
Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter

A laptop open to Yahoo’s email login page. Credit: Cole Wilson for The New York Times

A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, several people familiar with the matter said on Wednesday.

Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.

To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.

With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, those two people said.

The order was unusual because it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.

News of the order has opened a new chapter in a public debate over the trade-offs between security needs and privacy rights that has cast a spotlight on the sometimes cooperative, sometimes antagonistic relationship between Silicon Valley companies and the United States government.

It comes six months after a standoff between the F.B.I. and Apple, in which the government obtained a federal magistrate's order to force the company to help it unlock an encrypted iPhone from one of the attackers in the December mass shooting in San Bernardino, Calif. The F.B.I. gave up the fight with Apple after it found a way into the iPhone without the company’s help.

By contrast, Yahoo cooperated with the Foreign Intelligence Surveillance Court order, although the technical burden on the company appears to have been significantly lighter than the one the F.B.I. placed on Apple.

Details of Yahoo’s cooperation with the court order come two weeks after the company reported that hackers had broken into its computer network, stealing the credentials of 500 million users. Yahoo engineers discovered the breach this summer, two years after it had occurred, and just weeks after Verizon Communications announced plans to buy the troubled internet company for $4.8 billion.

The two government officials familiar with the matter said the digital signature Yahoo was ordered to look for last year was individually approved in an order issued by a judge, who was persuaded that there was probable cause to believe that it was uniquely used by a foreign power.

Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the officials said.

The officials’ description of the unusual surveillance operation carried out at Yahoo shed new light on a report by Reuters that has attracted widespread attention and provoked outrage among privacy and technology specialists.

The Reuters article reported that in response to a “broad demand” from the government, Yahoo had “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials.”

According to the government officials, Yahoo was served with an individualized court order to look only for code uniquely used by the foreign terrorist organization. Two sources, including one of the officials, portrayed it as adapting the scanning systems that it already had in place to comply with that order rather than building a brand-new capability. The other official did not comment on the technology. The officials did not name the terrorist organization.

Asked on Wednesday about the information obtained by The New York Times, Suzanne Philion, a Yahoo spokeswoman, said the company had nothing further to say. Earlier in the day, the company said in a statement that the Reuters article was “misleading.”

“We narrowly interpret every government request for user data to minimize disclosure,” the Yahoo statement said. “The mail scanning described in the article does not exist on our systems.”

Richard Kolko, a spokesman for the Office of the Director of National Intelligence, declined in a statement to discuss specific foreign intelligence collection techniques, but referred to the Foreign Intelligence Surveillance Act, or FISA.

“Under FISA, activity is narrowly focused on specific foreign intelligence targets and does not involve bulk collection or use generic key words or phrases,” he said. “The United States only uses signals intelligence for national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people.”

Technology companies like Yahoo, Google and Microsoft scan for child pornography and are required to report any discoveries to the National Center for Missing and Exploited Children. They similarly search traffic for malware and spam, which companies disclose in their terms of service.

There is no engineering limitation preventing technology companies from using their spam and child pornography filtering systems to search email traffic for other sorts of digital signatures, said Hany Farid, chairman of the computer science department at Dartmouth, who helped develop the child pornography scanning system with Microsoft.

But the use of that technology to carry out an order from the Foreign Intelligence Surveillance Court to search for a digital signature used by a foreign power is rare, and one of the officials portrayed it as innovative.

“This is another example of how the government is pushing secretly novel or innovative interpretations of surveillance law” to conduct wiretapping in broader ways than the public realizes, said Jennifer Granick, the director of civil liberties at the Stanford Law School Center for Internet and Society.

The government has not released any intelligence court opinion explaining how the judge interpreted FISA to authorize such surveillance. Although Congress in June 2015 enacted a law that required the government to make public novel and significant rulings by the court, the order to Yahoo appears to have predated that legislation, the USA Freedom Act, by several months.

Yahoo has an inconsistent record with meeting government data demands. In 2007, the company settled a lawsuit related to allegations that it helped the Chinese government crack down on journalists by passing along their Yahoo emails.

But that year, the firm fought a legal battle, then secret, before the Foreign Intelligence Surveillance Court, challenging a mandate that it turn over, without a warrant, emails from user accounts the F.B.I. and the National Security Agency said belonged to noncitizens abroad who had been targeted for surveillance.

That litigation became an important test of whether Congress could legalize the Bush administration’s warrantless surveillance program through the Protect America Act and, later, the FISA Amendments Act. Ultimately, the intelligence court ruled against Yahoo, and after being threatened with a huge fine, the company cooperated.

Yahoo was not able to clarify details of the Reuters article on Tuesday because orders from the Foreign Intelligence Surveillance Court are secret by law, and an increasing number of other government requests come with gag orders that prohibit tech companies from even acknowledging they exist.

Tech companies complain that such gag orders make it impossible for them to explain to customers what sort of data they do and do not turn over. Twitter and Microsoft have separately sued the Justice Department over the gag order practice, and both cases are pending.

Dozens of other companies have filed briefs in support of Microsoft. In its brief, Apple said it had received about 590 gag orders, of unlimited or indefinite durations, in the first eight months of 2016.

Vindu Goel contributed reporting.

Follow Charlie Savage and Nicole Perlroth on Twitter @charlie_savage and @nicoleperlroth.

A version of this article appears in print on  , Section B, Page 1 of the New York edition with the headline: Yahoo Said to Have Adapted Email Scanner to Aid U.S. Surveillance.
