Yahoo secretly monitored email for US government
October 4, 2016 2:22 PM
Yahoo last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials, sources have told Reuters. The company complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency (NSA) or FBI, said two former employees and a third person who knew about the programme.
Some surveillance experts said this represents the first known case of a US internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time. It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified. Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
I guess it's time for all of us to start hosting our own email servers.
posted by CheeseDigestsAll at 2:26 PM on October 4, 2016 [15 favorites]
"The NSA was disappointed to discover that 96% of Yahoo users only signed up for the email service to play fantasy football or login to Flickr."
posted by selfnoise at 2:29 PM on October 4, 2016 [62 favorites]
alright congratulations everyone we've pretty much arrived at the worst case scenario the most paranoid slashdot user could come up with. good job! see you in the camps!
posted by entropicamericana at 2:30 PM on October 4, 2016 [19 favorites]
Experts said it was likely that the NSA or FBI had approached other internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. ... Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied. Alphabet’s Google and Microsoft, two major US email service providers, did not respond to requests for comment.
posted by Gerald Bostock at 2:33 PM on October 4, 2016 [5 favorites]
They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
This part in particular fascinates me. Bypass the security team, it gets discovered because the security team is reasonably competent, and now people are resigning. (This appears to line up with the details coming out from the Yahoo security breach)
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
I also have to wonder about what it must be like to be a developer handed something like this. The secrecy, the logistics, etc. What does someone say at their daily standups to cover for this? Who all gets to know?
posted by CrystalDave at 2:35 PM on October 4, 2016 [46 favorites]
Luckily, my Prodigy account wasn't hacked.
posted by a lungful of dragon at 2:35 PM on October 4, 2016 [6 favorites]
The bigger news is that executives at Yahoo deliberately chose not to disclose a very large data breach in 2014.
posted by schmod at 2:36 PM on October 4, 2016 [6 favorites]
And remember: these are the spineless enablers that we know about
posted by lalochezia at 2:41 PM on October 4, 2016 [15 favorites]
Nothing about this surprises me. Nearly every other positive aspect of the nation I grew up in has been degraded (yes, that would be White Lady Privilege speaking, and sorry about that part) so heaven forfend that there be any privacy left. I thought you had to get narrowly defined wiretapping approval that wasn't the equivalent of a blank check. Guess I was wrong about that.
posted by Bella Donna at 2:43 PM on October 4, 2016 [4 favorites]
“… there is no warrant that could possibly justify scanning all emails”
From what I understand, FISA warrants (and even their existence) are secret, so Crocker of the EFF is correct: there is no warrant that could possibly justify scanning all emails
posted by scruss at 2:44 PM on October 4, 2016 [1 favorite]
It's a really good thing that I haven't used yahoo mail in literally decades.
Part of the problem is that it doesn't have to be you that used Yahoo, just anyone you wrote e-mails to or anyone that someone forwarded e-mails you wrote to. It's almost certain that they tried to get Google to do the same thing, and while we might snicker a little here about the relative lack of technical expertise of the average Yahoo mail user and how we don't send them anything, Google's hosted e-mail for domains means that your messages can easily be flowing through them and unless you're looking up the MX of outgoing domains, you're going to be unaware.
posted by Candleman at 2:45 PM on October 4, 2016 [3 favorites]
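The check Candleman describes, looking up the MX records of the domains you write to in order to see whose servers actually receive the mail, as an added example that is not part of the thread or of any product mentioned in it. The provider suffix table and the sample MX answers are constructed for illustration (the hostnames are not verified records), and the live lookup path assumes the `dig` CLI is installed:

```python
"""Map correspondent domains to the mail provider that actually receives their mail.

Added example, not code from the thread: a domain name alone says nothing about
who hosts its mailboxes; only the MX records do. This classifies MX hostnames
by provider so you can see which of your correspondents' mail transits a given
hosted service.
"""
import subprocess

# Constructed suffix table (assumption): an MX hostname ending in one of these
# labels is attributed to the named provider. Extend it for your own environment.
PROVIDER_MX_SUFFIXES = {
    "yahoo": (".yahoodns.net",),
    "google": (".google.com", ".googlemail.com"),
    "microsoft": (".outlook.com", ".protection.outlook.com"),
}

# Constructed sample answers standing in for live DNS responses so the example
# runs offline. Format matches `dig +short MX`: "<preference> <host>."
SAMPLE_MX = {
    "alumni.example.edu": ["10 alumni-example-edu.mail.protection.outlook.com."],
    "smallbiz.example": ["1 aspmx.l.google.com.", "5 alt1.aspmx.l.google.com."],
    "isp.example.net": ["1 mta5.am0.yahoodns.net."],
    "selfhosted.example.org": ["10 mail.selfhosted.example.org."],
}


def lookup_mx_sample(domain):
    """Offline resolver backed by the constructed SAMPLE_MX table."""
    return SAMPLE_MX.get(domain, [])


def lookup_mx_dig(domain):
    """Live resolver: shells out to `dig +short MX <domain>` (assumes dig is installed)."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=False)
    return [line for line in out.stdout.splitlines() if line.strip()]


def parse_mx_line(line):
    """'10 MX.Example.com.' -> (10, 'mx.example.com'): strip the root dot, lowercase."""
    pref, host = line.split(None, 1)
    return int(pref), host.strip().rstrip(".").lower()


def classify_host(host):
    """Attribute one MX hostname to a provider, or 'other' if no suffix matches."""
    for provider, suffixes in PROVIDER_MX_SUFFIXES.items():
        if any(host.endswith(s) for s in suffixes):
            return provider
    return "other"


def mail_handlers(domain, lookup=lookup_mx_sample):
    """Sorted, de-duplicated list of providers whose servers accept mail for domain."""
    records = sorted(parse_mx_line(l) for l in lookup(domain))
    return sorted({classify_host(host) for _, host in records})


def report(domains, lookup=lookup_mx_sample):
    """Map each domain to its handlers. A domain with no MX records is flagged
    'no-mx' (SMTP then falls back to the domain's A record, which this does not resolve)."""
    return {d: (mail_handlers(d, lookup) or ["no-mx"]) for d in domains}


if __name__ == "__main__":
    # Swap in lookup_mx_dig to run this against real domains.
    for domain, who in report(SAMPLE_MX).items():
        print(f"{domain:28} -> {', '.join(who)}")
```

Run it over the domains in your own sent-mail headers to learn which providers sit on the receiving end; a domain that looks independent will often resolve to a hosted service.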
This is Byzantine, as is the spying.
posted by clavdivs at 2:49 PM on October 4, 2016 [1 favorite]
"The point is that thing you keep missing," as the poet said, "...the point is power. Power doesn't need to explain itself, power is not about explaining. Power just does because it can."
If there's a mechanism for tyranny, there's going to be tyranny.
posted by Frowner at 2:52 PM on October 4, 2016 [19 favorites]
This is Byzantine, as is the spying.
No saintly portraits were either desecrated or revered in the production of this sentence.
posted by y2karl at 2:59 PM on October 4, 2016 [3 favorites]
I wonder if this was supposed to be something that came out via Wikileaks, like maybe the sources came forward when they saw that Assange was going to do this slow drip kind of thing and decided that they wanted to get the story out now.
a lungful of dragon: Luckily, my Prodigy account wasn't hacked.
Could you not do this, please? They're a huge email provider, they've been around a long time, a lot of people were affected by this.
posted by indubitable at 3:02 PM on October 4, 2016 [2 favorites]
I am a network security engineer and the thought of the CEO doing this where I work...and being discovered by my team...and the way our team is driven by some pretty hardcore principles based on fairness and "doing the just thing"...well, we would revolt and scorch the earth with the asses of every person involved in a scheme like this.
I hurt for their security team.
That just fucking lowdown sucks.
posted by Annika Cicada at 3:05 PM on October 4, 2016 [22 favorites]
The fact this is completely not shocking or surprising is the saddest thing of all.
posted by rokusan at 3:13 PM on October 4, 2016 [16 favorites]
Did the CEO really think the security team wouldn't discover this?
And all we have is hope that Google, Microsoft et al haven't done the same thing, but rather less stupidly.
Oh for a usable serverless email protocol.
posted by Devonian at 3:16 PM on October 4, 2016 [2 favorites]
Then again, it well could've been a provision of the NSL that Meyer *couldn't* tell Stamos. Layers within layers.
posted by CrystalDave at 3:23 PM on October 4, 2016
"The NSA was disappointed to discover that 96% of Yahoo users only signed up for the email service to play fantasy football or login to Flickr."
Also I used it for my fake facebook account back when I played dumb facebook games.
posted by advil at 3:23 PM on October 4, 2016 [2 favorites]
Then again, it well could've been a provision of the NSL that Meyer *couldn't* tell Stamos. Layers within layers.
Intending to become a pediatric neurosurgeon,[28] Mayer took pre-med classes at Stanford University.[22] She later switched her major from pediatric neuroscience to symbolic systems,[29] a major which combined philosophy, cognitive psychology, linguistics, and computer science.[16]--wiki
It goes back farther, for this is what often happens when you groom elite college graduates to run corporations. They tend to forget everything they were taught.
posted by polymodus at 3:28 PM on October 4, 2016 [2 favorites]
provision of the NSL that Meyer *couldn't* tell Stamos. Layers within layers.
Yeah, no. She could tell two developers on a dev team but not her own IT security counsel? That's on her. She chose to do that because she knows her CISO would have resigned upon receiving a request to comply with an order like this.
My respect for Stamos has grown.
posted by Annika Cicada at 3:45 PM on October 4, 2016 [4 favorites]
Did the CEO really think the security team wouldn't discover this?
This is the same person who micromanaged the "redesign" of the company logo over a weekend.
posted by indubitable at 3:49 PM on October 4, 2016 [8 favorites]
The first question that comes to mind is "Who else?"
posted by ethansr at 4:40 PM on October 4, 2016 [2 favorites]
My apologies to Prodigy.
posted by a lungful of dragon at 4:43 PM on October 4, 2016 [2 favorites]
I'm always amazed when the NSA gets caught on things like this because I've pretty well assumed the NSA is filtering the bulk of email and has been since practically forever either illegally or with FISA warrants.
posted by Mitheral at 4:49 PM on October 4, 2016 [3 favorites]
As an aside, it's interesting that the story is not at all on Yahoo News. Not on the main site, not under the US tab, and not in tech.
Maybe I should have expected it, but it's disappointing all the same since I used to consider Yahoo a pretty fair and comprehensive aggregator of news.
posted by kyp at 4:54 PM on October 4, 2016 [2 favorites]
It's a really good thing that I haven't used yahoo mail in literally decades.
Yeah, it's a good thing your parents don't use their ISP-provided email address to email you. The one which was outsourced by said ISP to Yahoo and the one they've had for at least thirteen years.
posted by MikeKD at 5:09 PM on October 4, 2016 [3 favorites]
For those of you hurf durfing, remember that email's a two way street - you may not use yahoo mail, but you may be mailing people who do. Or, like mikekd says, haven't farmed out a high value low return function to them.
posted by boo_radley at 5:24 PM on October 4, 2016 [4 favorites]
I still have a yahoo account, but it is only for junk now. I had a university alumni account that I used as my main personal email for over 20 years until this summer, when they decided to farm it out to Microsoft instead of running their own servers in Canada. I just don't trust email services that run their servers in the US anymore because of stuff like this.
posted by fimbulvetr at 5:42 PM on October 4, 2016 [1 favorite]
Grand jury subpoena for Signal user data, Eastern District of Virginia LOL
posted by jeffburdges at 6:27 PM on October 4, 2016
Snowden disclosures helped reduce use of Patriot Act provision to acquire email records: Leaks in 2013 helped shift FBI away from using controversial Section 215 to acquire internet metadata, US justice department watchdog finds
posted by jeffburdges at 6:48 PM on October 4, 2016 [1 favorite]
Crystal Dave's comment mentioning Yahoo's daily standups got me wondering if Yahoo uses agile. In the process of looking around I found this short video, which I think provides some context about Yahoo software development culture.
posted by Lazlo Hollyfeld at 6:58 PM on October 4, 2016 [1 favorite]
It'll rock if (a) court cases and convictions got overturned for using mail collected from yahoo as evidence, and (b) interesting lawsuits dragged yahoo through court for ages.
posted by jeffburdges at 7:02 PM on October 4, 2016
Well since everyone has been asking (from the ArsTechnica coverage):
A spokeswoman for Microsoft, Kim Kurseman, e-mailed Ars this statement, and also declined further questions: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"
posted by danny the boy at 7:05 PM on October 4, 2016 [3 favorites]
The Easter Bunny, and Santa Claus never read my emails.
posted by Oyéah at 8:13 PM on October 4, 2016
oh shit my terror cell is also my fantasy football league
posted by klangklangston at 9:02 PM on October 4, 2016 [8 favorites]
How much is Verizon paying for this pile of dung and why?
posted by AugustWest at 9:49 PM on October 4, 2016 [2 favorites]
The smug "lol who uses Yahoo anymore?" comments in this thread are missing two things:
(a) Lots of people do use Yahoo, whether you approve or not; they don't deserve to be thrown to the wolves.
(b) Remember, this is a program to scan incoming mail - which means that even if you have a dormant account you never use, if you receive email that is spam, misaddressed, intentionally mischievous, whatever, you're still going to be flagged because of this.
Pissed off and wanna delete your dormant account? Watch out: their terrible, completely insecure policy of recycling email addresses means that even deleting the account comes with a huge hassle: you need to first ensure the Yahoo address is not linked to any online account that matters, else the next person to get your Yahoo email address will have access to it (thanks to the common password-reset-email practice). And of course then there's the fact that the new owner of this email address could impersonate you if they wished to anyone you've ever given your Yahoo email address.
posted by splitpeasoup at 11:20 PM on October 4, 2016 [8 favorites]
If you aren't doing anything wrong, what do have to fear? (ctrl-alt-sarcasm)
I just threw up in my mouth a little bit typing that. I have to go take a shower now.
posted by AJScease at 3:54 AM on October 5, 2016
Article from 2014 in regards to events from 2007-2008:
Yahoo $250,000 daily fine over NSA data refusal was set to double 'every week'
posted by I-baLL at 10:51 AM on October 5, 2016
I guess I'm getting cynical in my old age, because I read unequivocal-sounding denials like these with a lot more leeway:
A spokeswoman for Microsoft, Kim Kurseman, e-mailed Ars this statement, and also declined further questions: “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”
-> "Our secret scanning program was a very different kind." Or maybe, "We never scanned, we just forwarded everything to someone else to scan."
For its part, Google was the most unequivocal. Spokesman Aaron Stein e-mailed: "We've never received such a request, but if we did, our response would be simple: 'no way.'"
-> "That wasn't what we were asked to do. We were asked to do something quite different, like giving direct access to the decrypted traffic."
posted by RedOrGreen at 11:02 AM on October 5, 2016 [5 favorites]
Oh for a usable serverless email protocol.
Would you settle for a provider not under US jurisdiction?
posted by flabdablet at 11:54 AM on October 5, 2016
The show "Person of Interest" has as its premise that one of the main characters programmed an AI to scan people's communications just like this; and one of his justifications is that he trusts an algorithm better than he trusts a person. An algorithm can't target someone for no reason, it can't use information for unauthorized purposes, and any information that isn't relevant to the algorithm becomes completely invisible to the human eyes it provides information to.
I don't necessarily trust the coders or users of these algorithms but I have to wonder if they might be on the right track. It doesn't feel as creepy to have a robot going through my metaphorical underwear drawer.
posted by Rainbo Vagrant at 11:54 AM on October 5, 2016
"The show "Person of Interest" has as its premise that one of the main characters programmed an AI to scan people's communications just like this; and one of his justifications is that he trusts an algorithm better than he trusts a person. An algorithm can't target someone for no reason, it can't use information for unauthorized purposes, and any information that isn't relevant to the algorithm becomes completely invisible to the human eyes it provides information to."
Heh, that's not the premise of "Person of Interest". The premise is that a guy was hired to make an AI that wouldn't target anybody because it looked at EVERYBODY. Who hired him? The NSA. And what did he do to prevent abuse of power? He made the system give the NSA only the social security number or some identifying number for people who were either terrorists or would become victims of terrorists. Then the premise of the show is that it also started spotting things like inevitable murders and such and... it's a good show. One of those cyberpunk shows that ends up being real (it premiered before Snowden's whole thing.)
posted by I-baLL at 12:08 PM on October 5, 2016
well one thing we can agree on is that all this surveillance certainly has stopped mass shootings, bombings, and other terrorist attacks, which was the flimsy excuse this whole double-time march to totalitarianism hung on.
posted by entropicamericana at 1:03 PM on October 5, 2016 [4 favorites]
Has any company tried flagrantly disobeying one of these national security letters? I'd like to see if it goes to the supreme court or if the CEOs just get disappeared one by one until one of them agrees to it.
posted by Galaxor Nebulon at 1:44 PM on October 5, 2016
The smug "lol who uses Yahoo anymore?" comments in this thread are missing two things:
Three - you need a second email for security reasons. Mine was an old yahoo account. :(
posted by srboisvert at 3:02 PM on October 5, 2016 [1 favorite]
I don't necessarily trust the coders or users of these algorithms but I have to wonder if they might be on the right track. It doesn't feel as creepy to have a robot going through my metaphorical underwear drawer.
Yes but the robot's job is to find things for people to look at.
posted by ethansr at 5:07 PM on October 6, 2016
Not that I have anything to hide...
posted by 81818181818181818181 at 2:26 PM on October 4, 2016 [4 favorites]