Since 2001, Yahoo has tussled with governments on surveillance. Recent security failures have not helped it cope with the pressure.
An explosive Reuters investigation revealed today that Yahoo “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials.”
The program is significant not just because it was kept secret from users, but because of the scale involved and because the searches would have taken place in real time.
Yahoo’s woes in the wake of its 2016 disclosure that 500 million accounts were compromised two years ago continue, with further revelations about the hack and about Yahoo’s business practices during this period.
Though the most recent news items cover unrelated incidents, both have again called into question the company’s commitment to users’ privacy and made clear that the business end and the security team were frequently at loggerheads over some of the most consequential decisions the tech giant has faced since its founding.
Long, losing battle for Yahoo
This effort demonstrates a much more cooperative approach between the tech giant and governments than before. The U.S. intelligence community went to tech giants seeking this level of access within days of the September 11, 2001, attacks, approaching the email and ISP titans of the time, like AOL and Yahoo, to search their logs and explore the wiretapping options available then.
In 2007, as Reuters notes, the company fought the U.S. government over having to conduct account searches, despite being subject to massive fines for its stance. It lost that fight in court, however, and then had to cooperate with the government. Then, from 2008 to 2010, Yahoo webcams were allegedly, and forcefully, breached by the National Security Agency (NSA) as well as the UK’s GCHQ. The company reacted angrily to the intrusion, saying it had no idea it had taken place while the intelligence services snatched up millions of still images from the webcams.
Reuters says that the contents of the searches remain classified. A legal challenge against the program is unlikely. By 2015, when the NSA came to Yahoo with its search request, Yahoo probably understood its reluctant participation in PRISM after the 2007 case, bulk surveillance precedents set by telecoms in years past, and decisions about “cross-border surveillance” practices online as constituting legal precedent for cooperating with the NSA.
Security team at odds with business end
But the cooperation also took place without the input of the company’s security team and its then-Chief Information Security Officer, Alex Stamos. He eventually left the company to become Facebook’s CSO. His departure was, in the end, part of a larger clash between him and other Yahoo executives over a variety of issues, including this custom software program, but also over Yahoo’s reluctance to spend as much on security as Stamos and his security team, dubbed “the Paranoids,” wanted.
To further compound Yahoo’s image problem, the cyber security firm InfoArmor now contests Yahoo’s attribution of the 2014 hack to a nation-state. According to InfoArmor, the breach that targeted Yahoo’s third-party vendors in 2014 was carried out by a collective, known as “Group E” to investigators, “who [since 2012] were hired to compromise customers databases from a variety of different targeted organizations.”
Yahoo has not yet named the supposed nation-state, citing its ongoing investigation.