Just when you may have thought it was safe to start trusting Yahoo again with your personal information after the large data breach that saw 500 million accounts hacked in 2014, there comes news that the search portal and email website has been scanning its own users’ emails for key information to hand over to the U.S. government.
According to a report from Reuters, the government’s Foreign Intelligence Surveillance Court (FISA) mandated that Yahoo install email sniffing and monitoring software so the company could flag any emails containing certain keywords or phrases associated with terrorism as specified by government intelligence agencies.
Neither the keywords or phrases nor the specific agency or agencies were named, although the National Security Agency (NSA) typically processes such data for the government’s intelligence community. It’s suspected that similar mandates may have been given to other email services such as MSN or Hotmail, but this has not yet been confirmed.
When Yahoo received the government’s orders, there was internal disagreement about whether to comply; Yahoo CEO Marissa Mayer wished to give the government everything it asked for whereas many members of the company’s IT department, including Alex Stamos, the firm’s Chief Information Security Officer, disagreed.
The company’s legal department came to the conclusion that it wouldn’t be able to win a court battle regarding the orders, and Stamos ultimately resigned his position; it’s unknown if others at the company went with him.
The Yahoo filtering application would copy suspicious emails to a location where government agencies could look at them remotely. Yahoo’s own IT security personnel were not told about the additional processing until after the filtering went live.
When the security team found out what was happening, they originally thought that hackers had accessed users’ accounts. In fact, the copied emails were indeed vulnerable to outside hackers as the copies were no longer contained within the Yahoo company firewall.
According to reports, it was this lack of security specifically that led Chief Information Security Officer Stamos to quit; Stamos claimed that he didn’t want to be associated with mandated user security violations.
In the wake of these revelations, it’s been reported that Verizon, the company that recently agreed to acquire Yahoo for $4.8 billion and merge it with AOL, now wants a $1 billion discount on its purchase due to a loss of user trust and goodwill. This may be on top of an additional $1 billion that the company might wish to set aside for legal liabilities related to the hacking case.
In fact, there are now some reports that Tim Armstrong, Verizon’s head of its AOL unit, may want to kill the deal entirely. “In the last day, we’ve heard that Tim is getting cold feet. He’s pretty upset about the lack of disclosure, and he’s saying can we get out of this, or can we reduce the price?” said a source at the company. Yahoo reportedly is highly resistant to either scenario; the company’s board is due to meet regarding these issues in the immediate future.
Verizon had originally been hoping that a merger of AOL with Yahoo might create a powerful enough service to compete with Facebook and Google for digital advertising. As of today, the combined Yahoo and AOL entity would have roughly one billion users, and there are plans to grow this number to two billion by 2020, but it’s unknown what the fallout of these multiple scandals will mean for Verizon.
Verizon has yet to even complete the total integration of AOL into its firm, despite closing on the $4.4 billion acquisition of the former Time Warner partner 16 months ago.
Between this spying and the earlier hacking of the 500 million accounts, it’s hard to see how anyone would entrust their data or confidential secrets to Yahoo’s systems now.
Although the government owned up to massive warrantless NSA surveillance of consumer phone call records in the 2000s after the 9/11 terror attacks, the NSA said at the time that its programs only collected so-called “metadata” — the information included which phone numbers were called, how long calls lasted and where calling parties were physically located, as opposed to the contents of the calls themselves.
At the same time, the government has said it has the right to warrantlessly monitor all electronic communications — voice, email, text message, chat message, fax or otherwise — in any case where American citizens or foreign nationals are suspected of being associated with terrorist states or organizations.
Some government officials and legislators have expressed concern about this surveillance, and in theory, the government has dialed back the quantity and quality of it, but most members of the intelligence community agree that virtually no unencrypted data is safe from government eyes should particular agencies or officials desire to look at it.
In a notable case, the FBI paid hackers more than one million dollars to hack into the iPhone belonging to San Bernardino mass-shooter Syed Farook in the wake of his ISIS-related killing spree there. The FBI was ultimately able to access everything on the phone, despite Apple assuring its users that “cracking” the phone’s security was an impossible task.
That incident alone should be more than enough to convince users that if the government wants to read someone’s email badly enough, they will, especially if it’s sent using a major-brand email service such as Gmail, Hotmail or MSN.
In fact, it’s highly likely that government agencies had “backdoors” to those services installed years ago and can specifically target any emails they want to look at. In this day and age, essentially no data is safe, a message predicted in science-fiction author William Gibson’s short story “Johnny Mnemonic” more than 35 years ago.
The government’s convenient excuse is, “if you have nothing to hide, why worry?” But this is a far cry from the famous adage attributed to Benjamin Franklin — “Those who would give up essential liberty to purchase a little temporary safety deserve neither.”