Yahoo allowed U.S. intelligence agencies to search emails sent to its customers via a special program built in secret by company engineers, according to a Reuters report.
The tech giant complied with a secret directive from the U.S. government in 2015 that allowed the National Security Agency and Federal Bureau of Investigation to scan hundreds of millions of users’ incoming emails for a certain string of characters, according to three sources Reuters spoke with.
“It’s shocking, post the Snowden revelations and the reforms that were trumpeted after that, to see this kind of mass [domestic] surveillance,” Alan Butler, senior counsel at the Electronic Privacy Information Center, told CyberScoop.
It is not known what information the company handed over, what character string the government was searching for, or if any other email providers were slapped with similar government directives.
Section 702 of the 2008 FISA Amendments Act — the legal basis for the PRISM internet mass surveillance program revealed by NSA contractor Edward Snowden — gives the director of national intelligence and the attorney general the power, under an annually renewed mandate from the Foreign Intelligence Surveillance Court, or FISC, to issue secret directives to Internet companies to hand over customer data.
In 2011, according to a legal opinion declassified after the Snowden mega-leak, FISC presiding judge John D. Bates found certain aspects of the 702 program “deficient on statutory and constitutional grounds.”
“Bates found that some methods [the government was using] were effectively searching too much domestic email traffic,” said Butler. “The program had to be changed,” so that it was essentially only searching for emails to and from certain addresses.
“Why was this [newly revealed Yahoo collection] allowed and that wasn’t?” asked Butler of the Bates opinion. “Well, the answer is we don’t know if it was allowed because the company never challenged it … Under 702, the court doesn’t get to look at the case unless the company challenges it,” he said.
The Yahoo directive is the first known instance of a company writing special software to search its customers’ data for U.S. intelligence agencies. Under the PRISM program, the NSA combed internet traffic for communications to or from certain individuals, but that traffic was monitored on global internet pipelines or collected for further search.
That program “didn’t co-opt the email providers as an agent of the government” like the Yahoo special search software did, Butler pointed out.
Sen. Ron Wyden, D-Ore., has long campaigned for the reform of section 702, which he has said “has a significant impact on Americans’ privacy.”
“Yahoo is a law-abiding company, and complies with the laws of the United States,” the company said in a statement.
“The FISA court has publicly stated that tens of thousands of wholly domestic communications are caught up under 702 collection every year and that the potential number of Americans impacted is even larger than that,” Wyden told CyberScoop via email.
He said the new Yahoo revelations were especially disturbing because it was unclear what kind of search term was being used. Following the Bates judgment, the exact way search terms are deployed is clearly of constitutional significance, and the government ought to come clean about any changes.
“The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers,” Wyden said. “If that has changed, the executive branch has an obligation to notify the public.”
Section 702 authorities were designed with a sunset and will expire at the end of 2017 unless Congress renews them, pointed out Andrew Crocker, a staff attorney with the Electronic Frontier Foundation.
This means that lawmakers who want to reform 702 don’t have to get a bill to the floor; they just have to wait for the reauthorization to be brought up.
“I hope that these revelations add fuel to the demands for reform,” said Crocker.
According to Reuters, the special search software was approved by Yahoo CEO Marissa Mayer after executives determined the company would lose a legal battle before the FISC. Alex Stamos, Yahoo’s Chief Information Security Officer at the time, was not made aware of the custom search program, and resigned in May 2015.
The company lawyers might have had good reason to conclude they would lose, noted Butler, as they had lost an earlier FISC challenge to internet mass surveillance powers in 2007-8. That case, known as In re: directives, could have drained company coffers, as the government asked for fines of $250,000 per day — doubling every week — for non-compliance with the secret surveillance order.
“The government pushed for crippling fines,” said Butler, adding that was important context to consider when assessing the company’s reaction to the 2015 order.
Nonetheless, Butler said he expected that “this [revelation] will get traction domestically … I think [officials] will struggle to explain why this [directive] doesn’t have exactly the problem that Judge Bates identified in 2011 … too much domestic communication being swept up and searched.”
The email bombshell comes during a delicate time for Yahoo. Last month, it was revealed that user details from more than 500 million Yahoo accounts — including names, birth dates and encrypted passwords — were stolen nearly two years ago. The company has blamed state-sponsored hackers.
Additionally, Verizon is in the process of acquiring Yahoo in a deal worth around $4.8 million.
Verizon declined comment on the Reuters report. The NSA did not immediately respond to a request for comment.
Shaun Waterman contributed to this report.