Yesterday, a very aggressive and very secret surveillance operation was abruptly made public. According to an exclusive Reuters report, Yahoo complied with a government order last year asking the company to scan all incoming emails for a specific string of characters — effectively surveilling hundreds of millions of users in search of a single phrase or snippet of code. In a statement this morning, Yahoo called the report "misleading" and emphasized that the mail-scanning system does not currently exist on company servers, but did not otherwise dispute the report.
It’s the biggest surveillance news in years — and suggests that despite the post-Snowden chill, many companies are more than willing to cooperate with ambitious government requests. But more troubling than the system itself is the way it was justified. Reuters’ reporting makes clear that, despite the unprecedented nature of the proposed system, Yahoo simply didn’t believe it had legal grounds for refusing the government. Other tech companies have lined up to say they wouldn’t comply with such a request — including Google, Microsoft, Facebook, and Twitter — but the fact that Yahoo felt it had to raises up an uncomfortable question. Was the mass-wiretap order sent to Yahoo legal? And if not, why not?
"Precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit"
For privacy groups, the answer is simple: the Fourth Amendment says you need a warrant, and you can’t get a warrant for 300 million users at once. We don’t know exactly how the government justified the order to Yahoo, although a subsequent New York Times report indicates it was approved by a FISA court judge. But however it happened, there’s good reason to think it would have violated the warrant requirements of the Fourth Amendment.
"The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit," says Patrick Toomey of the American Civil Liberties Union. The Electronic Frontier Foundation took a similar tack in a statement this morning, saying, "The sweeping warrantless surveillance of millions of Yahoo users’ communications described in the Reuters story flies in the face of the Fourth Amendment’s prohibition against unreasonable searches."
NSA's Adm. Mike Rogers says, re Yahoo! story, that a blanket look at all email "would be illegal." #cambridgecyber— AJ Vicens (@AJVicens) October 5, 2016
The crucial words are "suspicionless" and "unreasonable." The government may have had good reason to investigate anyone using the telltale string of characters, but they had no reason to suspect any particular email of containing the string. It’s not even clear whether the government had reason to suspect the email would arrive in a Yahoo account rather than a Gmail or Outlook account. The result is the equivalent of searching every house in a city block to look for a missing gun. Without some particular suspicion to justify the search, it’s unconstitutional. Companies routinely grant access to specific email accounts, but only after the owner of the account has been shown to be party to a crime. Without that specific suspicion, the government is asking for what lawyers call a "general warrant," a clear violation of the Fourth Amendment.
"The executive branch has an obligation to notify the public."
But as the Snowden documents showed, the government has become very good at sidestepping those protections in the name of national security. Section 702 of the Foreign Intelligence Surveillance Act (FISA) authorizes the government to target foreign targets for foreign intelligence purposes — and often compel assistance from network carriers in doing so. Since the order only authorizes foreign targets, intelligence services argue that Fourth Amendment concerns don’t apply — but those same collection efforts also sweep up vast amounts of communications by US citizens. As a result, groups like the ACLU and EFF have long argued that 702 authorizations violate the Fourth Amendment for the same reasons described above.
Because the Yahoo system targeted anyone using the telltale string of characters, there’s also reason to think that even 702 might not be enough to justify it. According to the 2014 PCLOB report, the NSA has typically used Section 702 to target foreign actors using an email address or other identity-based tags, rather than looking for keywords the contents of a message itself. According to Senator Ron Wyden (D-OR) — a longtime surveillance critic — the Yahoo order could represent a troubling break from that practice. "The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers," Wyden said in an email to Ars Technica. "If that has changed, the executive branch has an obligation to notify the public."
Fulfilling the order meant building a brand-new system
There’s also the issue of compelled coding, a crucial element in Apple’s San Bernardino case earlier this year. The government wasn’t just asking for access to Yahoo’s records or a peek into their network. Fulfilling the order meant building a brand-new system, one that presented lasting privacy and security risks to Yahoo’s customers and network. It’s not clear how any of the existing surveillance authorities could be used to compel that kind of work.
The result is something of a muddle, leaving intelligence agencies with plenty of grounds to make the request and companies plenty of grounds for resisting it. The bigger problem is how that disagreement might play out. Yahoo was facing an intelligence request rather than a law enforcement request, so it couldn’t be challenged in open court, a lesson Yahoo had itself learned after a seven-year battle against a separate 702 request. At one point, the company was threatened with fines of $250,000 per day. The company dodged the fines but ultimately lost the fight, the details of which were only made public in the wake of the Snowden leaks.
The result is daunting logic for any company trying to challenge such an order, even with the constitution on its side. It’s still unclear whether the Fourth Amendment defense put forward by the ACLU and EFF would hold up under pressure from an intelligence agency — and that uncertainty isn’t an accident. The groups have been actively trying to test those laws for years, and the government has been working just as hard to block the cases from going through.
The result is that, when a company like Yahoo gets an order like this, it’s hard to say whether it’s lawful or not, and it could take years of legal warfare to find out. As long as the government can keep the law ambiguous, there’s no legal protection to appeal to. Even if a company decides to fight, that fight will take place in secret courts friendly to intelligence agencies, and it may take years to reveal there was ever a fight in the first place. That’s a scary thought for Yahoo and other tech companies, but it should be even scarier for their users.
Update 4:12pm ET: Updated with details from subsequent New York Times report.