Following up on last week's announcement that 500 million accounts were breached, it was revealed today that Yahoo complied with a FISA request to dig through customers' emails.
Following up on last week's announcement that 500 million accounts were breached, it was revealed today that Yahoo complied with a FISA request to dig through customers' emails.

At the behest of a directive handed down by U.S. intelligence officials, Yahoo built a custom software program in secret to dig through all of its customer's emails, according to a Reuters report.

Hundreds of millions of Yahoo Mail accounts were searched in response to a classified U.S. government directive from the National Security Agency (NSA) or FBI directed at Yahoo's legal team, according to unidentified sources who were said to be former employees of the agencies.

The specifics of what the intelligence agencies were looking for is unknown, the sources said, only that a search for a set of characters was requested, i.e., a phrase appearing in an email or an attachment.

This is not the first time phone or internet companies have complied with requests from intelligence agencies to hand over data on customers, but experts who spoke with Reuters said they had never seen such a wide-sweeping collection of real-time web data. It also appears that a custom computer program was used for the trawling.

Reuters reported that according to two former employees, Marissa Mayer, Yahoo's chief executive agreed to the agencies' request with dissent from other executives at the firm. Alex Stamos, the firm's CISO, departed in June 2015 as a consequence, they said, moving to a similar post at Facebook.

It's unknown at this time whether the federal agencies filed directives with other phone or internet providers. However, there is precedent owing to amendments in 2008 to the Foreign Intelligence Surveillance Act, which sanctions intelligence agencies to make the demand of U.S. phone and internet companies to hand over customer data in matters of preventing terrorist attacks and other intelligence gathering.

Reuters reported that Mayer and Yahoo General Counsel Ron Bell left the firm's security team out of the loop and had company engineers create a program capable of digging through email messages in search of the character string requested by the intelligence agencies. The data could then be stored for remote retrieval.

When Yahoo's security team detected the program in May 2015, a few weeks after the install, they initially believed they were under attack from hackers.

Reuters reported that CISO Stamos resigned after finding out that Mayer had approved the FISA request. He was left out of the decision, he said, and the move put users' security at risk, he reportedly told colleagues, as a bug in the programming could allow hackers to gain access to accounts.

"We're deeply concerned with today's Reuters report," Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), told SCMagazine.com on Tuesday. "This type of broad, warrantless surveillance of hundreds of millions of Yahoo users plainly violates the Fourth Amendment."

But it might not be uncommon. "Unfortunately, it sounds very similar to the type of surveillance AT&T and Verizon allow the NSA to conduct on their networks, as well," Rumold said. "This type of upstream surveillance is unconstitutional on Verizon and AT&T's networks, and it's unconstitutional on Yahoo's networks as well."

While the Reuters story, if it is accurate, "may at first blush seem to be another black eye for Yahoo on the privacy front," Michael Sutton, CISO at Zscaler, in a statement emailed to SCMagazine.com, urged that "we shouldn't be quick to rush to judgement or single out Yahoo. It's unlikely that Yahoo alone received the classified U.S. government directive to search all incoming email messages."

He explained that "such a broad directive suggests that the intelligence community needed to cast a wide net, which likely included other providers," but noted that "unfortunately, the very process of such directives precludes transparency and prohibits others from even revealing the existence of such a request."

Writing code in order to give effect to the FISA request is new, Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), told SCMagazine.com on Tuesday. 

While Hughes admitted that the full extent of what data was handed over is not yet known, he said the news illustrates the terrible position businesses are finding themselves in. On the one hand, he said, enforcement laws on the books order companies to comply with such directives. But at the same time they have an obligation to customers as stewards of their data. 

"They're stuck between a rock and a hard place," he said, pointing out the contrast with the legal dispute earlier this year that pitted Apple against the FBI's request to create a backdoor into a locked iPhone. "Apple took a firm stand," Hughes said. The company was both challenged and critiqued for its stand, he said, but also lauded.

Spying agencies absconding with communications has always been a risk with cloud-based email providers, Chris Wysopal, CTO and co-founder, Veracode, told SCMagazine.com on Tuesday. "Given the PATRIOT Act, unless you have end-to-end encryption in your mail reader with something like PGP, all cloud-based email is at risk." 

Wysopal posits that there have been other email providers approached and others that complied, but might not be able to speak about it because of a gag order. "I think this will be a boon for offshore secure email providers, like ProtonMail in Switzerland," he said. "I have recently seen more of my security colleagues using offshore services like this."

What should not be surprising to anyone is that requests of this type are being made, said Sutton of Zscaler. "Intelligence agencies will continue to do what they've been tasked with – protecting the nation through any and all legal means available to them. What's changing is that methods used in the past are no longer viable."

Due to the increasingly distributed nature of communications and enhanced security protections, including encryption, security agencies can no longer do everything in house, he explained. "In order to access the same data, they must now leverage the service providers themselves. While the providers may not be willing participants, with denials of FISA applications by the Foreign Intelligence Surveillance Court being extremely rare, service providers largely have their hands tied when such directives arrive.”