It seems there’s no end to Yahoo’s problems. Last month, the troubled company admitted that at least 500 million user accounts had been compromised in a breach that took place in 2014. It claimed “state-sponsored actors” were responsible for the attack, though a security firm disputes this. Now, it’s been revealed that Yahoo secretly built custom software last year that scanned all of its customers’ incoming emails for information provided by US intelligence officials.
The report comes from Reuters’ Joseph Menn, citing three people familiar with the matter.
Yahoo was complying with a classified US government request when it created the scanning tool that searched hundreds of millions of user emails at the behest of the National Security Agency or FBI. The software was searching for a specific string of characters, though it’s unclear exactly what words or phrases it was looking for and what data, if any, Yahoo handed over to the authorities.
When Yahoo’s internal security team discovered the software, they initially thought it was the work of hackers. Company CEO Marissa Mayer’s decision to comply with the demand led to Chief Security Officer Alex Stamos leaving his position to join Facebook in June 2015. Stamos said a programming flaw could have allowed hackers to access the stored emails.
The incident is the first known case of a company agreeing to an agency’s request to scan all arriving emails, rather than probing stored messages or a small number of accounts in real time. "Yahoo is a law-abiding company, and complies with the laws of the United States," the firm said in a statement.
The American Civil Liberties Union called the order "unprecedented and unconstitutional [...] It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court."
I wonder how the candidates feel about Yahoo spying on every single customer's emails for NSA/FBI. Will they defend this shameful practice? — Edward Snowden (@Snowden) October 4, 2016
Last year, Yahoo became one of several companies that promised to alert users whose accounts they suspect have come under attack by state-sponsored hackers. Google, Facebook, and Twitter have also made the same promise.
Other tech firms have denied that they received similar demands from government agencies. "We've never received such a request," a Google spokesperson said, "but if we did, our response would be simple: 'no way'."
Microsoft was quick to damn Yahoo: "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo."
Stamos’ current employer said: "Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it."
And Apple, which has had its fair share of troubles with the FBI, said: "We have never received a request of this type. If we were to receive one, we would oppose it in court."
Whether these new revelations affect Yahoo’s $4.8 billion sale to Verizon remains to be seen.