TechViews News …..
Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information at the request of US intelligence officials.
The company complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI, two former employees and a third person who knew about the program told Reuters.
Some surveillance experts said this represents the first known case of a US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources.
According to the two former employees, Yahoo CEO Marissa Mayer’s decision to obey the directive troubled some senior executives and led to the June 2015 departure of the chief information security officer, Alex Stamos, who now heads security at Facebook.
“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.
Andrew Crocker, staff attorney with the Electronic Frontier Foundation, said that the use of the word “directive” to describe the program indicated that the request may have been ordered under the section 702 of the 2008 Fisa Amendments Act, which allows the government to target non-US citizens abroad for surveillance.
Revelations by Edward Snowden about the Prism and Upstream programs – of which the Yahoo program looks like a hybrid, Crocker said – show that US citizens were also subject to mass surveillance.
“The fourth amendment and attendant privacy concerns are quite staggering,” Crocker said. “It sounds like they are scanning all emails, even inside the US … the fourth amendment protects that fully. It’s hard to see how the government justifies requiring Yahoo to search emails like that; there is no warrant that could possibly justify scanning all emails.”
Yahoo security initially ‘thought hackers had broken in’
Sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. Staff initially thought hackers had broken in.
The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.
The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company’s legal team, according to the three people familiar with the matter. US phone and internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad directive for real-time web collection or one that required the creation of a new computer program.
Experts said it was likely that the NSA or FBI had approached other internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to discern which agency is seeking the information.
Apple fought a legal case against a similar request by the US government in February after refusing to give access to the phone used by one the attackers in the 2015 San Bernardino massacre.
In a statement, the company said: “We have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.”
Companies are obliged to comply with government requests
Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask US phone and internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.
Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led US authorities to modestly scale back some of the programs, in part to protect privacy rights.
ACLU staff attorney Patrick Toomey said that the demand made on Yahoo was “unprecedented” and potentially unconstitutional. He said it represented “a new surveillance paradigm, one in which computers constantly scan our communications for information of interest to the government”.
“It is deeply disappointing that Yahoo simply chose to comply with this sweeping surveillance order,” Toomey said. “In the post-Snowden world, customers are counting on technology companies to stand up to novel spying demands in court, because customers themselves have no opportunity to challenge these invasions of their privacy.”
Marissa Mayer ‘did not involve the security team’
Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.
Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said. They were also upset that Mayer and Yahoo general counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon for $4.8bn.
Source Credit: http://bit.ly/2dIByiP
Be Safe – Backup Your Data Regularly!
And don’t forget to take advantage of our FREE subscription to the TechViews.org Newsletter. A must-read if you are interested in Internet Security.