Yahoo Secretly Built Software To Scan All Emails Under Pressure From NSA Or FBI

from the uh-wait-a-second dept

So Reuters had a big exclusive report this morning about Yahoo creating "custom software to search all of its customers' incoming emails for specific information" at the behest of the NSA or FBI. This was built last year -- which came well after the Snowden disclosures, and after Yahoo had been revealed to have legally challenged earlier NSA dragnet attempts -- and after it had rolled out end-to-end encryption on email.

Apparently, this was a decision made at the top by Marissa Mayer, and pissed off the company's top security guy, Alex Stamos (who is awesome and a big supporter of end-to-end encryption) leading him to leave the company (and move to Facebook, where he is currently).

According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc."Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Of course, this comes out less than a week after the NY Times had a big report on how Mayer de-prioritized security, despite having built up a great team of computer security experts called "The Paranoids." But, Mayer apparently downplayed or blocked their efforts, leading many to go elsewhere. And now we find out that Yahoo agreed to create this special software for scanning all emails for certain phrases or keywords. Bizarrely, this new report notes that Mayer gave the task of writing this software not to the security team, but to email engineers, leaving the security team in the dark, until they discovered it, thinking it was malware:

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Now, there are still a number of open questions about this: chief among them if others, such as Google, Microsoft, Facebook, and Twitter were similarly compelled to create similar software. This may not be that meaningful, but the article does not say that it was a FISA Court "order" but rather a "directive" that compelled this:

The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.

The question then is what secret "directive" does the government have that allows such broad scanning? The most likely (but certainly not the only) possibility is a stretched interpretation of Section 702 of the FISA Amendments Act. That Section is responsible for two known programs for the NSA to collect info: PRISM, which had big tech companies sharing specific information with the NSA, and "upstream" collection in which broadband providers like AT&T would scan all traffic for certain information. Without more detail, it's a little difficult to know what happened here, but it sounds like something in between PRISM and upstream -- in which online service providers were similarly asked to scan all content for certain information.

It seems clear that Yahoo either didn't think it could win a legal fight over this (certainly a possibility), or that it just didn't want to. At the very least, this seems like yet another example of totally secretive rulemaking by the US government on what surveillance capabilities are legal, without any public review or adversarial process designed to make sure that civil liberties are protected. I know that many of the more paranoid folks out there think that the NSA already had deals with the big companies to scan all content, but they weren't supposed to, and as far as we knew they did not as of a few years ago. But if that changed last year, that's a big, big deal, and much more information needs to become public on this.

Filed Under: alex stamos, bulk collection, email, marissa mayer, mass surveillance, nsa, privacy, scanning, section 702
Companies: yahoo

Tech Company Officials Meet With Obama Officially About Healthcare.gov, But Focus On NSA Surveillance Instead

from the good-to-see dept

It came out yesterday that President Obama was scheduled to meet privately with a group of "tech" execs officially about the status of the healthcare.gov website. However, as some expected, it appeared that the meeting focused much more on the NSA's overreach and the need for reforms. While somewhat disappointing that the meeting was held privately, it looks like the execs made it clear that the NSA surveillance efforts were doing a lot more harm than good and something needed to change.

Schmidt, of Google, opened the meeting and laid out industry officials' concerns. Obama seemed sympathetic to the idea of allowing more disclosure of government surveillance requests by technology companies, according to a tech industry official who was briefed on the meeting. The official asked to remain anonymous because the meeting was private.

Mayer, the Yahoo! executive, brought up concerns about the potentially negative impact that could be caused if countries, such as Brazil, move forward with legislation that would require service providers to ensure that data belonging to a citizen of a certain country remain in the country it originates, the official said.

That would require technology companies to build data centers in each country — a costly problem for American Internet companies, the official said. The White House noted in a statement after the meeting that the group discussed the "economic impacts of unauthorized intelligence disclosures."

We've been saying since the Snowden leaks first came out that the tech industry needed to be a lot more vocal about how bad the NSA's actions are for pretty much everyone, so it's good to see at least some effort to continue to push that story. Of course, the list of attendees also includes AT&T's Randall Stephenson -- and AT&T has been one of the companies most complicit in the NSA's activities, something the company refuses to talk about, and unlike the actual tech companies, seems completely unwilling to address.

Filed Under: barack obama, eric schmidt, healthcare.gov, marissa mayer, nsa, nsa surveillance, randall stephenson, surveillance
Companies: at&t, google, yahoo

Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too

from the thank-ed-snowden dept

If you use Yahoo, you can now thank Ed Snowden for the fact that your data is soon going to be more secure. Last week, we noted that Microsoft still wasn't encrypting traffic on the private lines between its data centers, and that Yahoo had suggested the same thing was true, given their very vague answer when asked about it all. Google, on the other hand, had been feverishly encrypting the traffic flows since the summer. Now, Yahoo's CEO Marissa Mayer has directly addressed the issue, announcing that they're working hard to encrypt all such data transfers and that they'll have the job done by the end of March in 2014. Also, perhaps equally or more importantly, they're planning to offer users the option to encrypt all the data in and out of Yahoo by that same date. Yahoo had been a bit slower than others to really recognize the importance of encryption, but it looks like they're going all in now -- which is great to see. And, if you remaining Yahoo users out there want to thank anyone, you might want to direct that appreciation towards Ed Snowden. Without him, it's quite unlikely this would be happening right now.

Filed Under: data centers, ed snowden, encryption, marissa mayer
Companies: yahoo

Though Wrong About 'Treason', Yahoo's Marissa Mayer Shows Why It's Hard To 'Just Say No' When The NSA Comes Calling

from the that's-not-true dept

We were just having a discussion in our comments about how companies should respond to NSA (and other law enforcement) requests for information. Many of our commenters take the extreme positions that companies should never abide by such requests and should always reveal them publicly. I tend to take the view that this is a counterproductive approach that is much more likely to destroy a company and have the execs end up in jail. So, I can kind of see where Yahoo CEO Marissa Mayer is coming from when she was asked about the NSA efforts and falsely stated it would be "treason" to disobey:

"Releasing classified information is treason. It generally lands you incarcerated," she said, clearly uncomfortable with the turn of the conversation.

She repeated that claim again later, so it wasn't a one-off thing:

"I'm proud to be part of an organization that from the very beginning in 2007, with the NSA and FISA and PRISM, has been skeptical and has scrutinized those requests. In 2007 Yahoo filed a lawsuit against the new Patriot Act, parts of PRISM and FISA, we were the key plaintiff. A lot of people have wondered about that case and who it was. It was us ... we lost. The thing is, we lost and if you don't comply it's treason."

First off, let's get this out of the way: she's wrong. It's not treason. Not by any stretch of the imagination. Treason is defined in 18 USC 2381, and revealing classified info isn't there:

Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason and shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.

Releasing classified information to the public is not covered. She is right that Yahoo fought a key FISA court lawsuit and lost -- and she's right that if Yahoo didn't comply, it (and its executives) would be in serious trouble, but not treason-level trouble.

That said: this does raise a serious question about what companies can do. I know that many don't trust any other process to get this information out there. And, like everyone else, I'm happy that some individuals such as Ed Snowden and Chelsea Manning had the courage to blow the whistle and reveal government misdeeds. And I'd likely support other individuals and companies that choose to take a stand and reveal government wrongdoing. But it's a step too far to claim that it's a requirement when it's not your life on the line. And, for many companies it's not hard to recognize that there are strategies that are likely to be much more effective than flat out breaking the law. Doing so would not just open them up to a lawsuit that would be expensive, but would also open them up to being tarred and feathered by a large portion of the population. And that would likely make any "statement" they were making much less effective.

Even Lavabit, which many of us respect for choosing to shut down in the face of a government order, has not revealed the nature of that order, knowing that doing so would be monumentally stupid in the long run and counterproductive.

Strategy involves thinking multiple moves ahead, not just making the one big move upfront. That's how you lose. These fights and the efforts to stop government surveillance will die an early death if companies just flat-out ignore FISA Court orders. First off, many of them are legit, even if some people don't want to recognize that. But, more importantly, there are multiple ways you fight back against these programs, and blowing the entire strategy upfront by publicizing a single request like that is almost certainly destined to backfire. Snowden didn't just reveal the first document he came across. He planned out a detailed strategy. Assuming companies should blow a ton of goodwill and the power to effect real change by revealing the first FISA Court order that comes along, even if it's legitimate, is a quick way to destroy the company, the lives of execs, and do little to create actual change.

Marissa Mayer is wrong to claim that it's treason, but she's right that there are limits to what a single company can do. Yes, we can hope that more companies fight back against more secret orders, but at some point reality has to be a part of the discussion.

Filed Under: fisc, marissa mayer, nsa, nsa surveillance, prism, tech industry, treason
Companies: yahoo

DailyDirt: Creepy Ads From Big Data

from the urls-we-dig-up dept

Lots of advertisers are turning to data mining techniques to try to squeeze more value out of their budgets. Given all the data that gets collected by our phones/browsers/credit cards/etc, it's not too surprising that ads can get pretty creepy, pretty fast. Here are just a few stories about ads that aren't technically doing anything wrong -- but that haven't quite gotten their privacy behavior right either.

• Target has been highlighted for its uncanny ability to predict when women shoppers are pregnant. Public birth records just aren't updated anywhere near fast enough for retailers who want to know when to start sending targeted ads to new parents ASAP. [url]
• Marissa Mayer said credit card companies can predict a divorce with 98% accuracy two years before it happens. Considering 50% of marriages end in divorce anyway, that might not be considered impressive..? [url]
• Facebook uses photos from some of its users to help promote various products, and sometimes the results are far from flattering. Becoming the new spokesperson for 55 gallon tubs of lubricant probably isn't what Nick Bergus wanted to be. [url]
• To discover more interesting advertising-related content, check out what's floating around on StumbleUpon. [url]  

By the way, StumbleUpon can recommend some good Techdirt articles, too.

Filed Under: ads, data mining, marissa mayer, predictions, privacy
Companies: facebook, target