There’s no good reason to have a Yahoo account these days. But after Tuesday’s bombshell report by Reuters, indicating the enormous, faltering web company designed a bespoke email-wiretap service for the U.S. government, we now know that a Yahoo account is a toxic surveillance liability.
Reuters’s Joseph Menn is reporting that just last year, Yahoo chose to comply with a classified “directive” to build “a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials” — the NSA in particular.
[UPDATE at 10:08 a.m., Oct. 5, 2016: Yahoo has issued a labored non-denial denial, insisting that the Reuters story is “misleading.” See our new story.]
It’s still unknown what the “specific information” here was — or is — but Yahoo CEO Marissa Mayer’s decision not to put up any fight against the extremely broad request apparently prompted the departure of then-Chief Information Security Officer Alex Stamos, now head of security at Facebook.
Reached via Twitter DM, Stamos told The Intercept that he’s “not commenting at all on Yahoo.” When asked if Facebook had ever received a similar government directive, Stamos replied that he would “pass that to Facebook comms.”
A Facebook spokesperson told The Intercept, “Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it.”
It remains unclear what form the directive took, though according to Andrew Crocker, an attorney with the Electronic Frontier Foundation, the best guess is that it invoked Section 702 of the Foreign Intelligence Surveillance Act, which permits the bulk collection of communications for the purpose of targeting a foreign individual.
But this Yahoo program doesn’t appear to have had even an ostensibly non-U.S. target. Rather, literally every single person with a Yahoo email inbox was evidently placed under surveillance, regardless of citizenship.
Crocker said the Yahoo program seems “in some ways more problematic and broader” than previously revealed NSA bulk surveillance programs like PRISM or Upstream collection efforts. “It’s hard to think of an interpretation” of the Reuters report, he explained, “that doesn’t mean Yahoo isn’t being asked to scan all domestic communications without a warrant” or probable cause.
“The Fourth Amendment implications of that are pretty staggering,” Crocker said.
The Yahoo program, as described, also differs from previous federal data grabs in that the scanning occurred in real time, as messages arrived in a user’s inbox, rather than being conducted in an archive of stored communications.
The fact that every single Yahoo email account was subject to this surveillance seems at odds with figures in Yahoo’s transparency report, which claims fewer than 20,000 accounts were tapped at the behest of the U.S. government. It would also appear to run contrary to the spirit of two quotations on Yahoo’s transparency site, where Yahoo General Counsel Ron Bell claims, “We fight any requests that we deem unclear, improper, overbroad, or unlawful,” and Mayer says, “We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it.”
The Reuters report is sourced to “two former employees and a third person apprised of the events,” rather than government officials — raising the possibility that similar orders have been issued to other major service providers.
An Apple spokesperson said “we have never received a request of this type,” and that “If we were to receive one, we would oppose it in court.” This spokesperson also pointed to a section from a recent public letter by CEO Tim Cook, which he said was still accurate:
Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.
A Google spokesperson provided the following statement: “We’ve never received such a request, but if we did, our response would be simple: ‘no way.’” The spokesperson later clarified that the company has not received a “directive” or “order” to that effect, either.
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” a Microsoft spokesperson said in a statement. The spokesperson would not comment on the record as to whether the company has ever received such a request.
Asked whether Twitter had ever received such a directive aimed at its messaging system, Nu Wexler, the company’s public policy communications chief, replied that “Federal law prohibits us from answering your question, and we’re currently suing the Justice Department for the ability to disclose more information about government requests.” Twitter filed the lawsuit in 2014.
In a subsequent statement, Wexler clarified:
We’ve never received a request like this, and were we to receive it we’d challenge it in a court. Separately, while federal law prohibits companies from being able to share information about certain types of national security related requests, we are currently suing the Justice Department for the ability to disclose more information about government requests.
Yahoo issued this statement: “Yahoo is a law abiding company, and complies with the laws of the United States.”
Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement that “the order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit.”
He added: “It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court.”
Here is how to delete your Yahoo account.
Update: October 4, 2016
This article has been updated to include comments from Microsoft, Twitter, Google, Facebook, Yahoo, and Apple.