Yahoo denies carrying out mass surveillance of users’ emails for US government amid fierce backlash
Report claims internet firm built a custom program in 2015 which scanned all its emails to help the National Security Agency and the FBI
Yahoo on Wednesday rejected allegations of mass email surveillance amid an outcry from privacy activists over a report that it created a special scanning program at the behest of US intelligence.
The report, which said the US internet giant secretly scanned hundreds of millions of email accounts to help American intelligence, was “misleading,” Yahoo said.
“We narrowly interpret every government request for user data to minimise disclosure,” the company said in a statement. “The mail scanning described in the article does not exist on our systems.”
A report on Tuesday by Reuters news agency, citing former employees of the internet firm as sources, said Yahoo had built a custom program in 2015 which scanned all its emails to help the National Security Agency (NSA) and the FBI.
The New York Times reported on Wednesday that Yahoo had been ordered by a federal judge to search its emails for a digital “signature” in an investigation seeking information about a state-sponsored entity linked to attacks.
The Times, quoting an unnamed government official, said that in order to comply with the Foreign Intelligence Surveillance Court order, Yahoo had needed to modify its software which scans for spam and child pornography.
According to the Times’ report, the government request was unusual because it required Yahoo to systematically scan all of its users’ emails – rather than hand over data from specific users.
The Office of the Director of National Intelligence, which oversees the NSA, did not respond directly to the claims but said in a statement it does not comment on “specific techniques” to gather intelligence.
The statement echoed earlier remarks from intelligence officials, saying: “The United States only uses signals intelligence for national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people.”
But the report was described by some activists as a “bombshell” which could, if proven true, reveal a new level of surveillance by the National Security Agency, already roiled by disclosures in 2013 by former contractor Edward Snowden.
“There’s still much that we don’t know at this point, but if the report is accurate, it represents a new – and dangerous – expansion of the government’s mass surveillance techniques,” the Electronic Frontier Foundation said.
Patrick Toomey, a staff attorney with the American Civil Liberties Union, said: “Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional.”
Bruce Schneier, a cryptographer and fellow at the Berkman Klein Centre for Internet & Society who has clashed with the NSA over surveillance, said he was not surprised by the latest claims.
“The NSA is spying on the internet, they use different techniques,” Schneier said.
If confirmed, the allegations would be at odds with Yahoo’s transparency report, which claimed it received a relatively small number of US government requests in 2015.
Yahoo also backed Apple’s challenge to a US government effort to force the iPhone maker to build a program to help decrypt a handset used by one of the shooters in a 2015 California shooting spree.
Julian Sanchez, a fellow at the Cato Institute and critic of NSA surveillance, said his concerns were not allayed by Yahoo’s statement.
“Yahoo’s meticulously worded statement not terribly comforting,” said Sanchez, who took issue in particular with the phrase “does not exist on our systems”.
“DID it exist? Does it exist somewhere else?” he tweeted.
It was not immediately clear how or if other US tech companies faced similar situations.
Microsoft said in a statement: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
Facebook, in a statement, said it “has never received a request like the one described in these news reports from any government, and if we did we would fight it”.
Twitter issued a similar denial.
“We’ve never received a request like this, and were we to receive it we’d challenge it in a court,” a Twitter spokesman said.
The report adds to Yahoo’s woes over security and privacy, weeks after it acknowledged data from some 500 million users may have been compromised by hackers in a breach in 2014.
In Europe, the Ireland-based Office of the Data Protection Commissioner said it would look into the latest allegations, in addition to the data breach.
“Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern by this office,” a statement by the agency said.