For years, Yahoo has been scanning the email of unknowing users and then turning this information over to US intelligence agencies. Citing sources familiar with the matter, Reuters broke the story today that Yahoo is complicit in breaching the privacy of millions of potential users, even beyond its recent hack.
The company complied with a US intelligence directive that saw millions of Yahoo Mail accounts scanned in near-real time, as opposed to the more commonly used scanning of stored messages. This breach seemingly targeted millions of users, all of whom were unaware they were being monitored.
In fact, ‘complicit’ may be the wrong word. Yahoo actively built a tool that enabled this sort of covert surveillance on its users.
According to two former employees, Yahoo CEO Marissa Mayer ordered the company’s compliance, a move that led to the departure of Chief Information Security Officer Alex Stamos. Three others familiar with the matter reported the order came in the form of a classified directive sent to Yahoo’s legal team.
Bulk data collection on US phone and internet companies is nothing new. However, government officials and private surveillance experts claim they’ve not seen such a broad directive for real-time collection on the web.
“I’ve never seen that, a wiretap in real time on a ‘selector,’” said Albert Gidari, a lawyer who represented telecom companies on surveillance issues for the past 20 years. “It would be really difficult for a provider to do that.”
A ‘selector,’ in this case, is a search query used to zero in on a particular target.
Google and Microsoft didn’t respond to a request for comment. We had intended to ask whether either received similar orders and if they were compliant.
Update: A Microsoft representative issued this response:
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
Google responded to Ars Technica. Cyrus Farivar posted this on Twitter:
— Cyrus Farivar (@cfarivar) October 4, 2016