In 2015, Yahoo allegedly developed a system that enables it to search all of its Yahoo Mail user accounts for information requested by the U.S. government, according to a Reuters report published on Oct. 4.
Yahoo has responded to media outlets requesting comment on the allegation with a terse one line comment: “Yahoo is a law-abiding company and complies with the laws of the United States.”
According to the report, Alex Stamos, Yahoo’s former chief information security officer, left the job in June 2015 as a result of the company’s compliance with the alleged U.S. government directive to enable email searches. Stamos had joined Yahoo in March 2014 and notably directly challenged National Security Agency Director Admiral Mike Rogers at a February 2015 event about security backdoors for U.S. intelligence agencies in consumer software and services.
When Stamos officially left Yahoo in June 2015 to join Facebook as the company’s chief security officer, eWEEK reported on the move, which at the time appeared to be just about having a greater impact.
“There is no company in the world that is better positioned [than Facebook] to tackle the challenges faced not only by today’s internet users but for the remaining two-thirds of humanity we have yet to connect,” Stamos wrote at the time.
There was no public indication in June 2015 that Stamos was in some way displeased with Yahoo’s security or management. Also of note during Stamos’ tenure at Yahoo is the recently confirmed data breach of 500 million Yahoo user accounts, which occurred in 2014.
The new revelation that Yahoo had its own system to help government requests for email scanning is somewhat different than past disclosures about U.S. government surveillance of Yahoo users. In October 2013, as part of the cache of documents leaked by NSA whistleblower Edward Snowden, were details on the Muscular program, an effort to intercept traffic from both Yahoo and Google. What happened in 2015, according to Reuters, is that a classified edict was sent to Yahoo’s legal team for Yahoo Mail account scanning.
“Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional,” Patrick Toomey, a staff attorney with the American Civil Liberties Union (ACLU), said in a statement. “The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit.”
The Electronic Frontier Foundation (EFF) sees some similarities between the alleged Yahoo Mail surveillance effort and one with AT&T.
“Mass surveillance of Yahoo’s emails is unconstitutional for the same reasons that it’s unconstitutional for the government to copy and search through vast amounts of communications passing through AT&T’s network as part of Upstream,” the EFF wrote in a blog post.
While Yahoo allegedly complied with a request to help U.S. intelligence agencies, other firms have had different reactions to government requests. On Oct. 4, The ACLU released documents related to a secret government subpoena for information on customer information from encrypted communication provider Open Whisper Systems. The U.S. Justice Department sent the subpoena to Open Whisper seeking information on two phone numbers. Additionally, the government placed a gag order on the request, restricting Open Whisper from revealing that it had ever been the subject of a government information request. The ACLU on behalf of Open Whisper argued against the gag order, with the government agreeing to lift the order on Oct. 4.
“This case shows that the government is hiding its requests for Americans’ records using extreme secrecy, even where it is plainly unwarranted,” Brett Max Kaufman, a staff attorney with the ACLU, said in a statement. “The First Amendment protects companies like Signal who want to communicate basic information about government requests for customer data.”
The contrast between Yahoo and Open Whisper is noteworthy as both received some form of request from the government, but they reacted in different ways. While Open Whisper complied with the government request, it did seek to be transparent with its users. The full scope and official confirmation of the Yahoo email scanning operation has yet to be publicly disclosed, and no doubt, further revelations and details will emerge in the weeks and months ahead. What is clear, though, is that further damage has likely been done to the already tarnished security reputation of Yahoo. In contrast, a small upstart like Open Whisper is growing its solid security reputation.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.