote, "leading many to go elsewhere."
He continued:
Now, there are still a number of open questions about this: chief among them if others, such as Google, Microsoft, Facebook, and Twitter were similarly compelled to create similar software.
[...] It seems clear that Yahoo either didn't think it could win a legal fight over this (certainly a possibility), or that it just didn't want to. At the very least, this seems like yet another example of totally secretive rulemaking by the US government on what surveillance capabilities are legal, without any public review or adversarial process designed to make sure that civil liberties are protected. I know that many of the more paranoid folks out there think that the NSA already had deals with the big companies to scan all content, but they weren't supposed to, and as far as we knew they did not as of a few years ago. But if that changed last year, that's a big, big deal, and much more information needs to become public on this.
"This is a clear sign that people can trust neither their government nor their service providers to respect their privacy," added Elsayed-Ali. "Free speech online, and in society in general, cannot thrive in a world where governments can pry into our private lives at will."