Yahoo Mail just received another blow to its already crippled reputation. Citing "people familiar with the matter", Reuters reported that last year Yahoo Inc secretly collaborated with US intelligence officials to develop custom software that scrapes all of its users' incoming emails for specific information. In real time!
"The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events," Reuters revealed.
Let's face it, Yahoo has never been an email service primarily focused on security and privacy. However, working with the NSA and the FBI behind the scenes on mass email surveillance is exorbitantly scandalous! In civilized countries, this is against the constitution!
Surveillance on a HUGE scale
According to surveillance experts, this is the first known case of a US Internet company complying with an intelligence agency's request to search ALL incoming messages in real time, as opposed to examining stored messages or scanning a small number of selected accounts in real time.
US phone and Internet companies are infamous for handing over bulk user data to intelligence agencies. But some former government officials and private surveillance experts admitted that they had never seen such a wide request for real-time web surveillance, nor one that required the creation of a new computer program.
"I've never seen that, a wiretap in real time on a 'selector'," lawyer Albert Gidari, who has 20 years of experience representing phone and Internet companies on surveillance issues, told Reuters.
It's not yet known what the NSA and the FBI were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, the anonymous sources explained.
"It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court," Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.
The tapping wreaked havoc within Yahoo
Some Yahoo employees were upset about the outrageous decision not to fight the request and thought the company could've prevailed, the sources said. It even angered some senior executives and led to the resignation of Chief Information Security Officer (CISO) Alex Stamos in June 2015.
Yahoo's comment on this huge insider leak was very, very laconic:
"Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters, declining any further comment.
Yahoo's own security team was in the dark
Employees and executives were also upset that Yahoo's CEO Marissa Mayer and Yahoo General Counsel Ron Bell kept the company's security team in the dark, according to the sources. It was Yahoo's email engineers who were ordered to write the massive surveillance program that fetches messages with specific information.
As a matter of fact, Yahoo's security team discovered the program in May 2015, weeks after its installation, thinking hackers had broken in.
When Stamos learned that Mayer had authorized the program, he resigned as CISO and told his subordinates he'd been left out of a decision that hurt users' security, the sources shared. Moreover, he told them hackers could've accessed the stored emails due to a programming flaw.
More companies are likely in the same pot
According to experts, it's very likely that the NSA or FBI had approached other Internet companies with the same demand. After all, Yahoo isn't the only email service out there.
Google and Microsoft hurried to state that they hadn't conducted such email monitoring.
"We've never received such a request, but if we did, our response would be simple: 'No way'," a Google spokesman noted.
"We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo," a Microsoft spokesperson said.
But you know what they say: the wicked run away when no one is chasing them. Not a single thinking person would blindly believe their claims. They're just too big not to play with the government.
How to protect yourself from Yahoo and mass email surveillance in general
Edward Snowden has already tweeted that everyone should stop using Yahoo Mail. But you don't need Snowden's advice to do the most obvious thing in the world.
The bigger question is what to do in general in order to protect the privacy of your email communication. Go to another generic email provider, even though they're all likely collaborating with the NSA, FBI, etc.?
If you care about your privacy, you need a service that was made for it. Like our Secure Email app or other secure email services provided by niche companies.
Our Secure Email is still a normally functioning email service, but it's been shielded by PGP end-to-end encryption since the day it was created.
PGP is one of the best ways to ensure cryptographic privacy and authentication. It protects the contents of messages and files from being understood even by well-funded organizations with vast computing resources. Edward Snowden used PGP to send files to Glenn Greenwald.
According to Bruce Schneier, PGP is “the closest you’re likely to get to military-grade encryption”.
It's time to make your email private again. Don't leave it under anyone's magnifying glass.