FBI sought terrorist email in Yahoo sweep

Yahoo's sweep was intended to snag a digital signature used by a state-sponsored terrorist organization, unidentified government sources close to the matter told the New York Times.

To comply with a directive from the Foreign Intelligence Surveillance Court to dig through all of its customers' email, Yahoo customized an already existing technology intended to search for child porn and spam, according to the Times.

Yahoo, forbidden to discuss the order, responded by altering a scanning system it already employed to search incoming emails for malware and other unwanted material. The modifications enabled its system to capture any hits with the digital signature and provide copies to the Federal Bureau of Investigation (FBI).

What distinguishes this activity is the fact that, in complying with the order from the Court, Yahoo allowed the search of all of its email, as opposed to specific accounts, a practice other tech companies have stated they have not encountered.

The search began after government officials learned that an undisclosed foreign terrorist group was using Yahoo's email system to send encrypted messages, though with a "highly unique" digital signature.

But, while the Times article is vague about what precisely the intelligence community was searching for in the emails of Yahoo users, Robert Graham, a security researcher at Errata Security, offered further detail. 

"What they are likely referring [to] is software like 'Mujahideen Secrets,' which terrorists have been using for about a decade to encrypt messages," he wrote in a blog post.

By using the software to send an email to his Yahoo account, Graham managed to decode the "highly unique signature" the FBI may have wished to capture in the metadata string: ### Begin ASRAR El Mojahedeen v2.0 Encrypted Message ###.

"Indeed, if this is the program the NSA/FBI was looking for, they've now caught this message in their dragnet of incoming Yahoo! mail," Graham wrote.

Problem is, he said, the NSA sweeps up any email associated with the transmission so that anyone reading about this would be swept up in the government's dragnet as well.

A spokesman from the Office of the Director of National Intelligence told the Times that FISA activity "does not involve bulk collection." 

As well, Adm. Michael Rogers, head of the National Security Agency (NSA), downplayed the allegations. Speaking at a cybersecurity event in Massachusetts on Wednesday, Rogers said the report "is a little speculative," according to The Hill. The NSA couldn't get a nod from a judge to “blanket” search through "all email," he said. “That would be illegal. We don't do that, and no court would ever grant us authority to do that. We have to make a specific case. What the court grants is specific authority for a specific period of time for a specific purpose.”

But security experts point out that existing technology already in use to weed out child porn, malware and spam could enable filtering systems to scour email, although many note that employing this engineering capability in the service of a FISA directive is not common.

Yahoo issued a statement on Wednesday calling the claim "misleading."

"We narrowly interpret every government request for user data to minimize disclosure," the company said in a statement. "The mail scanning described in the article does not exist on our systems."

But the news is stirring outrage from privacy advocates all over the globe.

"The suspicion that Yahoo has actively assisted to scan mails of their users as a henchman of the NSA is not really surprising regarding the information of the PRISM program," said Johannes Caspar, Commissioner for Data Protection and Freedom of Information in Hamburg, Germany, according to PC World. "On the other hand it goes far beyond what is acceptable."

Regardless of the government's intentions, "this is still mass surveillance of American citizens," Graham wrote. "All Yahoo! mail is scanned for such a pattern. I'm not sure how this can possibly be constitutional."
