Here's some shocking news for anyone who is still actually using a Yahoo email address: Starting in 2015, all of the emails Yahoo users received were being searched for a particular set of characters at the request of the security state in an unprecedented real-time wiretap of email, according to a report from Reuters.
Reuters's Joseph Menn reports that three sources, including two former employees, have confirmed that Yahoo built a custom tool to scan "hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI." The government was looking for emails that contained a certain "set of characters."
A Yahoo spokesperson asked for comment sent the following statement: "Yahoo is a law abiding company, and complies with the laws of the United States." Update: On Wednesday, Yahoo sent out a new statement, saying that the Reuters "article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.” According to the New York Times, Yahoo did not build a special tool, but rather repurposed the scanning program it already uses to search for malware and child porn sent by and to its users.
When Yahoo's security team, who wasn't involved in the creation of the custom tool, discovered it, they thought Yahoo had been hacked, reports Reuters:
[Some Yahoo employees were] upset that [CEO Marissa] Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
Yahoo's then-chief security officer Alex Stamos reportedly left because of the discovery, moving to Facebook. Stamos said he is unable to comment on this.
In 2014, the year before Yahoo was asked to do this, Stamos had announced that Yahoo was rolling out an end-to-end encryption option for its email users. That feature would have prevented this tool from working for users who employed it, as the content of their email would appear as gobbledy-gook to Yahoo, only readable by people with the encryption keys for the conversation. However, two years later, Yahoo has still not released that feature.
We can assume that there must have been something seriously alarming to have warranted this kind of government request, but as noted by Reuters, surveillance on this scale, in real-time, is unprecedented:
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency's demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It's possible you're chuckling to yourself and thinking, "Ha, but only my great-uncle uses Yahoo for email, and he just subscribes to a bad NFL newsletter." But the inherent seriousness of this sort of secret compliance with information gathering aside, it's possible other companies were asked to perform the same sort of searches, whether or not they complied.
The newly revealed decision is also a stark contrast to one made by Open Whisper Systems which makes the encrypted messaging app Signal. On Tuesday, it revealed that it has received a subpoena accompanied by a gag order for information about a conversation one of its users had using the app. But because Whisper end-to-end encrypts its users' conversations and minimizes its data collection, all it could provide to the government, per The New York Times, was "the time the user’s account had been created and the last time it had connected to the service — far less than the government sought."
Yahoo, which sold to Verizon for nearly $5 billion this year, has been having a very rough couple of weeks when it comes to the security news cycle. Last month it revealed that 500 million accounts had their passwords stolen. NSA whistleblower Edward Snowden is among the many people urging Yahoo users to consider moving to a new service.
* Headline updated to reflect updates to story.
Ethan Chiel is a reporter for Fusion, writing mostly about the internet and technology. You can (and should) email him at firstname.lastname@example.org
Kashmir Hill is the editor of Fusion's Real Future. She has hacked a stranger's smart home, lived on Bitcoin & paid a surprise visit to the NSA's Utah datacenter, all while trying to prove privacy isn't dead yet. Contact her at email@example.com. PGP: D934E5E9.