According to a Tuesday Reuters report, Yahoo built a software in 2015 that let them screen their users’ emails for the US government. The tech firm did the scanning without the knowledge of the company’s CSO (Chief Security Officer), two former employees told Reuters anonymously.
US Intelligence officials issued a surveillance order secretly conducted by Yahoo CEO Marissa Mayer, which forced the firm’s engineers to create an app that can search incoming user emails for an “unspecified string of characters”, according to Reuters.
“Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional,” Patrick Toomey, staff attorney with the American Civil Liberties Union, said. “The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit.”
Yahoo’s security team discovered the spy software in May 2015. At the time, the team thought the company has been hacked. Alex Stamos, who was the CSO, resigned after he realized the decision was made behind his back. He allegedly told his employees that a software bug could be the reason why hackers could access hundreds of millions of user accounts.
The latest revelations fueled the concerns over the massive Yahoo hack in 2014, which resulted in the hack of around 500 million accounts.
“They secretly scanned everything you ever wrote, far beyond what law requires. Close your account today,” tweeted Edward Snowden.
“The Fourth Amendment implications are staggering,” Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, tweeted.
According to the Reuters, the NSA or the FBI served a classified US government directive last year. Either agency could have requested data from Yahoo under the Foreign Intelligence Surveillance Act (FISA). The firm challenged unsuccessfully a screening order from the NSA in 2007 before the U.S. Foreign Intelligence Surveillance Court. Unsealed documents in 2014 revealed the tech company was threatened to be fined by $250,000 each day when Yahoo did not comply with the order.
Surveillance experts say investigators often request data from tech companies like Yahoo, however, this is the first time in US history when a firm has agreed to screen all of the user messages. It is still unclear what kind of information was the investigators seeking or if the government was successful during their search.
“Yahoo is a law-abiding company, and complies with the laws of the United States,” Yahoo told Reuters in a statement, declining to comment further.
In the most recent transparency report, according to Yahoo, the company received 4,460 requests for user data from US investigators during the second half of 2015. The firm disclosed content 1,098 times. However, in the footnote, the requests was not approved by FISA in the figures.
When the company responded to FISA requests, Yahoo said they may potentially provide authorities with any content their users “create, communicate and store on or through our services. This could include, for example, words in an email or instant message, photos on Flickr, Yahoo Address Book or Calendar entries and similar kinds of information.”
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order because customers are counting on technology companies to stand up to novel spying demands in court,” Toomey said in a statement Tuesday. “If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency.”