NEW YORK — Yahoo’s reported willingness to search user email to assist U.S. government investigators has revived concerns about court-approved surveillance programs that companies aren’t allowed to disclose to the people using their services.
Last year, Yahoo modified an existing version of its email security program to flag the appearance of a digital “signature” the U.S. had linked to a foreign terrorist group backed by another government, according to a report published Wednesday by The New York Times. Copies of any incoming email containing the signature were stored in Yahoo’s system and made available to the FBI.
The Times quoted an unnamed government official, following up an earlier Reuters story that had revealed Yahoo’s email scanning activity without specifying what kind of information the government sought.
SEEN THROUGH A PRISM
The revelations have conjured memories of a data-collection program set up by the National Security Agency and major internet companies a few years ago under other court orders issued in secret.
That program, called “Prism,” only became public knowledge in 2013 after former NSA contractor Edward Snowden leaked slides revealing that the government had been authorized to grab emails, videos and pictures stored by Google, Yahoo and Facebook, among other companies.
As with Prism, the U.S. government appears to have demanded Yahoo’s cooperation in an effort to sniff out terrorist threats and protect public safety. The government said Prism targeted the specific online accounts of foreigners.
The Yahoo hunt may have cut a much broader swath, scanning through hundreds of millions of incoming emails in search of the signature used by the foreign terrorist group, said Kurt Opsahl, general counsel for the Electronic Frontier Foundation, a digital rights group. He likened it to the government getting a court order to rifle through the documents stored in millions of homes in search of a particular piece of information.
BIG COMPUTER IS WATCHING YOU
“This is a troubling vision of the future where there might be massive government surveillance done with computers,” Opsahl said. “The government may well say they were only targeting a string of characters used by a foreigner, but it just so happened that hundreds of millions of innocent people also had their emails examined too.”
Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement that the government order appears to be “unprecedented and unconstitutional.”
Odia Kagan, a Philadelphia-based data privacy attorney, said that it’s impossible to judge the legality of the government’s request, because the facts surrounding it remain murky.
The Justice Department didn’t immediately respond to a request for comment late Wednesday.
Bulk collection of data isn’t allowed and the government cannot indiscriminately review the emails or phone calls of ordinary people, Richard Kolko, deputy director of public affairs for the Office of the Director of National Intelligence, said in a statement. The U.S. government can gather information about non-U.S. citizens under the Foreign Intelligence and Surveillance Act, but those powers are supposed to be narrowly focused, Kolko said.
Yahoo hasn’t explained what it did under the government order. It called Reuters’ original story “misleading,” but declined to comment on the Times’ disclosure about the government’s quest for the digital signature.
GAGGING ON SECRECY
The company probably wishes it could say more, but can’t because of a court order forbidding the company from discussing the surveillance, Opsahl said.
Google and Microsoft have issued statements disavowing any involvement in a government-ordered surveillance program similar to Yahoo’s.
While companies have a duty to abide by the law, they also have a duty to protect the privacy of their users, Kagan said. The trick is to balance those two things. And sometimes that means putting up a fight when it comes to government requests, even if they ultimately lose, in order to preserve their users’ trust in them.
Not long ago, Yahoo also resisted government demands. The Sunnyvale, California, company initially challenged the program that became Prism in a battle dating back to 2007, despite threats of being fined $250,000 per day if it didn’t comply.
Yahoo was under different management then. It has been run by a former Google executive, Marissa Mayer, for the past four years.
“The big takeaway is that that we really don’t know what is going on between any of these companies and the government,” said Forrester Research privacy analyst Fatemeh Khatibloo. “It sort of a shadowy world threatening our Fourth Amendment rights” protecting against unreasonable search and seizures.
MORE TROUBLE FOR YAHOO
The news is just the latest email bombshell for Yahoo, which was already reeling from its recent admission that computer hackers swiped personal information from at least 500 million of its accounts. That attack is believed to be the biggest digital break-in ever suffered by an email provider.
This week’s revelations could also affect Yahoo’s operations in Europe, Kagan said. User data there is protected by a data privacy agreement struck this summer between the U.S. and EU regulators known as the Privacy Shield.
Yahoo is also in the process of selling its online operations to Verizon for $4.8 billion. Verizon so far has had no comment on the email-scanning reports.
Liedtke reported from San Francisco. AP reporters Mae Anderson in New York and Deb Riechmann in Washington contributed to this report.