This article is from the source 'guardian' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at https://www.theguardian.com/technology/2016/oct/04/yahoo-secret-email-program-nsa-fbi
The article has changed 9 times. There is an RSS feed of changes available.
| Version 1 | Version 2 |
|---|---|
| Yahoo secretly monitored emails on behalf of the US government – report | Yahoo secretly monitored emails on behalf of the US government – report |
| (35 minutes later) | |
| Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials, sources have told Reuters. | Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials, sources have told Reuters. |
| The company complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI, said two former employees and a third person who knew about the programme. | The company complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI, said two former employees and a third person who knew about the programme. |
| Some surveillance experts said this represents the first known case of a US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time. | Some surveillance experts said this represents the first known case of a US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time. |
| It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified. | It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified. |
| Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request. | Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request. |
| According to the two former employees, Yahoo CEO Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of chief information security officer Alex Stamos, who now holds the top security job at Facebook. | According to the two former employees, Yahoo CEO Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of chief information security officer Alex Stamos, who now holds the top security job at Facebook. |
| “Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment. | “Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment. |
| Andrew Crocker, staff attorney with the Electronic Frontier Foundation, said that the language used to describe the program gives some indication which law the government was operating under. Crocker describes certain “tells” in the language used – especially the word “directive” – which point to section 702 of the 2008 FISA Amendments Actwhich allows the government to target non-US citizens abroad for surveillance. | |
| Revelations by Edward Snowden about the Prism and Upstream programs – of which the Yahoo program looks like a hybrid, Crocker said – show that US citizens were also subject to mass surveillance. | |
| “The Fourth Amendment and attendant privacy concerns are quite staggering,” Crocker said. “It sounds like they are scanning all emails, even inside the US ... the Fourth Amendment protects that fully. It’s hard to see how the government justifies requiring Yahoo to search emails like that; there is no warrant that could possibly justify scanning all emails.” | |
| Yahoo security initially ‘thought hackers had broken in’ | Yahoo security initially ‘thought hackers had broken in’ |
| Sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in. | Sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in. |
| When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails. | When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails. |
| Through a Facebook spokesman, Stamos declined a request for an interview. | Through a Facebook spokesman, Stamos declined a request for an interview. |
| Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. | Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. |
| The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment. | The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment. |
| The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company’s legal team, according to the three people familiar with the matter. US phone and internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they have not previously seen either such a broad directive for real-time web collection or one that required the creation of a new computer program. | The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company’s legal team, according to the three people familiar with the matter. US phone and internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they have not previously seen either such a broad directive for real-time web collection or one that required the creation of a new computer program. |
| “I’ve never seen that, a wiretap in real time on a ‘selector’,” said Albert Gidari, a lawyer who represented phone and internet companies on surveillance issues for 20 years before moving to Stanford University in 2016. A selector refers to a type of search term used to zero in on specific information. “It would be really difficult for a provider to do that,” he added. | “I’ve never seen that, a wiretap in real time on a ‘selector’,” said Albert Gidari, a lawyer who represented phone and internet companies on surveillance issues for 20 years before moving to Stanford University in 2016. A selector refers to a type of search term used to zero in on specific information. “It would be really difficult for a provider to do that,” he added. |
| Experts said it was likely that the NSA or FBI had approached other internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information. | Experts said it was likely that the NSA or FBI had approached other internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information. |
| Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied. Alphabet’s Google and Microsoft, two major US email service providers, did not respond to requests for comment. | Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied. Alphabet’s Google and Microsoft, two major US email service providers, did not respond to requests for comment. |
| Companies are obliged to comply with government requests | Companies are obliged to comply with government requests |
| Under laws including the 2008 amendments to the foreign intelligence surveillance act, intelligence agencies can ask US phone and internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks. | Under laws including the 2008 amendments to the foreign intelligence surveillance act, intelligence agencies can ask US phone and internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks. |
| Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led US authorities to modestly scale back some of the programs, in part to protect privacy rights. | Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led US authorities to modestly scale back some of the programs, in part to protect privacy rights. |
| Technology companies – including Yahoo – have challenged some classified surveillance before the Foreign Intelligence Surveillance Court (FISA), a secret tribunal. | Technology companies – including Yahoo – have challenged some classified surveillance before the Foreign Intelligence Surveillance Court (FISA), a secret tribunal. |
| Some FISA experts said Yahoo could have tried to fight last year’s directive on at least two grounds: the breadth of the demand and the necessity of writing a special program to search all customers’ emails in transit. | Some FISA experts said Yahoo could have tried to fight last year’s directive on at least two grounds: the breadth of the demand and the necessity of writing a special program to search all customers’ emails in transit. |
| Apple made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set. | Apple made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set. |
| Other FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to web companies’ mail. | Other FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to web companies’ mail. |
| As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies. | As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies. |
| Former NSA general counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies”. | Former NSA general counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies”. |
| Marissa Mayer ‘did not involve the security team’ | Marissa Mayer ‘did not involve the security team’ |
| Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter. | Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter. |
| Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful. | Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful. |
| Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said. They were also upset that Mayer and Yahoo general counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources. | Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said. They were also upset that Mayer and Yahoo general counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources. |
| In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. | In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. |
| The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon for $4.8bn. | The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon for $4.8bn. |