Report: Yahoo Spied On User Emails for US Government

UPDATED Wednesday, Oct. 5, with comment from Yahoo, Apple, Facebook, Google, Microsoft and Twitter; Thursday, Oct. 6, with information from The New York Times; and Friday, Oct. 7, with information from VICE Motherboard.

While Apple stood firm against U.S. law-enforcement demands, Yahoo caved.

At the request of the FBI, or perhaps the National Security Agency, Yahoo in early 2015 created a tool to search all Yahoo Mail messages for a specific set of information, Reuters reported today (Oct. 4). The implication is that every email sent or received by Yahoo Mail users was scanned, not just the mail of named targets.

Yahoo headquarters in Sunnyvale, California. Credit: Coolcaesar/Creative Commons

The existence of the tool was not disclosed to Yahoo's own security team, Reuters said. Yahoo security personnel found it on their own, and initially thought hackers had broken into Yahoo's systems. Yahoo's security chief resigned as a result, arguing that the tool itself could have let in hackers.

It's not clear whether other email providers received or complied with similar government requests. Google and Microsoft did not reply to Reuters' inquiries. Reuters spoke to two former Yahoo employees, and a third person knowledgeable of the events. None were named or directly quoted.

The report comes as Yahoo is still reeling from the disclosure that a 2014 security breach led to the compromise of 500 million accounts, the largest on record. The financially ailing company is in the process of selling its core assets to Verizon.

Apple famously refused to comply with a court order in February that it alter its mobile operating system iOS 9 to let FBI forensic researchers access an iPhone used by terrorist Syed Rizwan Farook. The FBI eventually found someone else who could break into the phone.

The government request to Yahoo may have come in the form of a National Security Letter, a secret demand for information that arrives with a gag order barring the recipient from revealing it and that is rarely challenged successfully. Yahoo fought a similar secret order in 2007, but reportedly lost.

It's not clear whether the request came from the FBI or the NSA, or what exactly the desired information was. The NSA frequently has to route such requests through the FBI to comply with laws barring the NSA from spying on U.S. citizens and legal residents.

Nor is it known whether the information the government sought was ever found, how long the scanning tool was in operation, or whether it is still used.

The decision to comply with the government request led to the departure of Alex Stamos, Yahoo's then-chief information security officer, the report said.

Stamos, widely respected in the information-security industry and a noted advocate of online privacy, reportedly told Yahoo security staffers that he had not been told of the tool before or after it was implemented. He also told staffers that flaws in the tool could have let hackers read Yahoo user emails.

In February 2015, while he held the Yahoo job, Stamos famously confronted NSA Director Admiral Mike Rogers at a security conference about the use of encryption "backdoors" that would let law enforcement read otherwise encrypted data.

Last week, The New York Times reported that Stamos and Yahoo CEO Marissa Mayer had clashed over the security protection of Yahoo accounts during his tenure. Mayer and other top Yahoo executives refused to allow a forced reset of all Yahoo passwords, arguing that it would drive Yahoo Mail users away.

Stamos joined Yahoo in March 2014 and tightened up Yahoo's security procedures, most visibly by moving password storage from a weak, fast hash to bcrypt, a deliberately slow, salted hashing scheme that makes offline cracking of stolen password hashes far more expensive (the algorithm itself has not been broken, though weak passwords under it remain guessable). It's not clear whether the 500 million Yahoo user accounts were accessed while Stamos was at the company. He left Yahoo in July 2015 and soon joined Facebook.
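To show why that password-storage change matters, here is an added example that is not code from the article, from Yahoo or from Stamos. It contrasts the weak scheme (a single fast, unsalted hash, MD5 here) with a salted, deliberately slow key-derivation function. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt so the example runs without extra packages; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample credentials for illustration only. Two users who happen
# to share a password make the weakness of unsalted hashing visible.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Work factor for the slow scheme. Tune upward on real hardware; the point is
# that each guess costs the attacker this much work too.
ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted hash.

    Equal passwords give equal digests, so a leaked table reveals shared
    passwords and a single precomputed dictionary cracks every user at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def kdf_salted(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> str:
    """Strong scheme: per-user random salt plus a slow key-derivation function.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here; both are designed so that
    every guess against a stolen hash costs the attacker real CPU time.
    The stored string carries its own parameters so they can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and parameters and compare
    in constant time, so a wrong guess does not leak how many bytes matched."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_schemes() -> dict:
    """Hash the sample users under both schemes and report what each reveals."""
    md5_table = {u: md5_unsalted(p) for u, p in USERS.items()}
    kdf_table = {u: kdf_salted(p) for u, p in USERS.items()}
    return {
        # Same password, same MD5: the leak itself tells the attacker.
        "md5_reveals_shared_password": md5_table["alice"] == md5_table["bob"],
        # Different salts hide the fact that alice and bob share a password.
        "kdf_hides_shared_password": kdf_table["alice"] != kdf_table["bob"],
        "kdf_verifies": verify(USERS["alice"], kdf_table["alice"]),
        "kdf_rejects_wrong": not verify("wrong guess", kdf_table["alice"]),
    }


def guess_cost_ratio(samples: int = 2000) -> float:
    """Rough ratio of time per guess: slow KDF versus unsalted MD5.

    Timing varies by machine, so this is for the reader's intuition only.
    """
    t0 = time.perf_counter()
    for i in range(samples):
        md5_unsalted(f"guess{i}")
    md5_per_guess = (time.perf_counter() - t0) / samples
    salt = os.urandom(16)
    t0 = time.perf_counter()
    kdf_salted("guess", salt)
    kdf_per_guess = time.perf_counter() - t0
    return kdf_per_guess / md5_per_guess


if __name__ == "__main__":
    print(compare_schemes())
    print(f"slow KDF costs roughly {guess_cost_ratio():,.0f}x an MD5 guess")
```

The stored-hash format embeds the iteration count so the work factor can be raised on a user's next login without a forced reset; that is the same property that lets a real bcrypt deployment raise its cost parameter over time.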

UPDATE: Yahoo would neither confirm nor deny the reports, telling news outlets including The Wall Street Journal and Ars Technica that "Yahoo is a law-abiding company, and complies with the laws of the United States."

On Wednesday, Yahoo further told Ars Technica, "The [Reuters] article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning system described in the article does not exist on our systems."

Twitter commentators quickly pointed out that Yahoo did not say the scanning system had never existed on the company's systems.

Other U.S. internet giants sent out statements Tuesday that they had never done anything similar.

"We have never received a request of this type," said Apple to Vocativ. "If we were to receive one, we would oppose it in court."

"Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it," Facebook told Vocativ.

"We've never received such a request, but if we did, our response would be simple: 'no way,'" Google said to Ars Technica, CNBC and the Journal.

"We've never received a request like this, and were we to receive it, we'd challenge it in a court," Twitter said to Vocativ, adding that it was "currently suing the Justice Department for the ability to disclose more information about government requests."

"We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo," said Microsoft to the same three outlets. Unlike the others, Microsoft did not say it had never received such a request.

UPDATE: The New York Times reported Wednesday that the scanning tool was actually an adaptation of Yahoo's existing filters, which normally scan for malware, spam and child pornography. A filter was added to scan for a specific string of text used in emails sent by persons working for an overseas state-sponsored terrorist organization, the Times' anonymous sources said. The terrorist organization was not named.

UPDATE: Two anonymous sources who spoke with VICE Motherboard countered the Times story, saying that the email scanner was a "rootkit" that was "poorly designed" and threatened all Yahoo Mail users.

"If it was just a slight modification to the spam and child pornography filters, the security team wouldn't have noticed and freaked out," one source, said to be a former Yahoo employee, told Motherboard. "It definitely contained something that did not look like anything Yahoo Mail would have installed."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.