
Yahoo – The Reuters article is misleading and the surveillance tool doesn’t exist

A few hours after Reuters reported the existence of a surveillance tool used by Yahoo for mass email scanning, the tech giant denied it.

This week Reuters reported that Yahoo scanned all of its users’ incoming emails with a secret software program designed to gather information for US Government agencies.

According to the Reuters agency, the software was created last year and was used by the IT giant to search emails in hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency and FBI.

“Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.” reported the article from the Reuters Agency.

“The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.”

Now Yahoo has replied to Reuters, saying that no such surveillance system exists within the Yahoo architecture.

“The article is misleading,” reads an email sent by the company. “We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

The email sent by Yahoo, however, didn’t provide any further details about the story reported by the Reuters agency.

The article published by Reuters also claims that the former Yahoo CISO, Alex Stamos, left the company after his team discovered the surveillance program installed in the company architecture with the authorization of the CEO.

“When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.” reported Reuters. “Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo.”

Stamos, however, refused to comment on the article.

While Snowden’s leaked documents about the PRISM surveillance program demonstrate the collaboration between the US Government and the US IT giants, the companies said they had never received pressure to conduct mass surveillance through email scanning.

“We’ve never received such a request, but if we did, our response would be simple: ‘no way’,” Google said, according to CSOonline.

“Apple, Facebook and Twitter offered similar statements and said they would challenge such an order. Microsoft also said it had never engaged in the secret scanning of email traffic described in the Reuters article.”

While Yahoo continues to deny the existence of the surveillance tool mentioned by Reuters, according to The New York Times, the company was ordered by the US Foreign Intelligence Surveillance Court to scan users’ emails for “digital signatures.”

It seems that the scanning was performed by introducing additional features to the existing security software used to examine all incoming email traffic for malicious activities.

“Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.

To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.” reported The New York Times.

“With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, those two people said. 

The order was unusual because it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.”

Let me close with the position of US intelligence: the NSA chief, Admiral Michael Rogers, speaking at the Cambridge Cyber Summit yesterday, called the article “a bit speculative,” CNBC reports, adding that dragnet email surveillance “would be illegal.”

“We don’t do that. And no court would grant us the authority to do that. We have to make a specific case. And what the court grants is specific authority for a specific period of time for a specific purpose.”

Stay Tuned!


Pierluigi Paganini

(Security Affairs – Yahoo, email surveillance tool)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
