The Surveillance Continues: Yahoo Scans Hundreds of Millions of User Emails

It shouldn’t come as a surprise, yet every new revelation about the United States government’s sweeping surveillance of citizens still creates a stir.

On October 4, Reuters broke news that Yahoo was surveilling the email of hundreds of millions of users – on request of the NSA. As if this wasn’t bad enough, it was reported they “secretly built a custom software program” that would search “all customers’ incoming emails” for specific information provided to them by the United States Federal Bureau of Investigation (FBI). The demand for this information was, of course, classified.

Because it was classified, there are limited details on what type of information the FBI was looking for. As Reuters reported, Yahoo was asked to search for a “set of characters” which could be “a phrase in an email or attachment.” The New York Times additionally reported that the information being sought was in connection to a foreign group using Yahoo to communicate, “requiring it [Yahoo] to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization.”

This situation is extremely alarming in general, but what makes it even worse is that experts are reporting it may represent the first time ever that a company scanned all of its customer’s arriving emails in real time. Prior cases of email scanning and surveillance were applied to stored emails, or, if the scanning occurred in real-time, it was only applied to a small subset of users. To scan the emails Yahoo “customized an existing scanning system for all incoming email traffic, which also looks for malware.” Motherboard reported the system was actually found by Yahoo’s internal security team, who thought it was malware put in place by hackers. The tool was apparently poorly installed, and may have put customer emails at risk of being viewed by hackers.

Unsurprisingly, people are up in arms over this revelation – just the latest in a long line of NSA surveillance efforts that occurred without transparency and violated the privacy of countless people. Yahoo’s response was brief: “Yahoo is a law abiding company, and complies with the laws of the United States.” Representatives from both Microsoft and Google said they hadn’t received similar requests, but if they had they wouldn’t have complied.

So how did this happen? How could such widespread and active surveillance take place in secret? The answer, many sources report, is likely FISA – the Foreign Intelligence Surveillance Act. FISA went into effect in 1978, and outlines the procedures for authorizing and conducting surveillance (physical and electronic) to collect “foreign intelligence information.” FISA was likely used to make this request, in the form of a secret court order issued by the Foreign Intelligence Surveillance Court. It also could have come from the FISA 702 amendments, which were used to justify other NSA surveillance programs like prism. However, this type of widespread scanning is a departure from how FISA generally operates, which it much more targeted and specific. The Guardian also suggests the FBI may have been responsible for implementing the order.

In response to the revelations about Yahoo’s spying, as well as their massive hack in 2014, Verizon, who agreed to purchase Yahoo, is now looking for a discount. Verizon is seeking a $1 billion (USD) discount on their purchase of Yahoo leaving some, including Edward Snowden, commenting that the “cost” of spying on your users is 1 billion dollars.

Golden Frog’s Stance

Golden Frog was founded in response to NSA surveillance on AT&T’s network via Room 241A, so we are both alarmed and frustrated by the continued reports of invasive surveillance practices. We’ve expressed strong concern over the NSA’s partnerships with telcos to spy on emails sent over their networks. We’ve fought for reform on legislation including the Patriot Act and its controversial section 215, the USA Freedom Act and the FISA 702 amendments. We believe US intelligence agencies have operated without oversight for far too long, and this warrantless surveillance and information collection must end.

While it’s important to investigate criminal activity, this should never come at the expense of privacy for United States citizens and others around the world. The Yahoo situation once again illustrates the sweeping and unchecked powers granted by current legislation, and the scope of surveillance taking place. Everyone has a right to privacy, and it’s essential we push for reform to ensure due process is followed and privacy protections are in place when investigations occur.

“The Yahoo situation again illustrates the importance of selecting trustworthy third-party providers,” said Sunday Yokubaitis, President of Golden Frog. “While it may be difficult (or impossible) to know when a company like Yahoo receives a court order, you can select your providers wisely and look for a past precedent or strong stance on privacy. ‘Does the company use encryption? Do they have a history of respecting user privacy? What does their privacy policy say?’ – these are all very important questions to ask. It’s also essential to consider the technology in place; even if a company claims to protect your privacy, if they don’t implement strong encryption it’s pretty much impossible for them to do so.” 

For example, Apple recently set a strong precedent in respecting user privacy when they refused to break the end-to-end encryption on their iPhones. Yahoo actually fought a FISA demand in 2007 but also suffered a massive hack in 2014, making their security less clear. It should also be noted that the underlying technology implemented by Yahoo previously existed for a different purpose (malware and other scanning), illustrating an important point — if technology exists, so does the opportunity for abuse or misuse. This argument was made in the recent Apple v. FBI case, when we joined others in arguing that if we create technology to break encryption (a backdoor), the powers granted by this technology might be misused or abused down the road.

At Golden Frog, we continue the fight for online privacy by seeking legislation reforms and transparency into information collection. View the news resources below to learn more about the Yahoo case, and read our positions on related legislation and our Vision paper.

Also feel free to share your thoughts in the comments below. Verizon says the cost of spying is 1 billion dollars – but what is your privacy worth to you? 

Resources

All information in the top section of this article comes from the following sources.

• Reuters: This is the initial report on the topic, and provides a good overview of situation.
• New York Times: This offers additional details on technology and system Yahoo used to scan emails.
• Guardian: This provides insight into the FISA legislation, as well as historical information on surveillance laws and requests.
• The Intercept: This provides information on how the surveillance program could have given hackers access to email.
• Motherboard: This provides information into how the internal security team found the tool, and what they thought of it.