Earlier this week, Reuters published an exclusive report, backed by multiple sources, saying that Yahoo allowed either the NSA or the FBI to scan for a “set of characters” across all of its hundreds of millions of accounts. When we asked whether it was true and how it happened, Yahoo responded that the Reuters article was “misleading,” but it didn’t characterize it as false.
“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems,” a Yahoo Inc. representative told Tom’s Hardware.
The statement was Yahoo's only reply to the multiple questions we posed about what happened. We also attempted to clarify previous statements made to Reuters and other news sites.
Misleading, But Not False?
What’s surprising about Yahoo’s statement is just how vague it is. Beyond calling the article misleading rather than false, the response does nothing to clarify what exactly was misleading about it.
Reuters’ post made two primary claims. One was that there is a software scanner that allows U.S. intelligence agencies to scan through all of Yahoo’s user accounts, and the other was that the scan is limited to a “search of characters,” rather than the government being allowed to read anyone’s emails in full at will.
Yahoo also seems to talk about “disclosure,” while the Reuters post talks about the ability to search emails. Yahoo may minimize disclosure to the U.S. government (not clear just how minimized), but according to the Reuters post it still has to search through everyone’s emails first.
It’s not the first time Yahoo has released carefully crafted statements that may technically be true, but don’t answer the actual question at hand. Back in 2013, following accusations that Yahoo was involved in the NSA’s “PRISM” program, the company implied it doesn’t voluntarily participate in such a program. However, everyone wanted to know whether Yahoo participates at all, voluntarily or not.
Internal Scanners, Repurposed For Government Surveillance
Many have argued that once you build a censorship or surveillance infrastructure, even with the best intentions in mind, governments will eventually demand that companies use it for much more.
According to a recent New York Times post, this seems to have happened at Yahoo as well. The company allegedly repurposed its malware, spam, and child pornography scanners as a surveillance tool to aid the U.S. intelligence agencies.
Google and Microsoft have their own similar malware and child pornography scanners, but so far both have denied repurposing them for government surveillance in the way that Yahoo’s scanners seem to have been.
“Yahoo Complied With U.S. Laws” - But Which?
One particular bit of information we would’ve liked Yahoo to clarify was which laws it was “complying with” when it made this statement as its first response to Reuters’ article:
"Yahoo is a law abiding company, and complies with the laws of the United States," Yahoo said in a statement to Reuters.
As far as we know, the U.S. doesn't apply “secret laws.” There may be secret interpretations of laws, and we already know there are plenty of secret government or judicial orders, which governments often abuse. However, governments use the secret orders as a reason to protect an investigation from becoming public. There’s no reason to keep a law itself secret, at least not in a way that wouldn’t be unconstitutional.
Americans (companies or individuals) have the right under the First Amendment to say which laws (passed publicly through Congress) they’re complying with. However, for some reason, Yahoo refuses to disclose the laws it is operating within.
FISA Amendments Act, Section 702
Two government sources have said that the law in question is the FISA Amendments Act. More specifically, the government seems to have given the order under a provision called “Section 702,” which is due to expire in December 2017.
Section 702 of the FISA Amendments Act was one of the three main tools that have allowed indiscriminate mass surveillance by the U.S. government, along with Section 215 of the Patriot Act (which was set to expire before the passing of the USA Freedom Act last year) and Executive Order 12333.
Senator Dianne Feinstein, who’s now working on an anti-encryption bill, heavily supported and promoted renewing the Section 702 provision in 2012. President Obama also provided support. Senator Ron Wyden was one of the few who fought against its renewal. Unless there’s a change in public perception and enough pressure on Congress to vote against renewal, it’s likely that the government will extend the provision for at least another five years in 2017.
Many Unanswered Questions
In another statement to the New York Times, Yahoo said that the collection of the data that the Reuters article mentioned is no longer taking place. The company didn’t say whether it happened in the past. We also asked Yahoo why it had to stop the collection if it had done so under a legal requirement by the government, and whether it was the government or Yahoo that decided to end it for now. However, Yahoo didn’t provide an answer.
The Reuters report said that Alex Stamos, Yahoo’s Chief Information Security Officer in 2015, discovered the “program” weeks after the company installed it. It’s not clear how Stamos knew Yahoo installed the program only a few weeks before. Stamos reportedly left the company to move to Facebook after Yahoo’s CEO, Marissa Mayer, kept the security team in the dark about the email scanning operation.
If Yahoo installed the program in 2015, it may not have anything to do with the data breach that Yahoo reported happened in 2014. Often, government backdoors, or any backdoors at all, are the ones that lead to massive data breaches. Yahoo didn’t tell us whether there was any connection between the two.
In light of the significance of the accusations thrown at Yahoo right now, which could impact its business or sale to Verizon (to be completed in Q1 2017), it's puzzling that the company isn't at least trying to answer as many questions as it can in a more direct manner.
It’s likely this won’t be the last time we’ll hear about Yahoo’s alleged involvement with U.S. intelligence agencies, especially if the company decides to clarify some of the questions it now seems to be purposefully avoiding. We’ve also asked Yahoo for further clarification on its statement that the Reuters article was misleading, so we’ll update the post if we receive new statements.