Yahoo’s CISO resigned in 2015 over secret e-mail search tool ordered by feds

October 11, 2016

According to a new report by Reuters citing anonymous former employees, in 2015, Yahoo covertly built a secret “custom software program to search all of its customers' incoming emails for specific information.”

Reuters noted that Yahoo “complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.” It is not clear what data, if any, was handed over.

Presuming that the report is correct, it would represent essentially the digital equivalent of a general warrant—which is forbidden by the Fourth Amendment, as Electronic Frontier Foundation lawyer Andrew Crocker noted on Twitter.

The Fourth Amendment implications are staggering. Yahoo as agent of government scans all email, devoid of probable cause, particularity, etc

— Andrew Crocker (@agcrocker) 1:24 PM - 4 Oct 2016

This seems to be the first known case of an American Internet company acting on behalf of the government to search messages in near real time—previous operations captured stored data or intercepted only a handful of target accounts.

As Reuters also reported, Yahoo's then-Chief Information Security Officer, Alex Stamos, resigned in protest once he found out about the secret program. Stamos now works at Facebook.

Yahoo did not immediately respond to Ars' request for comment.

UPDATE 5:11pm: Kaitlin Kikalo, a Yahoo spokeswoman, sent Ars the same statement that the company has been sending to other media and declined further questions: “Yahoo is a law abiding company, and complies with the laws of the United States.”

A spokeswoman for Microsoft, Kim Kurseman, e-mailed Ars this statement, and also declined further questions: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”

For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"

Sen. Ron Wyden, a Democrat who represents Oregon, also expressed dismay over the Yahoo revelation. He e-mailed:

It is a fact that collection under Section 702 of the Foreign Intelligence Surveillance Act has a significant impact on Americans’ privacy. It is public record that this expansive surveillance program is the basis for warrantless searches of Americans’ emails, and that the government has never even counted how many. The FISA court has publicly stated that tens of thousands of wholly domestic communications are caught up under 702 collection every year and that the potential number of Americans impacted is even larger than that.

The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public.

UPDATE 6:31pm ET: In a phone interview, Rep. Ted Lieu, a Democrat who represents a portion of Los Angeles County, told Ars that this type of forced government request was "flat out unconstitutional."

"The continuing revelation of our law enforcement and these agencies violating the Constitution shows that there is a breakdown in oversight," he continued. "The [Foreign Intelligence Surveillance Court] has shown repeatedly that they do not have the ability to protect the Constitution or the rights of Americans, we need another system—thank God we have freedom of the press."

Neither the NSA nor the FBI has responded to Ars' request for comment.