Reuters reported that Yahoo, at the request of US security services, built a customised software tool that has the ability to scan every email and attachment for “a set of characters”.
It has been suggested by a number of security experts that this is the first time a US Internet company has complied with a classified US government directive.
The secret programme is suspected to have scanned hundreds of millions of Yahoo Mail accounts at the request of a government agency, either the National Security Agency or the FBI.
This is the first known incident of a US internet organisation mass-monitoring communications as they are sent.
Apple, Google, Facebook and Twitter in unison said they have never received such requests.
It is rumoured that Facebook’s head of security Alex Santos, formerly of Yahoo, resigned from the Internet company after Yahoo’s chief executive, Marissa Mayer, reportedly obeyed the government’s request.
“Yahoo is a law-abiding company and complies with the laws of the United States,” the company said in a statement.
It is unclear what, if any, information was handed over. But the belief that the programme was looking for a set of characters implies that Yahoo, on behalf of the US government, was looking for certain phrases.
Questions remain
Right now, exactly what happened is all speculation.
“If this story is accurate,” according to Jeremiah Grossman, chief of security strategy at SentinelOne, “it indicates there were potentially three breaches on Yahoo’s network: first the hackers found selling user data, then the alleged state-sponsored attack currently being investigated and now a self-compromising exploitation via a government surveillance system.”
The most notable missing piece from this story so far, Grossman goes on, “is its resolution—did Yahoo find what the U.S. government was looking for? Is the backdoor still in use, and if not, at what point was it active? These are questions we would all like Yahoo to answer. Users deserve transparency – they deserve to know how, when and by whom their communications are being accessed”.
This potential revelation has blown open the idea of privacy and government interference in a big way.
The mass email searches are reminiscent of the NSA’s PRISM surveillance programme that was exposed by Edward Snowden.
If this story turns out to be true then Yahoo will be perceived as the ‘villain’.
However, as Grossman points out: “We have to remember Yahoo, like many others, is a global company with global operations, and therefore has to comply with laws in every country it operates in.”
“If this information sharing was, in fact, the result of Yahoo following a ‘lawful order’ by the U.S. government, it begs the question which other governments the company’s leaders might be following orders from – past, present and in the future.”