Say 'Hi' to the NSA in Your Next Email

Sources say Yahoo let government malware scan the contents of all emails sent to Yahoo accounts. And why would the feds stop with Yahoo?


Dominic Lipinski/ZUMA Press/Newscom

It's been a rough month for Yahoo. Within a few weeks, the struggling tech-company was accused of undermining its customers' security and privacy, after a massive hack of user-data from 2014 was followed-up this fall with allegations of involvement in an unprecedented government surveillance program. The question now is whether more tech companies are secretly complying with federal orders to spy on us.

For Yahoo, the woes started in late September, when chief information security officer (CISO) Bob Lord delivered some harsh news on the firm's official Tumblr account: Yahoo had been hacked. Lord confessed that the account information of some half a billion customers had been extracted and rested in the hands of unknown parties. Fortunately, no financial information appears to have been leaked. Still, the names, email addresses, birthdays, telephone numbers, security questions, and passwords of 500 million users had been successfully lifted in the 2014 incident.

Then, in early October, Reuters reported that Yahoo secretly allowed a massive government surveillance program to scan all incoming emails to Yahoo accounts. The custom software program was reportedly built by Yahoo at the behest of the National Security Agency (NSA) and the FBI, at the direction of a Foreign Intelligence Surveillance Court judge.

According to Reuters' unidentified sources ("three former employees and a fourth person apprised of the events"), the decision of Yahoo Chief Executive Officer (CEO) Marissa Mayer to follow the directive angered some senior executives at Yahoo, and led to the departure of then-CISO Alex Stamos in June 2015.

The New York Times reports a history of skirmishes between Stamos and Yahoo executives over how much to invest in security. Stamos, who is known in the industry as somewhat of a privacy and security hardliner, often butted heads with Mayer, the Times said. Mayer was fearful that the introduction of standard security measures, like an automatic reset of all user passwords, would anger Yahoo users and drive them away to other services. Yet few things can drive users away quite like a record-setting security breach…

After the hack was revealed, Yahoo encouraged affected users to change their passwords and security questions immediately. But this was almost certainly too little, too late. Many people re-use the same exact password and security questions for many, if not all, of their online accounts. A criminal who had the hacked data could have gained access to all sorts of users' other accounts with these "master" passwords and answers to security questions. Even if this hasn't happened yet, many Yahoo users won't change their passwords for other websites and a good number won't even change their Yahoo passwords.

The company was quick to blame the attack on "state-backed actors." But as some skeptical information-security experts have pointed out, this excuse is often deployed to downplay suggestion of company negligence. In the words of security writer Bruce Schneier, "'state-sponsored actor' is often code for 'please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that.'"

Unfortunately for Yahoo, the hacking news broke right in the middle of a $4.83 billion acquisition deal with Verizon. The purchase was expected to infuse new direction and capital into the legacy tech-company. Now, it looks like Verizon may be hoping to get a $1 billion discount if it does go ahead with the deal.

But the hacking of Yahoo-user account data is small compared to recent revelations about the company cooperating with government surveillance. It's unclear what exactly the NSA and FBI were looking for, but sources told The New York Times that some Yahoo tools to scan emails for spam and child-pornography had been modified to scan for email signatures linked to a state-sponsored terrorist groups.

Others took issue with this characterization, however, with Motherboard reporting that the program was not designed or intentionally installed by Yahoo's security team at all. According to Motherboard's anonymous sources within Yahoo, the "poorly designed" and "buggy" malware was injected by external groups. When it was discovered internally, in May 2015, "they assumed it was a rootkit installed by hackers," one source said. "If it was just a slight modification to the spam and child pornography filters, the security team wouldn't have noticed and freaked out."

In this version of events, it's unclear who initially injected the government malware. After it was uncovered by the security team, however, Yahoo management was alerted—and took swift measures to keep it a secret.

In a statement, Yahoo simply said: "Yahoo is a law abiding company, and complies with the laws of the United States."

Whether the surveillance program was custom-built or passively allowed, it seems clear that it was at least tacitly approved of by Yahoo executives.

This represents a novel public-private surveillance partnership. Tech companies have collaborated with government snooping in the past, of course, when required by law. But this has typically been limited to the searching of stored communications or the targeting of a limited number of accounts for detailed scanning. In this situation, Yahoo allegedly allowed software to scan the contents of all emails sent to Yahoo accounts in real time, including those sent from within the United States.

Intelligence agencies are subject to relatively stricter limitations when undertaking surveillance that affects what's called a "U.S. person." Some NSA watchers believe that reports that this program was a "directive" suggests that this program may have been authorized under Section 702 of the 2008 FISA Amendments Act, which is not supposed to intentionally target communications of U.S. persons.

Electronic Frontier Foundation (EFF) attorney Andrew Crocker told The Guardian that the Yahoo program looks like a hybrid of bulk data-collection programs revealed by Edward Snowden, PRISM and UPSTREAM. Subjecting U.S. persons to such bulk surveillance is probably a big no-no, constitutionally speaking.

But is Yahoo the only potential NSA and FBI collaborator? Intelligence agencies, seeking to cast the widest net possible, would have an incentive to seek such orders from all of the most-popular email and communication services. This is speculation, however. And other tech companies are claiming innocence.

"We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo," said a Microsoft statement. Google went with, "We've never received such a request, but if we did, our response would be simple: 'no way.'" Facebook and Twitter likewise denied they had received any such requests, and said they would fight back if they did. And Apple, which made waves earlier this year for very publicly fighting a backdoor request from the FBI, said the same.

But the careful reader will note the fuzziness in such statements. Perhaps these companies have not engaged in the secret scanning of email traffic "like what has reported about Yahoo." Perhaps they do it in a different manner. Or these companies may have told the NSA to take a hike, and the NSA may have installed malware to secure its aims anyway (as Motherboard suggests was the case with Yahoo). Plus, we can't forget the extreme use of gag orders on technology providers.

Reuters was unable to verify whether tech companies other than Yahoo participated.

However deep this does or does not go, Yahoo's worst-month-ever provides a very good lesson about security and privacy: major third-party web-service providers are full of security holes.

We trust that some combination of conscience and profit-motive will compel these companies to protect our security and privacy. Yet Yahoo seems to have failed customers on both counts: It allowed its security to falter, even though this could harm its reputation and future profitability, and it allowed government agencies to compromise customers' privacy even though many people who worked there—especially former CISO Stamos—had a strong moral commitment to privacy. Perhaps Google, Facebook, and Microsoft have stronger institutional committments regarding privacy, or at least a sharper eye toward maintaining their profit margins. But maybe not. And if that is the case, it is only a matter of time until another "Yahoo" makes itself known.

The truth is that there are major security vulnerabilities baked into the designs of most of the technology services that we use every day. Technologies that are truly privacy- and liberty-enhancing will reflect that committment in their designs. One good example is encrypted-messaging app Signal, which is set up so developers would be unable to turn over private information to the government even if they wanted to. For now, such technologies are difficult to build and not exactly embraced enthusiastically by powerful governments. But for people who desire privacy and security that does not rely on the tech-companies' better angels, such services present a real and hopeful alternative to the uncertain status quo.

NEXT: Your Life in Numbers

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. By hacking my yahoo account, they found out that I come in second every fucking year in my fantasy football league!

    1. you should’ve declared that 2nd place payout.

    2. By hacking my yahoo account, they found out that I’m a closet lactochuggaluggarian (drinker of milk, straight from the container). Also, they now know that I scratch my mammaroids with chaw-tobacco-soaked brillo pads. I don’t know what I will EVER do if the feds spill the poop on me!

      1. A chuggalo, then.

    3. hacking your email account & bulk collecting email can reveal an enormous amount of information about you even if you never send a single email. even if u simply added the account to your cell phone checking the logs from where your phone connects provides a rough & ready estimate of your movements. the information gleaned gets more comprehensive when the account is used as a recipient address for bills and online shopping.

      reading the actual emails you send is only part of the problem with this. i get that yall are joking, but its good to keep in mind that even if the emails u sent from yahoo are not particularly damaging, your privacy has been extremely violated here.

      also the biggest part of this story is the involvement of the FBI. why js everyone acting as though their being a part of designing bulkcollection software w/ the NSA is normal? there bas been very little to no reporting or evidence showing the FBI having this level of control on bulk collection implementation & their using of such data has been a major controversy in the past. wtf?

    4. If they’re monitoring phone calls, every week I call my family in the USSA from Taiwan. we always talk about CIA snooping, bombs, guns, and simiilar subjects. I don’t know if they’re listening, but I’ll probably find out next time I make entry into the USSA.

  2. If you aren’t using Protonmail already, get on it. Your mailbox is encrypted so even if the feds demanded access to it, the folks at Protonmail would have nothing to hand over except some garbled 256-bit AES encrypted text.

    1. I just started using protonmail for one of my personal domains.

    2. If security were that critical, why would you use cloud-based email and/or rely on them to encrypt/decrypt?

      OTP or GTFO.

      1. But of course so-called security is not critical. The real, and highly critical, problem that we need to confront is the insidious Trolls of the Net. Imagine the consequences, if they were to use encryption techniques to conceal their crimes. Surely nobody here would wish to defend the “First Amendment dissent” of a single, isolated judge in America’s leading criminal satire case? See the documentation at:

        1. Give it a rest, guy.

  3. “let”

    Why do so many ostensibly anti-surveillance activists and journalists use this type of language when available evidence suggests they were ordered to participate in this program? The government is to blame here, and the responsibility should be rested squarely on their shoulders.

    1. Because Yahoo didn’t defy the government and not just refuse to comply, but also didn’t publicize the order, on the grounds that the demand that it be kept secret was also unconstitutional?

      1. Publicly traded companies can’t and shouldn’t be expected to “refuse to comply” (nor should privately held companies, for that matter, even if leadership can sometimes be a bit less risk averse). It’s easy to talk tough when it’s not your job or money on the line.

        Before someone says “But but Apple!!!”: they did not “defy” the government or “refuse to comply”, as commonly parroted in the media; they were given a chance by the judge to respond to the AWA order, and they did — in a public court, in a very public manner that burnished their reputation by privacy, delivering shareholder value.

        If we narrow / redefine “refuse to comply” to “seek a stay and fight off the order in court”, note that Yahoo has fought a FISA order before.…..lassified/.

        1. Fucked up the link. It was supposed to be: They lost.

      2. Constitution? We don’t need no stinking Constitution! Or badges.

    2. Well, Yahoo deserves some small amount of blame for not telling the NSA to get bent, but at the same time, you’re right in that the government shouldn’t have the authority to demand this shit in the first place. And as I pointed in another thread, it’s entirely possible that the NSA had enough blackmail dirt on Mayer that she felt like she had to fold like a cheap suit.

      Although it would have been nice if they showed a little backbone as well as maybe let their own security team know what was going on.

  4. The question now is whether more tech companies are secretly complying with federal orders to spy on us.

    This is not news. It’s like every few weeks a news story springs forth from the ether that details the latest revelations of how the NSA is spying on our communications and treats it like a new story. Sort of like how we keep discovering the first earth-like exoplanet.

    1. I haven’t had a chance to read the whole article, but I’m confused… aren’t tech companies ordered to comply with National Security Letters which, by government design FORBIDS the company from talking or revealing their cooperation?

  5. RE: Say ‘Hi’ to the NSA in Your Next Email
    Sources say Yahoo let government malware scan the contents of all emails sent to Yahoo accounts. And why would the feds stop with Yahoo?

    The feds should never stop at Yahoo.
    They should stick a microphone up all our rectums to see if there is any shit going down.

  6. My last pay check was $9500 working 12 hours a week online. My sisters friend has been averaging 15k for months now and she works about 20 hours a week. I can’t believe how easy it was once I tried it out. This is what I do,

    go to tech tab for work detail,,,,,

  7. Where’s my fainting couch?

  8. Umm, this is old news, or you simply do not understand english. Obama, months ago, made what the NSA was colllecting legal to be distibuted to the FBI, CIA, SS, IRS. MONTHS AGO! Wait, I may have found another reason for you to have not got it…. you believe our government is not capapble of such crimes against its own people. Wrong?

  9. until I looked at the paycheck saying $4730 , I did not believe that…my… brother woz like actualy bringing in money part time from there computar. . there friend brother started doing this for less than 7 months and resently paid for the morgage on there home and bought a new Cadillac …….


  10. Peyton . even though Billy `s report is cool… on monday I got a gorgeous Maserati after I been earnin $8985 thiss month and even more than ten k lass month . it’s certainly the easiest work Ive ever had . I started this 9-months ago and practically straight away started bringin home at least $78 per-hr . look at this now


  11. While coming to education, the technology has brought many advantages to students and as well as teachers. showbox For example, students can do their homework or assignment with ease and can complete it faster by using the Internet.

Please to post comments

Comments are closed.