Yahoo Secretly Scanned Millions of Customer Emails for U.S. Authorities [Updated]
Yahoo secretly built a custom software program to search all of its customers' incoming emails for specific information at the behest of U.S. intelligence authorities, according to people familiar with the matter.
Reuters spoke to three former Yahoo employees who revealed the existence of the custom code, apparently written in compliance with a classified U.S. government demand. The program scanned hundreds of millions of Yahoo Mail accounts for the NSA or FBI, said the former employees and a fourth person with knowledge of the events.
Surveillance experts say the revelation represents the first case to surface of a U.S. internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
According to two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive did not sit well with some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos. Stamos now holds the top security job at Facebook, which incidentally just completed the rollout of end-to-end encrypted privacy features for its hugely popular Messenger app.
"Yahoo is a law abiding company, and complies with the laws of the United States," the company told Reuters in response to the claims, but stopped short of denying them. It declined any further comment. The NSA referred questions to the Office of the Director of National Intelligence, which also declined to comment.
According to Andrew Crocker, an attorney with the Electronic Frontier Foundation, it's likely the request invoked Section 702 of the Foreign Intelligence Surveillance Act, which permits the bulk collection of communications for the purpose of targeting a foreign individual. But rather than having a non-U.S. target, every single person with a Yahoo email inbox was placed under surveillance, regardless of citizenship.
Speaking to The Intercept, Crocker said the Yahoo program seems "in some ways more problematic and broader" than previously revealed NSA bulk surveillance programs like PRISM or Upstream collection efforts. "It's hard to think of an interpretation that doesn't mean Yahoo isn't being asked to scan all domestic communications without a warrant or probable cause. The Fourth Amendment implications of that are pretty staggering."
It's unclear what data Yahoo may have handed over to the authorities, if any, and whether intelligence officials had approached other email providers besides Yahoo with the same kind of request.
Contacted by The Intercept, an Apple spokesperson said: "We have never received a request of this type, and if we were to receive one, we would oppose it in court." The spokesperson also pointed to a section from a recent public letter by CEO Tim Cook, which he said was still accurate:
Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.
Facebook, Google, and Microsoft separately said on Tuesday that they had not conducted such email searches. "We've never received such a request, but if we did, our response would be simple: 'No way,'" a spokesman for Google said in a statement. Twitter also said it has never received such a request.
In related news last month, Yahoo revealed that "state-sponsored" hackers had gained access to 500 million customer accounts in 2014. The revelations come at a sensitive time for the company as it tries to complete a deal to sell its core business to Verizon for $4.8 billion.
Update: Yahoo has disputed parts of the Reuters report, saying that "the article is misleading" and that the email scanning outlined in the report "does not exist on our systems."
“The article is misleading,” Yahoo said in a statement. “We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”