Yahoo Inc. reportedly spied on millions of users of its popular webmail service, scanning users’ incoming emails at the behest of United States intelligence agencies. According to the report, Yahoo scanned all messages arriving via Yahoo Mail for any that contained particular sets of characters or search terms.
Reuters broke the news early yesterday morning, after speaking with three former employees and a fourth person with knowledge of the situation. The program was reportedly the result of a classified directive which Yahoo Inc. complied with, providing private user information to U.S. intelligence officials — including the FBI and the National Security Agency (NSA).
By complying with the classified order, Yahoo became the first U.S. internet company to comply with to an intelligence agency’s request to search all arriving messages in real time.
It’s not the first time a U.S. company has handed over customer data to intelligence agencies. While it’s not an uncommon practice for companies to hand over bulk customer data, the method used in this case is reportedly novel. According to the report, Yahoo provided a kind of real-time wiretap to filter through incoming Yahoo Mail messages according to a certain series of characters, a “selector” or search term.
“I’ve never seen that, a wiretap in real time on a ‘selector,’ it would be really difficult for a provider to do that,” said Albert Gidari, a security expert specializing in surveillance issues.
According to Reuters’ sources, the decision to comply with the order, received by the Yahoo legal team, was made by CEO Marissa Mayer. The decision was not without opposition, however, and reportedly caused some friction among Yahoo’s senior executives. Last year’s departure of Yahoo’s chief information security officer, Alex Stamos, was allegedly the result of a rift caused by Mayer’s decision to comply with the order.
Stamos did not respond to Reuters’ requests for comment, and Yahoo released an official statement earlier today.
“Yahoo is a law-abiding company, and complies with the laws of the United States,” a Yahoo spokesperson told Reuters yesterday.
Yahoo expanded on its comments in a statement released on Wednesday, which refers to the Reuters report as “misleading.”
“We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems,” Yahoo said in a statement.
This news comes just after Yahoo admitted a massive data breach in 2014, which compromised around 500 million user accounts.
Article originally published on 10-04-2016. Updated on 10-05-2016 by Jayce Wagner: Added information from Yahoo’s statement issued on Wednesday.