How Safe Are Your Emails? Not Very, If You’re On Yahoo.

We have to ask the important questions about our privacy as users of internet.

In today’s fast moving times of technology and devices, ‘Big Brother’, the all surveilling eye, which once used to be term for the loathed and feared omniscient monster of fables, is becoming more and more a part and parcel of our lives.

When we do talk about it, the very thought of being constantly screened is scary to most of us, but the truth of the matter is that surveillance is becoming easier by the day, to do, as well as to hide.

The latest case in point is that of Yahoo and its alleged email scanning.

There are multiple allegations of Yahoo, from a variety of different sources, all of whom seem to be gathering information from sparse sources.

The gist of them seems however to be quite clear: Yahoo scanned user emails for information for the US government.

What’s particularly unusual and is the cause of the storm is instead of a systematic scanning of a select set of use accounts (something that does not feel as abhorrent), Yahoo allegedly scanned all it’s users accounts systematically.
Reports say that this occurred over a period in 2015, and the scanning has been terminated now.

The alleged scanning began last year, after Yahoo CEO Marissa Mayer and other executives apparently decided that fighting a government order to search the messages was futile, the report said, citing unnamed sources.

This could perhaps in part have been due to the sadly lost battle of 2007, when Yahoo had failed to successfully fight the FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case have remained sealed, but a partially redacted published opinion showed Yahoo’s was unsuccessful in standing up to the authorities.

In a seemingly related incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. This of course brings new scrutiny to the company and their handling of user information.

When question regarding the allegations were made to Yahoo, they initially declined to comment, and later denied them. Any questions directed to the supposedly involved NSA were directed to the Office of the Director of National Intelligence, who declined to comment.

While my usual go to sources for credible information are NYTimes and Reuters, for this one I have had to rely on a comprehensive study with various other sources, since the two seem to be telling entirely different tales altogether.

Reuters on one hand claims that a custom software program was built by Yahoo to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials; the NYTimes instead claims that a pre-existing system generally used to scan for child porn, and spam, helped to search for a particular “signature” associated with one terrorist group.

We believe, this disparity between the two claims seems to be the result of the fact that Reuters is relying on people within Yahoo for their information, while those within NYTimes seem to be relying on unnamed government officials.

As per reports by NYTimes, two government officials confirm that Yahoo was served with an individualized court order to look for code uniquely used by a foreign terrorist organization. They refrain from getting too much into the technical aspect of the process but portrayed it as Yahoo adapted a scanning system that it already possessed to carry forward the order.

Sources for Reuters however state that a program for siphoning messages was commissioned by Merissa Mayer and Yahoo General Counsel Ron Bell, and then embedded close to the email servers for remote retrival. It was reportedly discovered within three weeks by the security team, who had been left out of the decision making process and thought they were being hacked. Subsequently the security team head resigned, with personal ideological differences and without a formal public statement.

What is also noteworthy is another difference between their stories: According to the NY Times, unlike the original Reuters report that talked about a “directive” (which would imply an NSA surveillance program such as the one under Section 702 of the FISA Amendments Act), the scanning was actually the result of a more traditional FISA court order.

If search requests were made by the US government, this is not the first time that a government or a federal body of any country has made a similar request. It hasn’t been too long since Apple fought a very public battle with the FBI over the cracking of an iPhone that belonged to an alleged terrorist (we’d covered that through three insightful articles available here, here and here).
Other companies that deal with a lot of data, like Facebook and Google have been doing rounds to ensure the privacy of their customers. Messenger services are introducing encryption, and email servers being more and more remotely located. Blackberry had for a while been milking the fact that their servers were placed in Canada for privacy reasons (it later of course came out that the authority had decryptions keys to the servers since 2010).
But this one with Yahoo seems to be one of the rare instances where the orders were complied with without much of legal (and a very public) battles.

The decision seems to not have sit quite right with some top guns at Yahoo either. The allegations put the blame of Merissa Meyers for having decided to comply with the supposed orders instead of put up a fight for their customer’s Fourth Amendment rights to privacy. Retrospectively, this also seems to be the reason that a few top guns at Yahoo left, including the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

Critics were quick to denounce Yahoo for this.

The infamous Edward Snowden of WikiLeaks took to Twitter to state “They secretly scanned everything you ever wrote, far beyond what the law requires. Close your account today”. Other similar companies in the market, including Microsoft, Google, Apple, Twitter and Facebook, also quickly distanced themselves from the matter, issuing statements claiming that they have not been a part of similar action. The company however is vehemently denying of any such scanning.

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure”, Jacob Silber, a spokesman at the crisis communications firm Joele Frank, wrote to Fortune on behalf of Yahoo. “The mail scanning described in the article does not exist on our systems”.

Amidst the allegations and denials, began third party theorizing.

Former journalist Declan McCullagh took to Twitter to state that “it’s possible that an agency such as the Department of Homeland Security told Yahoo what to look for”, he said, “along the lines of the Cybersecurity and Information Sharing Act”.
Matt Tait, of the British spy service CGHQ, speculated that the report may represent a quiet expansion of PRISM, a clandestine data collection program authorized by Section 702 of the Foreign Intelligence Surveillance Act.

As those, and other informed speculations stay, answers are being demanded, and not just by the enraged public.

A bipartisan group of 48 lawmakers in the U.S. House of Representatives on Friday, demanded an explanation, and a briefing from the Obama administration regarding these allegations. “As legislators, it is our responsibility to have accurate information about the intelligence activities conducted by the federal government”, according to the letter, organized by Republican Representative Justin Amash of Michigan and Democratic Representative Ted Lieu of California. “Accordingly, we request information and a briefing as soon as possible for all members of Congress to resolve the issues raised by these reports”.

Legal experts have also questioned if this does not violate the Fourth Amendment rights against unreasonable searches.

It is however impossible to make any conclusions about this particular incident, because of a lack of information from Yahoo as well as supposed agencies involved. All the information that we do have right now seems to only be from unofficial sources, or people who want to stay anonymous. The fact that none of them seem to be willing to provide any information to the accord, any official information that is, only means with certainty that something certainly went down.

The only thing certain is the ambiguity of the question: How safe are our emails?!

Originally published at Chip-Monks.