Yahoo built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials, according former employees of the company.
The custom software program was secretly built last year to comply with a classified US government directive. The program scanned hundreds of millions of Yahoo Mail accounts, according to revelations first reported by Reuters.
It is not known whether the directive, which was sent to the company’s legal team, came from the National Security Agency or the FBI, according to the two former Yahoo employees. It is also not known what the intelligence officials were seeking, except wanting the company to search for a set of characters, which could mean a phrase in an email or an attachment.
The former employees said Yahoo CEO Marissa Mayer’s decision to follow the directive angered some senior executive and led to the departure of Alex Stamos, the company’s chief information officer.
When Stamos discovered Mayer had authorized the program, he told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them, hackers could have accessed the stored emails.
Yahoo said in a statement issued to Reuters about the intelligence demand that it “is a law abiding company, and complies with the laws of the United States.”
Surveillance experts told Reuters this is the first case to surface of an US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to requests for stored messages or scanning a small number of accounts in real time.
US phone and internet companies are known to have handed over bulk customer data to intelligence agencies.
Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask American phone and internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.
But it wasn’t until the disclosures by NSA whistleblower Edward Snowden and others who exposed the extent of electronic surveillance on the public, and forced the US government to scale back its program to protect privacy rights.
Senator Ron Wyden (D-Oregon), who has led the fight in Congress to address the intelligence community's reliance on secret interpretations of surveillance law, expressed dismay over the Yahoo revelation in an email.
“The FISA court has publically stated that tens of thousands of wholly domestic communications are caught up under 702 collection every year and that the potential number of Americans impacted is even larger than that,” Wyden wrote to Ars Technica. “The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public.”
It is not known if the NSA or FBI approached other internet companies. Last year, Apple became embroiled in a showdown with the FBI over its unwillingness to hack its encrypted software on an iPhone belong to the 2015 San Bernardino mass shooter, in defiance of a court order. The FBI dropped the case when it announced it had paid a third party to hack the phone.
Representative Ted Lieu (D-California)told Ars that this type of forced government request was "flat out unconstitutional."
"The continuing revelation of our law enforcement and these agencies violating the Constitution shows that there is a break down in oversight," he said. "The [Foreign Intelligence Surveillance Court] has shown repeatedly that they do not have the ability to protect the Constitution or the rights of Americans, we need another system ‒ thank God we have freedom of the press."
Yahoo is trying to complete a deal to sell its core business to Verizon for $4.8 billion.
In September, Yahoo said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014 which provoked concerns about its security practices.