National Security

Security experts urge clients to stop using Yahoo Mail after spying report

Yahoo once again was under scrutiny after a report that at the behest of the U.S. government, its engineers had written software to scan every email message sent and received by its users.
Yahoo once again was under scrutiny after a report that at the behest of the U.S. government, its engineers had written software to scan every email message sent and received by its users.

Civil and human rights groups issued denunciations and some cybersecurity experts urged their clients to stop using the popular Yahoo Mail service after a news agency reported Tuesday that the internet service provider had secretly scanned hundreds of millions of clients’ emails at the behest of U.S. intelligence agencies.

The report by the Reuters news service said Yahoo complied with a classified U.S. government directive last year that demanded that it scan all incoming emails of its users for certain phrases. The report said Yahoo’s engineers wrote a program that complied with the blanket spying request.

“Enough is enough. It’s time to close your Yahoo account,” Graham Cluley, a British cybersecurity expert, tweeted following the report.

The report was the second piece of challenging news in recent days for the Sunnyvale, California, company as it attempts to finalize a $4.8 billion sale of its core business to Verizon. On Sept. 22, Yahoo acknowledged that the passwords of 500 million Yahoo account holders had been stolen.

Yahoo did not immediately respond to the Reuters report. A chief rival for global email, Alphabet Inc.’s Google, said it had not been approached by the intelligence agencies.

“We’ve never received such a request, but if we did, our response would be simple: ‘No way,’ ” Aaron Stein, a Google spokesman, said in a statement posted online.

Another large tech firm, Twitter, also weighed in, saying it would reject a similar directive.

“We’ve never received a request like this, and were we to receive it, we’d challenge it in a court,” Twitter spokesman Nu Wexler said. “Separately, while federal law prohibits companies from being able to share information about certain types of national security related requests, we are currently suing the Justice Department for the ability to disclose more information about government requests.”

Civil and human rights groups directed their criticism not at Yahoo but at the U.S. government, saying its request had undermined trust in the internet.

“The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit,” said Patrick Toomey, an attorney for the American Civil Liberties Union. “It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court.”

The alleged Yahoo collaboration with intelligence agencies caused turmoil in the upper ranks of the company, the Reuters report said, and led to the June 2015 departure of Chief Information Security Officer Alex Stamos.

Yahoo Chief Executive Marissa Mayer bypassed the company’s security team and went to engineers to write the program to siphon off emails in real time for the government, it added.

Stamos, who is now the chief security officer for Facebook, offered no immediate comment on the report. The federal government also did not comment.

Amnesty International, a London-based rights group, lamented what it called the eroding privacy of internet users and efforts by the U.S. government to “indiscriminately vacuum up the world’s data.”

“This is a clear sign that people can trust neither their government nor their service providers to respect their privacy: Only end-to-end encryption that keeps their communications away from prying eyes will do,” said Amnesty’s Sherif Elsayed-Ali, the head of technology and human rights.

Yahoo has gotten into hot water before for collaborating with government requests – in China. More than a decade ago, it shared information with the Chinese government that allowed for the jailing of two dissidents, one of whom, Wang Xiaoning, spent a decade in jail. The other dissident, Shi Tao, served a shorter sentence.

Yahoo’s partial sale to Verizon is already facing uncertainty over the massive data breach, which took place in 2014. Yahoo apparently did not inform Verizon of the breach, and news of it came out only last month when Yahoo user data was offered for sale on the black market.

Legal advocates said they expected Congress to be uneasy over Tuesday’s revelation.

“If Yahoo is indeed scanning the content of all of its customers’ emails at the NSA’s behest, that would appear to violate the Fourth Amendment,” said Elizabeth Goitein of the Brennan Center for Justice at the New York University School of Law.

“It’s also a violation of customers’ privacy and trust. It’s disturbing to learn that the NSA was secretly expanding its surveillance reach at the very same time Congress was attempting to rein it in,” added Goitein, who is co-director of the center’s Liberty and National Security Program.

Privacy has been a major issue in Washington since former NSA and CIA contractor Edward Snowden leaked top-secret information about National Security Agency monitoring of Americans’ email and cellphone use in 2013. Congress ended one formerly secret program after the revelations.

The issue of privacy also pitted the FBI against the tech giant Apple after the FBI sought to force Apple to circumvent security settings on a phone that had been used by one of the killers at a holiday party last year in San Bernardino, California. Apple refused a judge’s order that it do so. The impasse was resolved when the FBI allowed a company that said it had developed a way to bypass the security settings to hack into the phone.

Not surprisingly, Snowden, who now lives in Russia, was among those urging Yahoo Mail clients to abandon the service. “Use @Yahoo? They secretly scanned everything you ever wrote, far beyond what law requires. Close your account today,” Snowden tweeted.

“Any major email service not clearly, categorically denying this tomorrow – without careful phrasing – is as guilty as Yahoo,” Snowden said in another tweet.