Contrary to a denial by Yahoo and a report by the New York Times, the company’s scanning program, revealed earlier this week by Reuters, provided the government with a custom-built back door into the company’s mail service — and it was so sloppily installed that it posed a privacy hazard for hundreds of millions of users, according to a former Yahoo employee with knowledge of the company’s security practices.
Despite this week’s differing media accounts, this much isn’t disputed: In 2015, Yahoo provided the U.S. government with the means to scan every single email that landed in every single Yahoo Mail inbox. The scanning was kept an absolute secret — and as this ex-Yahoo source describes, that meant keeping it a secret from security personnel who came to believe it endangered Yahoo’s hundreds of millions of unwitting customers.
The employee, who worked at Yahoo before, during, and after the installation of the email-scanning program, requested anonymity because of a nondisclosure agreement formed when the individual quit several months after the program was discovered internally last summer. The source declined to share certain specific names for fear of violating that same NDA or the NDA of others, but The Intercept has confirmed details of the source’s employment at Yahoo, which would have put the then-employee in a position to know this information.
A New York Times article by reporters Charlie Savage and Nicole Perlroth published the day after the initial Reuters report, citing “two government officials who spoke on the condition of anonymity,” characterized the Yahoo email scan as only a modification of an existing email-scanning technique used to detect malware and child pornography — common across many other email and messaging services — rather than a bespoke, new tool built specifically for the government surveillance order, as Reuters had reported. Essentially, according to the Times’s report, Yahoo merely made its porn and virus scanner look for one more nasty thing (some sort of “signature” pertaining to a state-sponsored terrorist group) while it was looking anyway, as opposed to building an altogether new scanner (the difference between an addition to your grocery shopping list and a separate trip). Both are indiscriminate mass searches with troubling Fourth Amendment implications, but there are important differences: According to the Yahoo alum, a mere “modification to [existing] mail filters wouldn’t have raised a red flag … [the security team] wouldn’t have been able to detect it in the first place.” Rather, Yahoo’s security team had detected “something novel, like something a hacker would have installed.” The team believed it “was or looked like a root kit,” a piece of software installed on a computer system to give a third party complete, invisible control. In this case, according to the ex-Yahoo source, it was “a program that runs on your servers that has access to incoming data.”
Alex Stamos, Yahoo’s former information security chief who Reuters reported left the company after finding out about its cooperation with the U.S. government’s scanning mandate, is said to have taken particular issue with how poorly the scanning tool was installed. “He was especially offended that he was not looped in on the decision,” said the ex-Yahoo source. “The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone’s Yahoo mail,” something the source attributed to “the fact that it was installed without any security review.”
To people whose entire job it is to prevent something like this from happening, the discovery was a shock, and they immediately did what was done for any other uncovered vulnerability, filing a complaint so the problem could be tracked and corrected. “Standard protocol on the security team,” the ex-Yahoo source explained, “is to open a security issue and assign it to the team responsible for that component, in this case Mail, saying you have to fix this within 24-48 hours,” due to its severity. “At that point [Yahoo Mail] would have had to explain to [them] why they didn’t have to fix this, which was because they had installed it.” But the source says that after the security team raised an alarm over the email scanning, still thinking it was the work of an outside hacker and not their coworkers, the complaint suddenly went missing from Yahoo’s internal tracker: “I looked for the issue and I couldn’t find it,” said the Yahoo alum. “I assume it was deleted.”
Eventually, several months after the tool was first installed, some members of Yahoo’s security team were filled in about the truth of the scanning project, though they were unable to alter it by that point — a decision that left many frustrated or worse. “It was detected early enough that we could have made things better,” the ex-Yahoo source said. “I was very upset.”
Yahoo declined to comment on the record.