According to a report, Yahoo had built an incognito software program that scanned through hundreds of millions of its customers’ incoming emails for specific information at the behest of US Intelligence agencies. Two former employees and one other person who knew about the program told news agency Reuters that the company complied with a classified operation for either the National Security Agency (NSA) or the FBI.
Surveillance experts say the incident is the first known case of a US internet company willingly complying to a spy agency’s demand by searching all arriving messages rather than examining stored messages or scanning a small sample of accounts in real time.
What intelligence officials were looking for has not been disclosed at this time; however, it is clear they dispatched Yahoo to search for a set of characters, which sources say could be a specific phrase or attachment. Reuters was not able to confirm what data, if any, Yahoo handed over to officials and whether officials approached other email providers with similar requests.
The two former employees also added that Yahoo CEO Marissa Mayer’s decision to agree to the directive put her at odds with several senior executives and led to the June 2015 resignation of chief information security officer Alex Stamos, who now leads security at Facebook.
In response to Reuters’ questions regarding the demand, a spokesperson said in a brief statement that ““Yahoo is a law-abiding company, and complies with the laws of the United States”. They declined to comment further.
Yahoo security team thought hackers breached their system
Sources say Yahoo’s security team discovered the program in May 2015 and initially thought that hackers had gained access to Yahoo’s system. When Stamos found out that Mayer had authorized the program, he left Yahoo citing that he had been left out of a decision that was detrimental to users’ security.
He did not, however, mention any issues with Yahoo during his June 2015 announcement that he had joined Facebook.
US phone and internet companies are known to have handed over large amounts of customer data to intelligence agencies. However, experts say they have never previously seen a directive to this scale nor one that required the creation of a new program. They also assert that it is likely the NSA or FBI approached other internet companies with the same directive since it is clear they did not know what email accounts their targets were using. Since the NSA makes domestic requests like the one made to Yahoo through the FBI, it is difficult to determine which agency is seeking the information.
Google, whose Gmail is the largest email service in the world, said on Tuesday that it had not received spying requests from the government. In the event that they do, however, Google said its response would be “no way”. Likewise, Microsoft said it has “never engaged in the secret scanning of emails”.
Social networking sites Twitter and Facebook, both of which allow users to send direct messages to one another, also expressed their stance against spying directives.
Apple recently fought a similar directive on February this year after US intelligence agencies made a request gain access to a phone owned by one of the attackers of the 2015 San Benardino massacre.
“We have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will”, Apple said in a statement.