Many tech companies including Apple, Google, Facebook, Microsoft and Twitter said they had not helped governmental agencies spy on their users like Yahoo did. Some said outright that they never received such orders and others insisted that they’d never comply if they did. Following Reuters’ initial discovery that Yahoo secretly spied on its Yahoo Mail users for the government, a new report reveals that it’s fairly easy for any of Yahoo’s rivals to do it, too. And you won’t even know it’s happening.
DON’T MISS: After buying 9 Android smartphones in a row, this Android fan switched to the iPhone 7
According to two government sources who talked to The New York Times, Yahoo simply altered a tool it had been using to ensure the safety of its users, instead using it to spy.
The Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year to compel Yahoo to help while also barring the company from talking about the matter.
Intelligence agencies wanted Yahoo to scan all Yahoo Mail emails looking for a specific signature. Apparently, agents of a foreign terrorist organization were communicating using Yahoo “with a method that involved a ‘highly unique’ identifier or signature.” The investigators did not know what email accounts were used, so they needed Yahoo’s help to discover them.
To do so, Yahoo modified a security tool it uses to search for malware in all incoming email traffic. The system was instead used to scan for that identifier and store emails containing it. A copy of that data was then given to the FBI for inspection. From the looks of it, the government did not have direct access to Yahoo’s servers, or to the tool used to collect data.
The collection of data is no longer taking place, the source said. But the Times’ findings suggest that practically any email provider, including Gmail and Microsoft, and any company that uses scanning systems to protect users from malware, spam and child pornography, could be compelled to use similar methods to spy on users without their knowledge.
The Times also says that tech companies scan for child porn, and they’re required to report any discoveries to the National Center for Missing and Exploited Children.
It’s not clear at this time whether Yahoo came up with the solution, or if intelligence agencies forced it to adapt its tool for this purpose. The sources explained that Yahoo’s efforts were a simple adaptation of software tools that were already in place, rather than a brand-new capability the company built into Yahoo Mail. Reuters, which first reported on the matter, said that Yahoo built a custom software program to search all incoming emails.
Yahoo did not detail the way it helped the government but said Reuters’ take was misleading. Even so, the fact remains that Yahoo can search all email that hits its servers, and will probably do it each time the government convinces a judge to issue similar orders. It’s likely that other tech companies that have such security measures in place will also have to comply.
