Bombshell revelations that Yahoo conducted mass email surveillance is raising hackles among legal, civil liberties and security experts that demand Yahoo and the U.S. government come clean. Meanwhile Yahoo challenged the accuracy of Tuesday’s report by Reuters.

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems,” Yahoo said in a statement.

The Electronic Frontier Foundation and others say the Reuters report, while incomplete, drives more distrust between US citizens, government spy agencies and one of the nation’s largest Internet companies. They assert, whatever the truth, American citizens have a constitutional right to know the truth.

“There’s still much that we don’t know at this point, but if the report is accurate, it represents a new—and dangerous—expansion of the government’s mass surveillance techniques,” said Andrew Crocker and Mark Rumold, attorneys with the EFF in a post responding to the Yahoo revelation.

Reuters reported Tuesday that last year Yahoo had created an internal program to scan “all arriving messages” to Yahoo email inboxes for “a set of characters.” According to three Reuters sources, the request was made by either the National Security Agency or the FBI. It’s also unknown what the officials were looking for.

According to the Reuters report, the surveillance program was discovered by Yahoo’s security team in May 2015. The reports claims the Yahoo security team initially believed hackers had infiltrated its system.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

If the report is true, the surveillance would be unprecedented in scope and go beyond NSA’s PRISM program, revealed by Edward Snowden in 2013, according to the EFF. “This is the first public indication that the government has compelled a U.S.-based email provider—as opposed to an Internet-backbone provider—to conduct surveillance against all its customers in real time,” it wrote.

The Yahoo surveillance program represents a troubling new twists to government surveillance, the EFF believes.

Under the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to hand over customer data to aid foreign intelligence-gathering efforts in an effort to prevent terrorist attacks and for a variety of reasons.

The EFF said the government has said these programs only “target” foreigners outside the U.S. and wouldn’t impinge on American citizens’ constitutional rights. “Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely domestic communications involving millions of Yahoo users,” Crocker and Rumold state.

Ironically, in 2007 Yahoo fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant.

According to statements from leading Internet companies Microsoft, Twitter, Google, Facebook and Apple, the government surveillance program highlighted by Reuters appeared to single out Yahoo.

Twitter spokesperson Nu Wexler said: “We’ve never received a request like this, and were we to receive it we’d challenge it in a court.  Separately, while federal law prohibits companies from being able to share information about certain types of national security related requests, we are currently suing the Justice Department for the ability to disclose more information about government requests.”

A spokesperson for Google said in a statement, “We’ve never received such a request, but if we did, our response would be simple: ‘No way’.”

“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” Microsoft said in a statement.

For its part Yahoo, reacting to the Reuters story, issued the initial statement, “Yahoo is a law abiding company, and complies with the laws of the United States.”

Still Robert Graham, a security researcher and the owner of Errata Security, says there are too few details regarding the revelations to draw solid conclusions. Unclear to Graham, based on the Reuters report, is whether Yahoo searched all incoming emails or scanned email accounts. “Did they ‘search incoming emails’ or did they ‘scan mail accounts’?” he wrote in a blog post. He asserts there are still many big details that need to be better understood.

“The story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story,” Graham said.

One of those theories posited by journalist and entrepreneur Declan McCullagh is that the Department of Homeland Security “provided Yahoo with classified malware signatures to use when scanning incoming email.

“This is very plausible. There is a lot of information sharing between government and private agencies,” said Tyler Shields, vice president of strategy at Signal Sciences, a web security firm. He explains, a government agency may have been investigating previously unknown malware used in a nation state attack, or similar. “It’s feasible that the DHS reached out to Yahoo with knowledge the malware was being used against one or many of its users. Further identifying other targets of the malware would help DHS determine the malware’s sender and authors.”

Categories: Government, Privacy, Web Security