Yahoo secretly spied on customer emails at the behest of US government agencies
via Flickr © magnus hoij (CC BY 2.0)
- Another scandal envelops the reeling company
- It rolled over and acceded to NSA demands without question or cavil
- Wrote secret scanning software and spied real-time on all emails in transit
- Didn't involve Yahoo's own security team. Chief Information Security Officer resigned in protest
A few days ago Yahoo was finally forced to admit that it had concealed a massive "state-sponsored" cyber attack on its network that took place way back in 2014. The battered, tattered and increasingly desperate company confirmed that the attackers gained access to more than 500 million Yahoo customer accounts and took possession of subscriber names, passwords, email addresses, phone numbers and security questions.
Yahoo's sneaky determination to keep the breach secret from the markets, its shareholders, its customers and the media, compounded by its extreme reluctance to come clean about the attack even when the story finally leaked out, shows just how untrustworthy and self-serving its senior management is.
The cover-up, together with the very belated and grudging admission that an attack actually did happen, has put in doubt the completion of the proposed US$4.8 billion sale of Yahoo to Verizon Communications and thus the continued existence of Yahoo itself. In a statement made to the BBC, Verizon admitted that Yahoo had not told it about the huge hack during the acquisition and due diligence processes, that Verizon management had learned about it only two days earlier, and that the disclosure had been partial and incomplete.
And now comes one more massive straw that may finally break Marissa Mayer's back - assuming that she actually has a backbone in the first place. Reuters has reported that Yahoo, acting at the behest of either the NSA, the FBI or some other US government intelligence agency, actually built a secret software program to interrogate each and every one of the hundreds of millions of incoming emails sent by Yahoo's user base, allegedly to search for undisclosed but "specific information" and pass it on to wherever it went.
In the land of the free and the home of the brave, Yahoo simply caved in and complied, unquestioningly and without demur, with a classified demand from a shadowy agency to construct secret mass surveillance on its customers.
Reuters says this is the first known case of a US ISP actually searching all arriving emails rather than sifting stored data or searching a relatively small number of emails in real-time.
Reuters adds that, according to its sources within Yahoo, the decision by CEO Marissa Mayer to accede to the demands of the unknown government agency without seeking safeguards for its customers or making public the imposed requirement, and her determination to bypass and ignore Yahoo's in-house security team, were directly responsible for the sudden and (at the time) unexplained resignation of Alex Stamos, Yahoo's erstwhile Chief Information Security Officer.
In response Yahoo issued a terse statement saying that it is "a law abiding company, and complies with the laws of the United States." That's it. Thank you and goodnight. On your way. Nothing to see here.
Another awful decision by Marissa Mayer
Of course, this isn't the first time that US ISPs and telcos have passed data over to intelligence agencies but it is the first time that a private, commercial company has written a computer program to facilitate hugely wide-ranging real-time surveillance of subscriber communications.
Things changed so much in the US after the 9/11 terrorist attacks, and a raft of new legislation, some of which was passed in haste and anger and under little overview, has resulted in greatly increased surveillance of electronic communications and a concomitant erosion of previously accepted norms of personal privacy. Under various changes and codicils to the US Foreign Surveillance Act of 2008, intelligence and security agencies have the power to require telcos and ISPs to provide them with what used to be confidential customer data. And they use them.
However, in this case Google and Microsoft have explicitly denied that they provide government agencies with such real-time search capabilities and information. In a statement Google wrote, "We've never received such a request, but if we did, our response would be simple: 'No way'". And for its part Microsoft, in badly fractured English, announced, "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo." Meanwhile, Facebook also denied receiving the government demand, saying: "Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it."
For any objections and appeals about the implementation of various pieces of legislation, appellants can petition the Foreign Intelligence Surveillance Court (FISA), which is a sort of "Star Chamber" and secret tribunal that is given to handing down its decisions with minimal explanation for them. However, Reuters says that some FISA members are worried by the Yahoo revelations and opine that the company could have contested the extreme nature of the demands on the grounds that they were far too wide in scope and required the private company to write and install special scanning software to spy on Yahoo mail customer communications in transit.
Patrick Toomey, a lawyer with the American Civil Liberties Union, said "It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court."
Yahoo, already riven by the hidden cyber-attack scandal and now the latest secret surveillance revelations, is asking for more trouble and further tempting fate because, by writing a special program to satisfy the demands of the intelligence services, it has built another window into its already compromised network security. It is a window that may well be cracked open in another devastating cyber attack. Indeed, such an attack might already have happened; we don't know because Yahoo has a history of obfuscation and denial. There's something very rotten there.