It may not come as a huge surprise that the company embroiled in controversy following today’s groundbreaking Reuters report on surveillance is Yahoo, as the internet search and email giant was one of several major tech companies exposed as being accessible to the National Security Agency’s Prism program in 2013.
It is certainly shocking to see this kind of dragnet surveillance going on, however, after the Edward Snowden leaks, which revealed Prism and many other secret snooping programs and led to the passage of a law to supposedly reform the NSA. The email siphoning system at Yahoo was apparently installed just weeks before that bill, the “USA Freedom Act,” was signed into law by the president. To make matters worse, the Yahoo surveillance appears to have gone even further than previously revealed programs.
According to the Reuters report, in the spring of 2015 Yahoo was ordered by either the NSA or FBI to create a system to scan all of its customers’ incoming email traffic, amounting to hundreds of millions of emails. The company reportedly complied with the secret government order, enabling intelligence agents to scan the massive database of email content for a certain set of characters or keyword they were looking for.
That the email scanning system apparently targeted email content rather than just “metadata,” and targeted all Yahoo email accounts, regardless of the account holders’ U.S. citizenship or other considerations, is a considerable step further than previously exposed NSA programs, as experts were quick to point out. Andrew Crocker, an attorney with the Electronic Frontier Foundation, described the Yahoo revelations as “staggering,” adding that the email surveillance was “in some ways more problematic and broader” than previously known programs.
Patrick Toomey, a staff attorney with the American Civil Liberties Union, meanwhile, said that “the order issued to Yahoo appears to be unprecedented and unconstitutional.” Toomey also reportedly added that the surveillance described in the Reuters report represents “a new surveillance paradigm, one in which computers constantly scan our communications for information of interest to the government.”
In 2013, following news reports of Yahoo users’ data being accessible through the NSA Prism program, Ron Bell, general counsel for the company, issued a strong statement denying the allegations, insisting the company would “fight any requests that we deem unclear, improper, overbroad, or unlawful.”
“The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false,” Bell wrote. “Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive. Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested. Then, and only then, do our employees evaluate the request and legal requirements in order to respond—or deny—the request.”
In response to the Reuters story today, in contrast, Yahoo issued only a brief statement saying that it “is a law abiding company, and complies with the laws of the United States,” declining further comment.
Also revealed in the Reuters report is that Alex Stamos, formerly chief information security officer at Yahoo, left the company over CEO Marissa Mayer’s decision not to fight the federal surveillance directive. Stamos, who now holds a similar position at Facebook, would not comment on the Yahoo revelations, although Facebook itself did give a statement to the Intercept through a spokesperson, saying “Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it.”
Other tech companies made similar statements in response to the Yahoo story. “We’ve never received such a request, but if we did, our response would be simple: ‘No way’,” a Google spokesperson reportedly said. A Microsoft spokesperson said the company had “never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” while declining to comment on whether the government had ever requested it to do so.
Coming in the wake of a security breach impacting hundreds of millions or perhaps even billions of its users, this latest news is sure to add to Yahoo’s present public relations crisis. Just because Yahoo has egg on its face today, however, doesn’t make it an anomaly in the world of high tech plausible deniability. As demonstrated by Yahoo’s 2013 public position compared to its subsequent actions, and by much-hyped privacy protections like the USA Freedom Act that appear to be doing very little in practice, PR statements from gigantic tech companies, like those from politicians intelligence agencies, should be taken with a grain of salt.