Yahoo sifted through users’ emails for the government

The embattled internet giant created a software program to access customers’ emails, which possibly made it vulnerable to hackers.

CREDIT: AP Photo/Marcio Jose Sanchez

Yahoo built custom software to search customers’ incoming emails at the request of U.S. intelligence agencies, Reuters reported Tuesday.

The troubled internet company, which has a pending $4.8 billion merger deal with Verizon and suffered one of the largest hack attacks in history, reportedly built the software to comply with an FBI or NSA warrant from the secret Foreign Intelligence Surveillance Court, anonymous former Yahoo employees told Reuters.

Specifics of what the agencies were looking for are unknown, but the government was aiming to scan hundreds of millions of Yahoo email accounts in search of a certain set of characters, which could be part of a phrase in an email body or an attachment.

News of Yahoo’s legal cooperation with the government dredges up security and surveillance concerns that stem from the Patriot Act. Two years after NSA contractor turned whistleblower Edward Snowden released documents outlining the government’s surveillance practices in 2013, Congress passed an NSA reform bill that was meant to curtail some broad surveillance practices such as collecting metadata for phone numbers in an entire state rather than a specific region.


Privacy advocates were pleased with the compromise but warned that the bill didn’t address other surveillance practices — primarily cooperation with tech companies through the NSA’s PRISM data-sharing program.

Security experts were also concerned about government agencies’ repeated requests for backdoor access to tech companies’ consumer data, claiming that doing so would compromise encryption and make it easier for bad actors to breach data servers.

Yahoo’s former Chief Information Security Officer Alex Stamos shared that concern and reportedly left the company in 2015 after learning that CEO Marissa Mayer okayed the government’s data request, according to Reuters. Stamos, who now works as Facebook’s head of security, declined to comment on the story, but associates told Reuters that he resigned because the decision to acquiesce to the government’s request compromised Yahoo’s security. Yahoo released a statement saying “Yahoo is a law abiding company, and complies with the laws of the United States.”

Yahoo isn’t alone in its cooperation with government requests. The number of government requests worldwide has increased in recent years, with many of them originating from the United States or targeting U.S.-based companies.

U.S. agencies made the most data requests for Google consumers, according to the company’s 2016 transparency report. The company received 12,523 requests for 27,157 Google users from July through December 2015. The government received data for 79 percent of those requests.


For Facebook, data requests jumped 13 percent in the latter half of 2015. Sixty percent of the U.S. government’s 19,235 requests for data from 30,041 accounts came with a gag order — meaning the company couldn’t disclose to account holders that their data had been turned over to law enforcement. The social network also adamantly states in its latest government requests report that it does not provide governments with backdoor or direct access to customer data.

Yahoo fielded 4,460 data requests from U.S. government agencies regarding 9,373 specified accounts from July 1, 2015 to Dec. 31, 2015, according to the company’s latest transparency report. The company then disclosed content for 25 percent of those requests.

Yahoo’s transparency report does not mention direct access to consumers’ emails, but the company has denied doing so in the past. But the report does clearly display a quote from Yahoo’s general counsel Ron Bell, which says “We fight any requests that we deem unclear, improper, over-broad, or unlawful.”

Update: Yahoo released a statement Wednesday denying Reuters’ report that the company aided in email surveillance. “We narrowly interpret every government request for user data to minimize disclosure,” the company said. “The mail scanning described in the article does not exist on our systems.”