
Snoop! stooge! Yahoo! handed! all! your! email! to! Uncle! Sam! – and! any! passing! hacker!

We broke no laws, troubled web giant insists

By Shaun Nichols, 4 Oct 2016

Updated Internet has-been Yahoo! has stressed it broke no US laws when it apparently insecurely backdoored its email systems for the NSA or FBI.

In 2015, the California-based biz hastily set up mechanisms that allowed American intelligence workers to scan all incoming Yahoo! Mail for particular strings of keywords, it is reported. It appears Yahoo! made no attempt to challenge or fend off Uncle Sam's demands for people's private data.

Alarmingly, the slurping software was so insecure, opportunistic hackers could have plundered it for messages, we're told. This major shortcoming drove Yahoo!'s chief security officer to quit in protest, apparently.

"Yahoo is a law abiding company, and complies with the laws of the United States," a Yahoo! spokesperson told us, neatly avoiding denying any of the allegations.

According to sources speaking to Reuters today, the Purple Palace maintained a system for scanning incoming messages in Yahoo! Mail for specific words and phrases that the NSA or FBI had requested – security industry experts strongly believe the No Such Agency requested the access.

The keyword searching program, which was reportedly kicked off after Yahoo! was served with a classified directive from the US government, was signed off by CEO Marissa Mayer and General Counsel Ron Bell without any input from Yahoo!'s security staff, who were dubbed the "paranoids" internally.

The web giant's chief information security officer Alex Stamos stormed out of Yahoo! after his team stumbled across the surveillance software and found vulnerabilities that could be exploited by miscreants to view any and all messages going through the filtering tools.

According to the newswire:

The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

As a backdrop to this, Yahoo!'s security gurus had developed strong end-to-end encryption for the company's mail users, but were blocked from rolling it out. After Stamos walked out, he joined Facebook in June 2015 as chief of security.

It is not known at this point whether Yahoo! was alone in performing these tasks for the US government. The Register has asked Facebook and Google for comment on their own policies on these requests for intrusive spying, but has yet to hear back.

Yahoo! was part of the NSA's highly controversial PRISM intelligence-gathering network, though the one-time search king claimed it wanted the ability to inform customers about the extent to which government agencies had been asking for account information.

Providing a mechanism for spying on American citizens, let alone on everyone else on the planet who sends messages to Yahoo! users, is troubling. The NSA isn't supposed to snoop on its own people, but its blanket electronic surveillance seemingly sweeps up millions of innocent citizens' private and personal communications.

"Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit," said Patrick Toomey, a staff attorney with the American Civil Liberties Union.

"It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court. If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency."

This bombshell comes as Yahoo! would very much like to avoid bad publicity, because it is trying to close on a deal to sell off its core business to Verizon for $4.8bn. That deal is already getting some criticism after Yahoo! admitted that it had allowed more than a half billion email accounts to be exposed to hackers in what Yahoo! had called a "state sponsored" attack. ®

Updated to add

Yahoo! says the Reuters report is "misleading" – although it has emerged that the web giant was indeed ordered by a secret US court to allow g-men to filter and collect incoming messages by keyword. This search mechanism is an extension to the code in place right now to weed out spam, malware and child sex abuse material from incoming Yahoo! email traffic.
