This article is from the source 'nytimes'.

You can find the current article at its original source at http://www.nytimes.com/2016/10/06/technology/yahoo-email-tech-companies-government-investigations.html

The article has changed 5 times.

Version 1 Version 2
Yahoo Was Ordered to Search Email for Digital ‘Signature,’ Source Says Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter
(about 4 hours later)
Yahoo was ordered last year to search incoming emails for the digital “signature” of a communications method used by a state-sponsored, foreign terrorist organization, according to a government official familiar with the matter. A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, a government official familiar with the matter said on Wednesday.
The Justice Department obtained the order from a judge of the Foreign Intelligence Surveillance Court. The Justice Department obtained the order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.
To comply, Yahoo used a modified version of its existing systems that were scanning all incoming email traffic for spam, malware and images of child pornography. The system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. To comply, Yahoo piggybacked on an existing scanning system for all incoming email traffic, which also looks for malware. With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, said the official, who spoke on the condition of anonymity.
Yahoo was forbidden from disclosing the order and the collection is no longer taking place, the official said Wednesday. The order was unusual because it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.
The news story has opened a new chapter in a public debate over trade-offs between security needs and privacy rights that has cast a spotlight on the sometimes cooperative, sometime antagonistic relationship between Silicon Valley companies and the United States government. News of the order has opened a new chapter in a public debate over the trade-offs between security needs and privacy rights that has cast a spotlight on the sometimes cooperative, sometimes antagonistic relationship between Silicon Valley companies and the United States government.
It comes six months after a standoff between the F.B.I. and Apple, in which the government obtained a court order to force the company to engineer a special system to help it unlock an encrypted iPhone from one of the attackers in the December mass shooting in San Bernardino, Calif. The F.B.I. gave up the fight with Apple after it found a way into the iPhone without the company’s help. It comes six months after a standoff between the F.B.I. and Apple, in which the government obtained a federal magistrate's order to force the company to help it unlock an encrypted iPhone from one of the attackers in the December mass shooting in San Bernardino, Calif. The F.B.I. gave up the fight with Apple after it found a way into the iPhone without the company’s help.
By contrast, Yahoo cooperated with the court order to use its scanning systems to hunt for the digital signature, although the technical burden on the company appears to have been significantly less than what the F.B.I. had wanted Apple to do. By contrast, Yahoo cooperated with the Foreign Intelligence Surveillance Court order, although the technical burden on the company appears to have been significantly lighter than the one the F.B.I. placed on Apple.
Although the digital signature was individually approved by a judge, who was persuaded that there was probable cause to believe that it was uniquely used by a foreign power, the collection was unusual because it involved the systematic scanning of all Yahoo users’ emails. More typical surveillance court orders instead target specific user accounts. Details of Yahoo’s cooperation with the court order come two weeks after the company reported that hackers had broken into its computer network, stealing the credentials of 500 million users. Yahoo engineers discovered the breach this summer, two years after it had occurred, and just weeks after Verizon Communications announced plans to acquire the troubled internet company for $4.8 billion.
The description by the official, who spoke on condition of anonymity, of the unusual surveillance operation carried out at Yahoo shed significant new light on the basis for a report on Tuesday by Reuters that has attracted widespread attention and provoked outrage among privacy and technology specialists. The digital signature Yahoo was ordered to look for last year was individually approved by a judge, who was persuaded that there was probable cause to believe that it was uniquely used by a foreign power.
Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the official said.
The official’s description of the unusual surveillance operation carried out at Yahoo shed significant new light on a report by Reuters that has attracted widespread attention and provoked outrage among privacy and technology specialists.
The Reuters article reported that in response to a “broad demand” from the government, Yahoo had “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials.” The Reuters article reported that in response to a “broad demand” from the government, Yahoo had “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials.”
In fact, according to the government official and other people familiar with the matter, Yahoo was served with an individualized court order to look only for code uniquely used by the foreign terrorist organization, and it adapted the scanning systems that it already had in place to comply with that order rather than building a new capability. In fact, according to the government official and other people familiar with the matter, Yahoo was served with an individualized court order to look only for code uniquely used by the foreign terrorist organization, and it adapted the scanning systems that it already had in place to comply with that order rather than building a new capability. The official did not name the terrorist organization.
Asked on Wednesday about the information obtained by The New York Times about the order, Suzanne Philion, a Yahoo spokeswoman, said the company had nothing further to add. Earlier in the day, the company said in a statement that the Reuters article was “misleading.” Asked on Wednesday about the information obtained by The New York Times, Suzanne Philion, a Yahoo spokeswoman, said the company had nothing further to say. Earlier in the day, the company said in a statement that the Reuters article was “misleading.”
“We narrowly interpret every government request for user data to minimize disclosure,” the Yahoo statement said. “The mail scanning described in the article does not exist on our systems.” “We narrowly interpret every government request for user data to minimize disclosure,” the Yahoo statement said. “The mail scanning described in the article does not exist on our systems.”
Technology companies like Yahoo, Google and Microsoft are required by law to report any child pornography they pick up in their email traffic and digital uploads to the National Center for Missing and Exploited Children. They similarly search traffic for malware and spam, which companies disclose in their terms of service. Richard Kolko, a spokesman for the Office of the Director of National Intelligence, declined in a statement to discuss specific foreign intelligence collection techniques, but made reference to the Foreign Intelligence Surveillance Act, or FISA.
The use of that technology to carry out an order from the Foreign Intelligence Surveillance Court to search for a digital signature used by a foreign power is rare. Several other companies said they had not encountered such an order, and the official familiar with the Yahoo matter portrayed it as innovative. “Under FISA, activity is narrowly focused on specific foreign intelligence targets and does not involve bulk collection or use generic key words or phrases,” he said. “The United States only uses signals intelligence for national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people.”
Technology companies like Yahoo, Google and Microsoft scan for child pornography and are required to report any discoveries to the National Center for Missing and Exploited Children. They similarly search traffic for malware and spam, which companies disclose in their terms of service.
There is no engineering limitation preventing technology companies from using their spam and child pornography filtering systems to search email traffic for other sorts of digital signatures, said Hany Farid, chairman of the computer science department at Dartmouth College, who helped develop the child pornography scanning system with Microsoft.
But the use of that technology to carry out an order from the Foreign Intelligence Surveillance Court to search for a digital signature used by a foreign power is rare, and the official familiar with it portrayed it as innovative.
“This is another example of how the government is pushing secretly novel or innovative interpretations of surveillance law” to conduct wiretapping in broader ways than the public realizes, said Jennifer Granick, the director of civil liberties at the Stanford Law School Center for Internet and Society.
The government has not released any intelligence court opinion explaining how the judge interpreted FISA to authorize such surveillance. Although Congress in June 2015 enacted a law that required the government to make public novel and significant rulings by the court, the order to Yahoo appears to have predated that legislation, the USA Freedom Act, by several months.
Yahoo has an inconsistent record with meeting government data demands. In 2007, the Sunnyvale, Calif., company settled a lawsuit related to allegations that it helped the Chinese government crack down on journalists by passing along their Yahoo emails.
But that same year, the firm fought a legal battle, then secret, before the Foreign Intelligence Surveillance Court, challenging a mandate that it turn over, without a warrant, emails from user accounts the F.B.I. and the National Security Agency said belonged to noncitizens abroad who had been targeted for surveillance.
That litigation became an important test of whether Congress could legalize the Bush administration’s warrantless surveillance program through the Protect America Act and, later, the FISA Amendments Act. Ultimately, the intelligence court ruled against Yahoo, and after being threatened with a huge fine, the company cooperated.
Yahoo was not able to clarify details of the Reuters article on Tuesday because orders from the Foreign Intelligence Surveillance Court are secret by law, and an increasing number of other government requests come with gag orders that prohibit tech companies from even acknowledging they exist.
Tech companies complain that such gag orders make it impossible for them to explain to customers what sort of data they do and do not turn over. Twitter and Microsoft have separately sued the Justice Department over the gag order practice, and both cases are pending.
Dozens of other companies have filed briefs in support of Microsoft’s case. In its brief, Apple said it had received about 590 gag orders, of unlimited or indefinite durations, in the first eight months of 2016 alone.