Yahoo built an unprecedented surveillance system in response to a government request last year, according to a bombshell report published today by Reuters’ Joseph Menn, which cites three persons familiar with the matter. The request asked for all arriving emails to be scanned for a specific string of characters, either in the body of an email or an attachment. Yahoo CEO Marissa Mayer chose to comply with the request. Crucially, the system was not restrained to a specific account or set of accounts, and custom software had to be built to scan the vast amount of email traffic in real time.
Reuters does not say what the string of characters was, however, or who the request was ultimately targeting. While Reuters sources indicate the system was ultimately functional, it’s also unclear whether the offending string of characters were ever detected or if any resulting information was produced.
It’s the first known instance of a company proactively scanning its own traffic on behalf of a US intelligence agency. The Snowden documents showed the NSA aggressively watching for "selector" terms similar to the string of characters described by Reuters, but those systems typically collected traffic in bulk from undersea data cables or other networks and searched for terms in the resulting database.
Notably, the NSA’s collection efforts included direct and covert access to Yahoo’s own private network, a program that was revealed by Snowden documents more than a year before the requests described by Reuters.
The news is also notable in light of Yahoo’s long-standing security problems, particularly concerning its mail product. The company added default HTTPS protections to its webmail in 2014, years after other services had made those protections the default. Without HTTPS encryption in place, it would have been possible for the NSA to run similar scans of Yahoo emails by scanning the unencrypted text as it passed over the public network.
Because the request did not identify a particular email, there has been significant speculation that it may have been sent to other major email providers as well.
Reached for comment, Google denied receiving any similar orders. "We've never received such a request," a Google spokesperson said when reached for comment, "but if we did, our response would be simple: 'no way'."
Microsoft issued a similar statement, saying, "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo."
Apple also denied receiving such an order, saying: "We have never received a request of this type. If we were to receive one, we would oppose it in court."
Facebook also denied receiving the request, saying: ""Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it."
Update 5:15pm ET: Updated with comment from Google and related info.
Update 5:24pm ET: Updated with further comment from Microsoft.
Update 9:47pm ET: Updated with comment from Apple and Facebook.