The revelation this week that Yahoo scanned the incoming emails of hundreds of millions of Yahoo users set off a storm of condemnation. The real outrage is that this kind of government surveillance, frequently abetted by the collaboration of telecom and tech companies, is pervasive and has little or no oversight.
As told by Reuters and the New York Times, Yahoo received a secret order last year from a judge of the Foreign Intelligence Surveillance Court (FISC) that compelled the company to customize an existing scanning system (used to find and report child pornography and malware) to search emails for a computer "signature" tied to the communications of a state-sponsored terrorist organization. Emails containing the signature were turned over to the NSA or FBI -- and Yahoo was barred from disclosing the matter.
In other words, Yahoo was destined to be the fall guy, left to twist in the wind by a system of secret courts and government gag orders. Its terse statement -- "Yahoo is a law-abiding company, and complies with the laws of the United States" -- did nothing to defend it against the torrent of calls for users to ditch Yahoo services. But legally, the company could disclose nothing more about what data it did or did not turn over -- and why.
Therein lies the rub.
Gag on this
Twitter and Microsoft have both sued the government over its indiscriminate use of secret orders -- often of unlimited duration -- that forbid them to tell customers about requests for their data. Apple, which said it received about 590 gag orders in the first eight months of 2016, is backing Microsoft's case.
Co-opting tech companies into aiding the intelligence community has become common practice. Earlier this year, Apple was ordered to assist the FBI in breaking the encryption of a terrorist's iPhone. Apple resisted, Yahoo did not -- this time.
In 2007 Yahoo fought a secret legal battle with FISC, challenging an order to turn over to the FBI and NSA -- without a warrant -- emails of customers living abroad who had been targeted for surveillance. The court ruled against Yahoo, and after being threatened with huge fines, the company complied. Sources told Reuters that when approached last year, Yahoo's execs decided to comply rather than fight, in part because they thought they would lose again.
With a little help from our friends
While the scope of Yahoo's actions -- searching in real time the emails of all its customers, rather than individual accounts -- is broader than others that have come to light, this kind of request is not new. AT&T and Verizon have been facilitating NSA spying operations for decades.
Yahoo's is not even the biggest email grab on record. Edward Snowden's leaks revealed that starting in 2003 and continuing for at least a decade, AT&T gave the NSA access to billions of emails as they traveled across its domestic networks. One NSA document described AT&T as "highly collaborative," while another lauded the company's "extreme willingness to help."
It was revelations about the vast scale of NSA surveillance that led many Silicon Valley companies to begin encrypting communications to thwart it. Intelligence agencies, in turn, have responded by obtaining secret orders that compel tech companies to perform the surveillance for them.
Yahoo's emails are encrypted as they travel from one server to another, but can still be read by Yahoo.
"Many email companies started encrypting their emails in transit since [Snowden's leaked documents] came out," Trevor Timm writes. "The NSA probably can't do that type of surveillance unilaterally (or with the help of AT&T) anymore. The U.S. government now seems to be moving to force internet companies to do this type of mass surveillance for them, on the companies' servers, where the data remains accessible."
Insecurity for all
Yahoo implemented the scanning tool without consulting its security chief, Alex Stamos. Sources told Reuters that Yahoo's security team discovered the program within weeks of its installation and initially thought hackers had broken in. Upon learning of the secret program, Stamos resigned in protest. "Due to a programming flaw [in the software], he told [Yahoo executives], hackers could have accessed the stored emails."
Stamos now works at Facebook, which recently implemented opt-in end-to-end encryption on its Messenger app.
"The NSA's actions are making us all less safe," according to security expert Bruce Schneier, who accused the agency of subverting the internet into a gigantic surveillance platform.
Not only do its activities leave internet users more vulnerable to cybercriminals, but "by eavesdropping on all Americans, they're building the technical infrastructure for a police state," Schneier says. "Power without accountability or oversight is dangerous to society at a very fundamental level.... The solutions have to be political. The best advice for the average person is to agitate for political change."
That advice -- given in 2013 -- still holds true today.
A time for political debate
Civil rights groups and privacy advocates have been calling these secret, warrantless data grabs unconstitutional for years, but "no court has ruled definitively one way or another (mainly because the U.S. has been hiding behind official secrecy to prevent it)," Timm writes.
Rep. Ted Lieu of California told Ars Technica that the type of forced government request made of Yahoo was "flat out unconstitutional."
"The continuing revelation of our law enforcement and these agencies violating the Constitution shows that there is a break down in oversight," Lieu said. "[FISC] has shown repeatedly that they do not have the ability to protect the Constitution or the rights of Americans."
The Yahoo operation appears to have been authorized under a controversial provision, known as Section 702 of the Foreign Intelligence Surveillance Act. The surveillance programs authorized under Section 702, which has been the basis for an explosion in warrantless searches, are set to expire at the end of next year -- unless Congress votes to renew them.
The constitutionality of these surveillance programs, and the appropriate balance of digital privacy and national security, are unlikely to figure in Sunday's presidential debate. Perhaps, given the outcry over Yahoo's activities, they should.
Update: The cost to Yahoo for complying with the secret FISC order could be high: Verizon may be getting cold feet about its acquisition of Yahoo, and is reportedly asking for a $1 billion discount on the original $4.8 billion deal. Other Silicon Valley companies likely will be remembering that when they, in turn, are ordered to climb in bed with the intelligence community.