Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information at the request of US intelligence officials, according to a report.
The company complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI, two former employees and a third person who knew about the program told Reuters, reports The Guardian.
Some surveillance experts said this represents the first known case of a US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources.
Reuters was unable to determine what data Yahoo may have handed over, if any, and whether intelligence officials had approached other email providers besides Yahoo with this kind of request.
According to the two former employees, Yahoo CEO Marissa Mayer’s decision to obey the directive troubled some senior executives and led to the June 2015 departure of the chief information security officer, Alex Stamos, who now heads security at Facebook.
“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.
Andrew Crocker, staff attorney with the Electronic Frontier Foundation, said that the use of the word “directive” to describe the program indicated that the request may have been ordered under the section 702 of the 2008 Fisa Amendments Act, which allows the government to target non-US citizens abroad for surveillance.
Revelations by Edward Snowden about the Prism and Upstream programs – of which the Yahoo program looks like a hybrid, Crocker said – show that US citizens were also subject to mass surveillance.
“The fourth amendment and attendant privacy concerns are quite staggering,” Crocker said. “It sounds like they are scanning all emails, even inside the US … the fourth amendment protects that fully. It’s hard to see how the government justifies requiring Yahoo to search emails like that; there is no warrant that could possibly justify scanning all emails.”
Sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. Staff initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, sources said. Due to a programming flaw, he told them, hackers could have accessed the stored emails.
Stamos declined a request by the Guardian for an interview.