The Spies in Your Email

How Yahoo risked user security by giving in to government surveillance demands.

Yahoo Mail logo is displayed on a smartphone's screen in front of a code in this illustration taken in October 6, 2016.
The way that Yahoo chose to comply with government demands should ruffle feathers, too.

Dado Ruvic/Reuters

There’s a lot we don’t know about the big news, reported earlier this week by Reuters, that if you were a Yahoo email user in April 2015, Yahoo spied on your emails at the behest of a government agency. We don’t yet have a clear idea of whether the FBI or the National Security Agency was responsible, what kind of surveillance happened, for what purpose, for how long, and under what legal theory. But while a lot of the details need to be filled in, the outline we have should trouble us all.

That April, Yahoo received some sort of classified demand that required it to scan every one of its users’ incoming emails, in real time, for a set of characters. The government may have been hunting for an email address, phone number, or some other specific identifier; a phrase in an email or attachment; or a string of computer code like a signature. It is unclear whether the government order required the company to scan the contents of email or only email header information. Yahoo has not denied Reuters’ report, but it has indicated that this surveillance has stopped.

This appears to be the first instance of a government-issued demand for real-time surveillance of every user of an internet company. Yahoo could have chosen to contest the order before the secret Foreign Intelligence Surveillance Court, or FISA Court, which has jurisdiction over these orders, as it did unsuccessfully when it received a mass surveillance order from the NSA in 2007. But this time, it went along with the demand. While the breadth of the government’s demand is concerning, how Yahoo chose to comply with it should really ruffle the public’s feathers, too—and it certainly did inside of Yahoo when this all went down.

In order to comply, Yahoo had to custom-build spy software. It is unclear whether the spyware it built was a modification of the filter it uses to scan emails for child pornography and spam or it was a more advanced hacker tool. Either way, the order essentially forced the company to become an arm of the government, which is troubling: Wiretap assistance provisions of criminal and foreign intelligence surveillance laws do not go so far as to require companies to build surveillance systems for the government. Yet Yahoo did just that.

This issue was litigated earlier this year when the FBI took Apple to court in an attempt to force it to write a new operating system that would allow the government to bypass encryption on an iPhone belonging to one of the San Bernardino, California, shooters. After a public fight, the government withdrew its case before the court could decide on Apple’s obligations. Both the Apple battle and the Yahoo case highlight one of the key conflict points between the government and Silicon Valley: the question of when exactly companies are obligated to build spying capacity for the government into their products.

As with the Apple-FBI fight, the Yahoo case raises serious questions about user security. Yahoo’s solution of writing and implementing new code left its hundreds of millions of users vulnerable to a cyberattack. Instead of bringing in its security engineers to help build, test, and deploy the spyware, Yahoo’s email engineers did all of the work. The Yahoo security team only found out about the surveillance program about a month later, when it spotted what it thought were hackers breaching the system. Additionally, the security team identified a vulnerability in the spyware that could have allowed access to users’ stored emails. According to Reuters, then–Chief Security Officer Alex Stamos (now head of security at Facebook) promptly resigned in protest, reportedly telling his staff he had been left out of a decision that hurt user security.

Concerns about user security are not the only problem highlighted by the Yahoo revelations. We now know that less than two years after the Snowden revelations began, U.S. spy agencies went right back to making secret law that undermines Americans’ Fourth Amendment protections and that goes well beyond what any statute authorizes. The New York Times and Reuters have reported that the order was issued under Title I of the Foreign Intelligence Surveillance Act of 1978, but we still don’t know what legal theory the government used to convince the FISA Court that this was a reasonable interpretation of that authority, which it certainly is not.

Title I authorizes the government to issue individualized wiretap warrants for surveillance of Americans when there is probable cause to believe that they are working for a foreign power. A plain reading of the law makes clear that it is not meant to authorize this sort of mass intrusion. This appears to be the first time Title I of FISA has been used in this manner—the first time we know about, at least. Congress owes it to every American to provide more clarity around how surveillance laws, such as Title I of FISA and Section 702 of the FISA Amendments Act of 2008 (which will expire next year), are interpreted and used, and how they impact individual privacy. Luckily, members of Congress like Sen. Ron Wyden and Rep. Justin Amash are fighting for transparency and reform of surveillance laws and practices.

It will take some time for the dust to settle from these revelations. Perhaps the clearest takeaway so far is that the public, legal experts, and members of Congress may all have underestimated what the government believes it could do both technically and legally.

Another takeaway is that, Stamos, the Yahoo security team, and those who protested how the company chose to comply with this order deserve a huge thank you from internet users everywhere—especially from Yahoo users—for trying to put security first. Stamos took a principled stand to defend user security and privacy. Hopefully the head of security at the next tech company to receive an overly broad order will follow Stamos’ lead and won’t have to quit his or her job to do so.

So far, it seems that security officials from other major companies have not been faced with that decision. Google, Microsoft, Facebook, Apple, and Twitter have all denied receiving such an order and have assured their users that if they were to receive an order like the one Yahoo received, they would fight it in court. That’s important for both users and the companies: The intelligence community’s reliance on excessive secrecy does little more than undermine the public’s trust in the U.S. government and in the American technology sector, leading to incalculable costs to businesses. At the end of the day, secret investigations are OK; secret laws are not.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.