Yahoo helped US spies scan all its emails in real time for a single phrase

  • The Verge | by: Russell Brandom |
  • 10/04/2016 12:00 AM
Yahoo built an unprecedented surveillance system in response to a government request last year, according to a bombshell report published today by Reuters’ Joseph Menn, which cites three persons familiar with the matter. The request asked for all arriving emails to be scanned for a specific string of characters, either in the body of an email or an attachment. Yahoo CEO Marissa Mayer chose to comply with the request. Crucially, the system was not restricted to a specific account or set of accounts, and custom software had to be built to scan the vast amount of email traffic in real time.

Reuters does not say what the string of characters was, however, or who the request was ultimately targeting. While Reuters sources indicate the system was ultimately functional, it’s also unclear whether the offending string of characters was ever detected or if any resulting information was produced.

It’s the first known instance of a company proactively scanning its own traffic on behalf of a US intelligence agency. The Snowden documents showed the NSA aggressively watching for "selector" terms similar to the string of characters described by Reuters, but those systems typically collected traffic in bulk from undersea data cables or other networks and searched for terms in the resulting database.

Notably, the NSA’s collection efforts included direct and covert access to Yahoo’s own private network, a program that was revealed by Snowden documents more than a year before the requests described by Reuters.

The news is also notable in light of Yahoo’s long-standing security problems, particularly concerning its mail product. The company added default HTTPS protections to its webmail in 2014, years after other services had made those protections the default. Without HTTPS encryption in place, it would have been possible for the NSA to run similar scans of Yahoo emails by scanning the unencrypted text as it passed over the public network.