Yahoo Neglected to Tell its CISO When It Permitted Mass Government Surveillance of Emails

On the heels of the announcement that hackers had accessed 500 million email accounts in 2014, Yahoo recently found itself in the spotlight for another cybersecurity issue. When the company’s security team found evidence of a major breach, they assumed they had been hacked again.

Little did they know the top executives of the firm, including CEO Marissa Mayer, had allowed the US government to scan all arriving emails for a specific signature thought to be linked to a terrorist group.

The Guardian reported information from Reuters that two former employees attributed the June 2015 resignation of Yahoo’s CISO, Alex Stamos, to the decision to permit the mass email surveillance. Stamos now heads security at Facebook.

The details of the email scanning are scarce, since it came at the behest of a federal agency. The FBI made the request to Yahoo, however the NSA is known to issue directives through the FBI using the Foreign Intelligence Surveillance Act (FISA).

While tech companies previously complied with federal requests to search stored emails or a small number of specific email accounts in real time, this appears to be the first case of an email provider permitting the search of all of its incoming messages.

In addition, The New York Times reported that Yahoo altered an existing scanning system that looks for malware, so it could scan for a signature—specific phrasing in an email or an attachment. This is the first known instance of a tech company modifying its scanning parameters to comply with a government request.

Google, Twitter, Facebook, and Apple told the Guardian that they had not received a similar request from the government. In fact, Apple refused to work with the government to create a backdoor for the iPhone to permit federal agencies to access a phone used by one of the shooters in the 2015 San Bernardino massacre.

A staff attorney with the Electronic Frontier Foundation, an Internet privacy advocate organization, said the Fourth Amendment should fully protect against scanning all emails. Andrew Crocker described the revelations as “quite staggering.” Yahoo made little comment on its actions except to say that it “complies with the laws” of the U.S.

Featured Programs: