Yahoo Secretly Built Software To Scan All Emails Under Pressure From NSA Or FBI
from the uh-wait-a-second dept
So Reuters had a big exclusive report this morning about Yahoo creating "custom software to search all of its customers' incoming emails for specific information" at the behest of the NSA or FBI. This was built last year -- which came well after the Snowden disclosures, and after Yahoo had been revealed to have legally challenged earlier NSA dragnet attempts -- and after it had rolled out end-to-end encryption on email.Apparently, this was a decision made at the top by Marissa Mayer, and pissed off the company's top security guy, Alex Stamos (who is awesome and a big supporter of end-to-end encryption) leading him to leave the company (and move to Facebook, where he is currently).
According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc."Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.Of course, this comes out less than a week after the NY Times had a big report on how Mayer de-prioritized security, despite having built up a great team of computer security experts called "The Paranoids." But, Mayer apparently downplayed or blocked their efforts, leading many to go elsewhere. And now we find out that Yahoo agreed to create this special software for scanning all emails for certain phrases or keywords. Bizarrely, this new report notes that Mayer gave the task of writing this software not to the security team, but to email engineers, leaving the security team in the dark, until they discovered it, thinking it was malware:
They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.Now, there are still a number of open questions about this: chief among them if others, such as Google, Microsoft, Facebook, and Twitter were similarly compelled to create similar software. This may not be that meaningful, but the article does not say that it was a FISA Court "order" but rather a "directive" that compelled this:
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.The question then is what secret "directive" does the government have that allows such broad scanning? The most likely (but certainly not the only) possibility is a stretched interpretation of Section 702 of the FISA Amendments Act. That Section is responsible for two known programs for the NSA to collect info: PRISM, which had big tech companies sharing specific information with the NSA, and "upstream" collection in which broadband providers like AT&T would scan all traffic for certain information. Without more detail, it's a little difficult to know what happened here, but it sounds like something in between PRISM and upstream -- in which online service providers were similarly asked to scan all content for certain information.
It seems clear that Yahoo either didn't think it could win a legal fight over this (certainly a possibility), or that it just didn't want to. At the very least, this seems like yet another example of totally secretive rulemaking by the US government on what surveillance capabilities are legal, without any public review or adversarial process designed to make sure that civil liberties are protected. I know that many of the more paranoid folks out there think that the NSA already had deals with the big companies to scan all content, but they weren't supposed to, and as far as we knew they did not as of a few years ago. But if that changed last year, that's a big, big deal, and much more information needs to become public on this.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: alex stamos, bulk collection, email, marissa mayer, mass surveillance, nsa, privacy, scanning, section 702
Companies: yahoo
Reader Comments
Subscribe: RSS
View by: Time | Thread
Yahoo committed treason against this nation.
How does it constitute treason? It failed to protect the American people in their "right to be secure in their persons, houses, papers, and *effects*, against unreasonable searches and seizures" This constitutes grave damage to the people of this nation by Yahoo's betrayal of trust, which is one of the definitions for Treason.
Now, I don't know about you, but I damned sure count my e-mails as "personal effects", and am damned sure that I have not, and will not allow anyone from the lowliest beggar to the PoTUS or SCoTUS to redefine them in any way.
[ link to this | view in chronology ]
Re: Yahoo committed treason against this nation.
That being said, Treason is definitely occurring just not in the manor of which you are accusing. Yahoo is not required to honor the 4th in regards to the email accounts it hosts, it is not an extension of the Law, this is just more 3rd party doctrine being used for government to skirt the 4th. Since these actions are not being used to aid an enemy of the US (that we know of) then it cannot be classified as treason. For now, it is just fucking unconstitutional... not that any of my fellow citizens give a flying fuck though. As long as they have their Cheeze Whiz and Superbowl Sundays... they are are kept little arm chair patriots.
Every Nation gets the Government it Deserves!
~Joseph De Maistre
[ link to this | view in chronology ]
Re: Yahoo committed treason against this nation.
But apparently the Constitution is no longer the highest law of the land and superseded by secret laws that are not even open to democratic scrutiny. Nobody knows what rights and recourse Yahoo or U.S. citizens have under those secret laws: the government does what it wants to and labels its own rules a state secret. Basically everybody pretends that there has been a military coup and the Constitution has been suspended, with the Bill of Rights being optional for the government.
Yahoo is not treasonous but incompetent and sleazy if they don't do their part in protecting their users' rights.
The treason is committed by the government. Execute everybody involved with putting the Constitution out of order and see whether the rest then understands that swearing an oath on the Constitution is serious business.
Oaths have meanings. And it's not Yahoo who had to swear an oath on the Constitution in order to be admitted into service of the People of the United States of America.
[ link to this | view in chronology ]
Re: Re: Yahoo committed treason against this nation.
Which would change the equation legally, compared to the government doing the scanning and selection of emails.
[ link to this | view in chronology ]
Re: Re: Yahoo committed treason against this nation.
Um, but if Yahoo is acting as an agent of the government by I don't know say instituting a government surveillance system.
[ link to this | view in chronology ]
Re: Yahoo committed treason against this nation.
[ link to this | view in chronology ]
Re: Yahoo committed treason against this nation.
Yahoo didn't damage the nation with it's "betrayal of trust." They were dipshits years ago. ANYONE using Yahoo in 2016 is someone that can't be trusted anyway.
Not treason.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
If I was a disgruntled ex-employee selling my stock would be a wise move before leaking to the press.
[ link to this | view in chronology ]
Re:
That coffin must be worth a fortune in scrap metal by now. Probably Yahoo's primary asset.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
...as well as with some who are.
[ link to this | view in chronology ]
Re: Re:
NSA's explicit responsibility is to attack other countries and defend the U.S. *government*. Nowhere in their charter does it say anything about protecting U.S. companies or citizens.
[ link to this | view in chronology ]
[Raises hand]
Once a "conspiracy theory" pondering, turns out to be true... AGAIN!!! And again and again and again.
Ok smart people... why would the gov do this to Yahoo and not MicroGoogleBook?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
https://www.techdirt.com/articles/20160714/10134734971/huge-win-court-says-microsoft-does-n ot-need-to-respond-to-us-warrant-overseas-data.shtml
Now, that involved data stored on foreign servers, and it's certainly not a guarantee that MS has never complied with any other government requests for data. But it *does* imply that MS's leadership is cognizant of the importance of maintaining overseas customers' faith that the US government wasn't spying on their E-Mails, in a way that Yahoo wasn't.
Still and all, E-Mail is based on outdated, unsecure protocols, and, whether companies are complying with government spying requests or not, people should always assume that nothing they put in their E-Mail is really private.
[ link to this | view in chronology ]
Adjust your threat model
It is not a leap to imagine a similar system applying to voice phone conversations.
[ link to this | view in chronology ]
Social media and communications platform have become defacto platforms of societal surveillance.
[ link to this | view in chronology ]
Re:
So what you want to do is run code inside facebook. It will help you find the people that you want it will show you the people whose behavior and whose social circles tell you that they are what you want by way of agent, sources what their adversaries are and who you can torture to get to them.
So you don’t want data out of facebook the day you have data out of facebook it is dead. You want to put code into facebook and run it there and get the results you want to cooperate."
[ link to this | view in chronology ]
Re:
Duh!!
"Social network" is simply another name for "Surveillance network".
When Google, Facebook, Twitter, Linked-In, etc., build surveillance platforms to sell consumer data to advertisers, why wouldn't the government use the third party doctrine to get the information?
The government could simply have purchased access to the information like any other paying customer, but by using secret rubber-stamp FISA orders, they get the information for free.
[ link to this | view in chronology ]
https://www.amazon.com/gp/product/B00UMBGZH4/ref=kinw_myk_ro_title
It's kind of, sort of, possible even now.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
This would only catch really dumb terrorists
[ link to this | view in chronology ]
Re: This would only catch really dumb terrorists
Not if your intent is to preserve the political status quo, and nip protest movements in the bud by identifying people to put on the no-fly list or otherwise hinder the potential leaders ability tom meet with each other, or get to Washington to lead the Protest. Asset seizure of vehicles is another handy tool for this purpose
[ link to this | view in chronology ]
Re: This would only catch really dumb terrorists
[ link to this | view in chronology ]
Re: Re: This would only catch really dumb terrorists
[ link to this | view in chronology ]
Re: This would only catch really dumb terrorists
[ link to this | view in chronology ]
Re: Re: This would only catch really dumb terrorists
[ link to this | view in chronology ]
Re: This would only catch really dumb terrorists
Political protesters, people with jobs those in charge don't like, people that do legal stuff those in charge don't like.
Whoever is running the US government has no respect for their own laws or constitutional rights. American citizens do not have any protections they think they do, when those running the show ignore them.
[ link to this | view in chronology ]
Hmmmm
[ link to this | view in chronology ]
Re: Hmmmm
[ link to this | view in chronology ]
Worse than nothing
So they spend time and money to implement end-to-end encryption for the email, and then spend time and money to implement code that makes that completely worthless.
At this point they'd have been better off never bothering with end-to-end encryption at all because it's blatantly clear that they'll break it the second someone with enough power asks them to.
[ link to this | view in chronology ]
Re: Worse than nothing
[ link to this | view in chronology ]
Re: Worse than nothing
But as you pointed out, it looks like the NSA is trying to replicate BULLRUN domestically, which is a gigantic "fuck you" to Silicon Valley. We can reasonably assume the same has been imposed on other tech companies that publicly stated that they encrypted data between all their datacenters - Google and Facebook included. Perhaps this is the FBI order Sergey Brin and Larry Page refused to comply with in 2014 and were subsequently arrested for and walked out of Google HQ in handcuffs. Obviously they have since capitulated and agreed to comply with the order from the FBI since.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Except that the 500 million appeared to include very old accounts that had not been used in aeons. (I read somewhere) that was part of Marissa Mayer's justification for not doing an automatic password reset or sending out an earlier notification - the fear that users with old accounts would close the account rather than create a new password, hence leading to LOSS OF REGISTERED USERS - a disaster far worse PR than, you know, letting personal information be stolen. Far far worse, when one has stock prices, your own reputation and the next gig to care about.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Between this and other recent revelations, I'm seriously thinking I should completely shut down the account and use a new email address. The problem is... who to trust?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Not a single bit of my real name or life is associated in any way with any of my emails.
But then again I have always been paranoid about such things.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
We don't have the ability to stop them because we don't know who they are, what they're doing and we're denied legal means of fighting back. Some might call it searching for a needle in a haystack. These days, it seems more like finding the hay in a stack of needles.
[ link to this | view in chronology ]
Even worse than previous programs
But this, this is a search of everyone, right from the start, no suspicion or even mere connection to some suspect. It's the equivalent of searching everyone's house for evidence they committed some crime. It's an actual general warrant.
[ link to this | view in chronology ]
Re: Even worse than previous programs
And when, a few years down the road they 'request' that every company that sells to or offers service to anyone in the US does the same thing it will still be a 'narrowly worded request', because it only applies to companies on one planet.
[ link to this | view in chronology ]
This explains why Yahoo email is so slow...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Wait a minute...they BUILT software?!
Why would anyone who knows ANYTHING about email do that?
Software to do exactly that has existed, in numerous forms, since the last century. To name just one piece of it, out of dozens and dozens: SpamAssassin. (Of course SpamAssassin does much more than that, but stay with me here.)
It would be the work of a few hours to take the list of words, character strings, or phrases provided by the government, configure it into SA, remove everything else, and set it up to either copy messages to a secondary mailbox or divert them entirely (so that the intended recipient never got them). I'd imagine that the former would be desirable in order to avoid alerting recipients and thus, eventually, senders.
This is a trivial task for anyone who's run a mail system for a couple of years and has worked with the various moving parts, i.e., SMTP servers, POP and IMAP servers, anti-spam configuration, and so on. It's not a development task: it's a configuration task, since all the pieces already exist and just need to be put together.
Incidentally, while not in play here, searching already-stored mail is equally trivial. See "grepmail" for -- again -- one of many readily-available tools.
So why is Yahoo telling us that they had to build this? And especially why are they telling us that when we all know they already have content-scanning software deployed in the their mail system? (It's part of the anti-spam, anti-malware defenses they like to brag about.)
[ link to this | view in chronology ]
Re: Wait a minute...they BUILT software?!
They deliberately did NOT WANT their own IT/IT security teams to know what they were doing so they had this done by the email code team. The IT security team discovered it after it had gone live and they reported it upwards because they thought they'd caught Y! being hacked from outside.
[ link to this | view in chronology ]
Re: Re: Wait a minute...they BUILT software?!
[ link to this | view in chronology ]
Re: Re: Re: Wait a minute...they BUILT software?!
[ link to this | view in chronology ]
Missing the Details
Isn't it quite curious that three sources dropped-a-dime on the government, Yahoo, and what happened - but across a dozen stories, not one single one stated 'what they are searching for'?
HINT: It is ONE person (and goofy search strings they think will lead them to him by querying), and beyond that, I can't say more. Maybe someone could share more-interest in 'what' they are searching for, instead of the obvious - their breaking the law to find him, er, it.
[ link to this | view in chronology ]
Re: Missing the Details
No, because it's irrelevant to Yahoo's actions.
"HINT: It is ONE person"
...and you know this because...?
[ link to this | view in chronology ]
I tire of spooks who pretend that the arbitrary discretion of Intelligence Community policymakers and analysts somehow make this okay in the slightest. It's a grossly disingenuous argument by someone who doesn't have the courage to stand by their convictions.
[ link to this | view in chronology ]
Not to worry.
[ link to this | view in chronology ]
The next "directive"
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The special characters NSA was looking for is...
[ link to this | view in chronology ]
Agent of the Government?
I wonder if yahoo billed the government for all the IT work they had to do extra?
[ link to this | view in chronology ]
GLOBAL FORENSIC ICT SOLUTIONS
.
This CYBER SHOCK AND AWE, has-- I feel!-- caused Netizens to become SHELL SHOCKED! I mean... one week you're wondering if an "intergalactic invasion" has hit earth, and the next week you're wondering whether the "aliens" are actually living next door!... and whether Donald Sutherland will knock any minute, and ask that your children accompany him to a "landing pad"!
.
It's A-B-U-N-D-A-N-T-L-Y C-L-E-A-R-- to me!-- that the BEHAVIOR of our "Internet Gatekeepers" is affecting/ impacting on everything we're attempting to do on the Net! In attempts to "catch the bad guy", these "Gatekeepers" have moved into the realm of P-S-Y-C-H-O-P-A-T-H-I-C B-E-H-A-V-I-O-R!... and leaving many Netizens with little-- OR N-O!-- recourse!
.
It's time for a G-L-O-B-A-L C-O-A-L-I-T-I-O-N O-F N-G-O-+-N-P-O S-E-C-U-R-I-T-Y A-D-V-O-C-A-C-I-E-S, T-O M-O-U-N-T T-H-E L-A-R-G-E-S-T N-E-T-I-Z-E-N L-A-W-S-U-I-T I-N H-I-S-T-O-R-Y, A-N-D T-H-E E-S-T-A-B-L-I-S-H-M-E-N-T O-F T-H-E L-A-R-G-E-S-T "N-E-T-I-Z-E-N I-C-T D-E-F-E-N-C-E L-E-A-G-U-E I-N H-I-S-T-O-R-Y"!
.
Enough!... of allowing Netizens to walk around with their hands over their ears!... to lesson the impact of the "daily explosions"!
.
Please!... no emails!
[ link to this | view in chronology ]
Re: GLOBAL FORENSIC ICT SOLUTIONS
Also the shouting just makes people not want to read the post.
If you just share your insight like a normal person more eyes will bother to read it. ;P
[ link to this | view in chronology ]
Re: Re: GLOBAL FORENSIC ICT SOLUTIONS
Where is the edit button... :(
[ link to this | view in chronology ]
Re: Re: GLOBAL FORENSIC ICT SOLUTIONS
[ link to this | view in chronology ]
Re: Re: Re: GLOBAL FORENSIC ICT SOLUTIONS
.
Please!... no emails!
[ link to this | view in chronology ]
Re: Re: GLOBAL FORENSIC ICT SOLUTIONS
.
Please!... no emails!
[ link to this | view in chronology ]
Frankly,
It seems to take a Mayer to effectively say "You want a backdoor? I'll give you a backdoor! Let's pull down our city walls for you!"
She puts the ancient Trojans to shame. It would seem that she left her "Don't Do Evil" motto at Google. Not that they had any use for it.
[ link to this | view in chronology ]
OK Google, tell me what crimes are happening in this area?
"There are 18 drug deals currently going occurring in a 15 mile radius - would you like to see them on a map?"
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Trust
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Bunch of no good lying human life interferers
[ link to this | view in chronology ]
Problems with PRISM? Use PrismCipher!
[ link to this | view in chronology ]