TechSpot

Yahoo built software to scan all its customers' emails for US spy agencies

By midian182
Oct 5, 2016
Post New Reply
  1. It seems there’s no end to Yahoo’s problems. Last month, the troubled company admitted that at least 500 million user accounts had been compromised in a breach that took place in 2014. It claimed “state-sponsored actors” were responsible for the attack, though a security firm disputes this. Now, it’s been revealed that Yahoo secretly built custom software last year that scanned all of its customers’ incoming emails for information provided by US intelligence officials.

    The report comes from Reuters’ Joseph Menn, citing three people familiar with the matter.

    Yahoo was complying with a classified US government request when it created the scanning tool that searched hundreds of millions of user emails at the behest of the National Security Agency or FBI. The software was searching for a specific string of characters, though it’s unclear exactly what words or phrases it was looking for and what data, if any, Yahoo handed over to the authorities.

    When Yahoo’s internal security team discovered the software, they initial thought it was the work of hackers. Company CEO Marissa Mayer’s decision to comply with the demand led to Chief Security Officer Alex Stamos leaving his position to join Facebook in June 2015. Stamos said a programming flaw could have allowed hackers to access the stored emails.

    The incident is the first known case of a company agreeing to an agency’s request to scan all arriving emails, rather than probing stored messages or a small number of accounts in real time. "Yahoo is a law-abiding company, and complies with the laws of the United States," the firm said in a statement.

    The American Civil Liberties Union called the order "unprecedented and unconstitutional [...] It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court.”

    Last year, Yahoo became one of several companies that promised to alert users whose accounts they suspect have come under attack by state-sponsored hackers. Google, Facebook, and Twitter have also made the same promise.

    Other tech firms have denied that they received similar demands from government agencies. "We've never received such a request," a Google spokesperson said, "but if we did, our response would be simple: 'no way'."

    Microsoft was quick to damn Yahoo: "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo."

    Stamos’ current employer said: "Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it."

    And Apple, which has had its fair share of troubles with the FBI, said: "We have never received a request of this type. If we were to receive one, we would oppose it in court."

    Whether these new revelations affect Yahoo’s $4.8 billion sale to Verizon remains to be seen.

    Permalink to story.

     
  2. Legionnaire

    Legionnaire TS Rookie

    People would have to be quite stupid to think the others aren't doing it. They're all doing it. They don't have a choice.

    Those responses by the others are probably not lies, but they're not the full truth. Read them very closely: "We've never received such a request". Since when would the government request it? They demand it. Hence the statement holds, but Google and the other big guys still have to give the data. All statements by these companies all have something like this. None of them responded with "We've never let the government or any government agency see any of our customers' data in any way, ever." If they actually didn't share data, that is how they would respond.

    It's a known fact that Windows (especially from 7 onwards) is completely hackable by at least the US (and probably a few other governments too like the UK, France and Germany). If people think they are successfully hiding their data, they're simply wrong. The only safe way to hide your data is through open-source software that does not use third-party encryption.

    A bunch of governments can just access all our stuff at any time, and can control it too. We don't need to fear it, as it will highly unlikely ever affect the average guy's life, it is kinda scary, but we just have to accept that it is there... like other things we don't like... like traffic jams and bad movies... After all, there's absolutely nothing we can do about it... like traffic jams and bad movies...
     
    BSim500 likes this.
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 1,662   +769

    What's that recent saying? "Don't put anything in an email message that you wouldn't want read out loud at your church on Sunday morning" or words to that effect. While the constitution does not specifically give you a right to privacy it has or was certainly a reasonable expectation which reminds me of that other quote "give them an inch and they'll take a mile" .... we are already a long ways down that road!
     
  4. Wendy Oltman

    Wendy Oltman TS Booster Posts: 128   +16

    Well at least now why know why Yahoo said the hack was "state sponsored". It was OUR state and Yahoo let them in!
     
    Godel and SirChocula like this.
  5. LDS0816

    LDS0816 TS Rookie

    My online mail is for junk and I dont keep important things on my computer.
     
  6. Igrecman

    Igrecman TS Enthusiast Posts: 91   +47

    Making a spelling error on purpose on all the main words of an e-mail, is one way to bypass the string of characters search. You can also add random spaces or dashes to the words. Call it the one bit encryption.
     
    Last edited: Oct 5, 2016
  7. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,506   +498

    I did the switch from Yahoo a looooong long time ago.

    You sir are a genius, I'm pretty sure no one had thought about this before... they are not searching for just one string, they are searching for specific words in all their variations or this would make no sense whatsoever.
     
  8. Igrecman

    Igrecman TS Enthusiast Posts: 91   +47

    T-h annk yoo. High n ew I w-uz a jee-niouss. H- oww doo yoo su- ppoze day'd phynnd an-y stree-ng or wu- rdz in diss ph-razze? LEL
     
    Last edited: Oct 5, 2016
  9. davejonnes

    davejonnes TS Rookie

    Honestly, I could care less if Obama just saw that I'm renewing my subscription to sexyDuckMermaids.com... as long as my information is not just simply exposed to the whole world, who gives a crap. If they are doing it for security purposes, in the end, that only benefits me and other Americans. I don't get why people are so crazy about their privacy...

    I understand it to a certain extent, since I wouldn't want all of my information to be easily available to basically anyone that wants it out there. But if this information is being monitored by the govt. and the govt. only, what is so worrisome about that? It's not like I have anything to hide in there. And if you use a "public email" like yahoo, to hide important information that you would never want anyone else to see, I feel sorry for your lack of understanding as far as technology.

    It's not like the govt. is controlling us all, and we are all wearing tin-foil hats to keep them from controlling us...

    If your argument is "I'm an American, and that is my damn given right!", I completely disagree with you. I'd much rather be a bit more "elastic" as far as a few of my rights, and in turn be more secure from all types of threats that can be prevented via this practice; then to simply exercise my rights for the sake of exercising them.
     
  10. Uncle Al

    Uncle Al TS Evangelist Posts: 1,662   +769

    Of course, that is the way most scammers from countries outside of the US will NORMALLY spell words .... so maybe we can send all the scammers to Washington! I love it!
     
  11. Evernessince

    Evernessince TS Evangelist Posts: 1,169   +577

    "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

    - Benjamin Franklin

    What you are essentially implying is that it would be A-ok to live in a complete surveillance state because it *might make you more safe. I'm guessing you've never taken the time to read any george orwell books or educated yourself on the many negatives of living in a country with such practices? It has never been just about privacy or rights and you are kidding yourself if you think people are being selfish by declaring their right to privacy an individual virtue.
     
    Last edited: Oct 6, 2016
    Raoul Duke and SirChocula like this.
  12. SirChocula

    SirChocula TS Booster Posts: 71   +50

    I so agree with you. His statements are similar to those that are brainwashed by the MSM's koolaid. It's sad and sickening to actually think people hold these views that the government has their best interests or safety in mind.
     
  13. havok585

    havok585 TS Booster Posts: 121   +19

    I heard people in North Korea would love to have such obedient people like you.
     
  14. davejonnes

    davejonnes TS Rookie

    Note: email monitoring through trigger words is one thing, people being brainwashed by the government like in Orwell's books is another. 1. It is not like they have a bunch of employees simply going through every single email that everyone in the US has sent, that would be stupid and resource wasteful. This is done via software looking for trigger words. 2. He says essential liberty, ESSENTIAL means absolutely and undeniably needed. You are comparing the tyranny of England on the US (since that is what Benjamin Franklin is referring to) to a scanning software.

    IF 9/11 could've been prevented via this practice, and saved 3000 lives, would you still be so selfish with your so called rights just for the sake of claiming them? If you were stuck in a situation where had the chance to defend yourself through words, would you plea the fifth instead just to exercise your rights? People fail to realize that unless there is someone/something forcing you to do so, giving up on a right can still be a choice... and that is what freedom ultimately is: the ability to make your own choices.
     
  15. Evernessince

    Evernessince TS Evangelist Posts: 1,169   +577

    "1. It is not like they have a bunch of employees simply going through every single email that everyone in the US has sent, that would be stupid and resource wasteful."

    You're right, it would. That's why they have prism and data collection agreements with every ISP. This is only what was leaked by snowden. We know that they collect information from many sources and aggregate this data in the prism program. Apply fitting, just ask google what you can do with this much data. Even if each individual source isn't linked to an individual, it becomes very easy to link sets of data to specific people merely by analysing patterns. The capability of modern computers to impose a constant security state is something Orwell could only dream of. What is possible today is far greater reaching than anything he could put into print.

    "He says essential liberty, ESSENTIAL means absolutely and undeniably needed."

    When he said "essential liberty" he meant it as "all liberty is essential". You are trying to rational that only "undeniably needed" liberty is required. That is far too vague. For example, a slave's only "undeniable liberty" is that he gets to sing while he works. Our forefathers didn't fight to make sure we only get the most basic of human rights, they did it so that anyone of any ethnicity could be treated as equals with the highest standard of civil rights. You start chipping away at the basis for free speech and soon you will find yourself without the basis to even speak freely.

    "IF 9/11 could've been prevented via this practice, and saved 3000 lives, would you still be so selfish with your so called rights just for the sake of claiming them?"

    First, you are speaking in hypotheticals but I'll play along. Given recent events I'd suspect it would not change much. There was a recent fake bombing at JFK airport. Even after all the security upgrades over the years guess what happened? The security guards failed to help anyone, running off trying to save themselves. Stampeded, people injured by trampling, ect. They treat every American like a terrorist yet it did absolutely nothing. Second, Human rights are selfish? Following your crazy 9/11 logic we should all be removed from having freedom of speech, I can't tell you how many books have been written that have inspired criminals or how many television programs the same. Yes, we should make fun of those who exercise their rights because IT MIGHT lead so something bad. Taking an emotionally charged scenario like 9/11 is always grasping at straws. It's you taking the most dramatic event possible and trying to get people to believe they should have their rights violated because of one incident. Thanks to logic like that we have the patriot act, which allows the government to imprison anyone without a trail.
     
  16. Danny101

    Danny101 TS Enthusiast Posts: 35   +17

    We will soon be nothing more than cattle
     
  17. Techstar

    Techstar TS Member Posts: 88   +16

    This is very commendable on their part, I applaud them in their efforts.
    We all already knew that there is no privacy on the internet though didn't we? There is no privacy anywhere but in your home with the curtains drawn and the outside links shut down. I am fine with that.
     
  18. Techstar

    Techstar TS Member Posts: 88   +16

    lol I think a lot of you already are. :)
     
  19. Evernessince

    Evernessince TS Evangelist Posts: 1,169   +577

    That's still not really private unless you turn off every electronic device in the house and pull out the battery. The NSA has already developed backdoors for both Android and iOS that allow them to take control of a device's microphone and camera, even while the device is in a low power mode. That's only one agency as well. 100% chance other countries have different methods of getting in.

    There should be privacy and there would be if the so called device security were actually transparent with their implementation. Instead, what we have right now is little knowledge of how these systems are implemented on a per device basis which also means we have no idea of it's security holes or government made zero day exploits.
     
  20. Techstar

    Techstar TS Member Posts: 88   +16

    Those would be the outside links I mentioned. The simple truth is, unless you are involved in anti American activities, no one has the time or the desire to watch what you are doing. In short no one cares. :)
     
  21. Evernessince

    Evernessince TS Evangelist Posts: 1,169   +577

    Now if that were true google wouldn't be known for collecting data on pretty much everything you do. You look around at companies and they are all trying to collect as much data as possible to predict what you will by next or figure out how to advertise to your interests. Hackers also care. If they know what you buy, how you say things, where you live, where you go, where you bought your car, and even your bowl schedule there is plenty of things they can do to get money out of that information.

    You seem to believe that these companies and people are watching each and everything that you do. That is a mistake. It's easy to setup a computer system that can parse voice or text data and collect only the juicy bits. Like I said before, the power of modern computers has made it easy to collect massive amounts of data and then collate that into something useful.
     
  22. Techstar

    Techstar TS Member Posts: 88   +16

    Well, duh. Computers gather information which is passed to algorithms. People are not even in the loop because no person cares about you or me. I'd rather get ads for things I search for, it might offer something my search missed. If you want to, turn it off and see generic ads for adult diapers and feminine napkins. lol
    People seem to think that there are people watching them, there aren't.
     
  23. Godel

    Godel TS Rookie Posts: 21

    The problem with "you've got nothing to fear if you haven't done anything wrong" is that you don't get to decide what's right or wrong, and you don't know who does and just when they made that decision about you.

    Also with all your emails being stored for years, it's not just the current regime but the ones who come into power next who can make decisions about your fitness. Just ask the journalists living in Turkey, or at least the ones that haven't been rounded up yet.
     
    Evernessince likes this.
  24. Techstar

    Techstar TS Member Posts: 88   +16

    The statutes are available to all citizens, so if you don't know what's right and what's wrong, it's your own fault. Ignorance of the law is no excuse.
     
  25. Underdog

    Underdog TS Member Posts: 21   +16

    "IF 9/11 could've been prevented via this practice, and saved 3000 lives, would you still be so selfish with your so called rights just for the sake of claiming them?"
    It has been pointed out in more than one credible factual documentaries that there was quite a lot of information about members of the group that caused the 9/11 massacre but the agencies were so inept that they didn't act on the info they had.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...