nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Yahoo! tries!, fails! to! shoot! down! email! backdoor! claim!

Purple Palace twists words to wriggle out of its surveillance hell

By Iain Thomson, 5 Oct 2016

Updated Almost 24 hours after refusing to deny allegations that it allowed US intelligence free rein on its email systems, Yahoo! has issued a carefully worded non-denial.

"The article is misleading," the statement reads, referring to yesterday's Reuters report. "We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."

The only declarative statement in there is that the message filtering software – described as a system that allows NSA analysts to perform keyword searches on Yahoo! users' incoming mail – does not exist. That's reassuring, although the statement doesn't say if it ever did exist, or if something very similar to it was ever implemented.

The use of the word "misleading" is also eyebrow-raising. "False" would be a much more explicit word to use, since misleading could cover a whole multitude of sins, and Yahoo! doesn't cite anything specific that Reuters got wrong.

Certainly Yahoo!'s statement stands in stark contrast to those of Google and Facebook, both of which were delightfully blunt about the matter.

Meanwhile, the head of the NSA, Admiral Michael Rogers, spoke at the Cambridge Cyber Summit on Wednesday and was asked about the Yahoo! case. Rogers called the article "a bit speculative," CNBC reports, adding that getting blanket access to emails "would be illegal."

"We don't do that. And no court would grant us the authority to do that. We have to make a specific cast. And what the court grants is specific authority for a specific period of time for a specific purpose."

Again, the statement is interesting. Rogers set up getting blanket access to all emails as a straw man, then proceeded to work on that premise. And doing individual keyword searches in the manner described in the article could be construed as a "specific cast."

This is, after all, the intelligence community we're talking about, and they have their own meanings for words. For example, the Director of National Intelligence, James Clapper, denied that the intelligence service was collecting large amounts of data on American citizens just a few months before Edward Snowden released documents showing just that.

Youtube Video

Clapper explained later that, to the intelligence services, the word "collect" means to gather information and then study it. Simply gathering the data in the first place isn't called "collection" unless an analyst has looked at it.

So where does Yahoo!'s statement leave us? Well, still pretty much in the dark, pending a full review of the article pointing out what it got wrong, and possibly what it got right too.

One person who could really help sort this mess out is Yahoo!'s former security chief, Alex Stamos. In the security field, Stamos' integrity is legendary and he would have had to have known about this – indeed the original report suggests he resigned over the matter. Sadly, a spokesman told us he had no comment on the matter. ®

Updated to add

According to a New York Times article today, Yahoo! was ordered by the US Foreign Intelligence Surveillance Court to search people's email for "digital signatures." This keyword search mechanism was built as an extension to the software it used to examine all incoming email traffic for spam, malware and child sex abuse material.

"Yahoo was forbidden from disclosing the order and the collection is no longer taking place," the Times notes. So Yahoo! was scanning innocent people's incoming mail – it just customized its existing code rather than build a brand new system as Reuters had claimed.

The Register - Independent news and views for the tech community. Part of Situation Publishing