Reuters uncovers secret tool built by Yahoo at the behest of the NSA and FBI in order to scan Yahoo emails

Oct 4, 2016 22:30 GMT

Three anonymous sources have told Reuters that Yahoo built a custom tool that allowed the NSA and FBI to scan everyone's emails in real-time for designated words and expressions, and then permitted the agencies to retrieve the emails when they found something interesting.

According to the report, Yahoo received a classified request from the two agencies to build this special software at the start of 2015, which the company did by May 2015.

The three sources say that, while the company initially planned to fight this confidential order, Yahoo's legal department didn't think they would win, so, in the end, Yahoo's CEO Marissa Mayer gave the engineering department the go-ahead to build the real-time email scanning tool.

The reason why Alex Stamos left Facebook

Mayer seems to have excluded Yahoo's CISO (Chief Information Security Officer) from this decision. Reuters reports that Yahoo's security team discovered the tool a month later, and initially thought they were hacked.

The three sources say that Yahoo's security department later identified security flaws that would have allowed attackers to hack the company. Because Mayer made the decision to build this tool without consulting with him, Alex Stamos, Yahoo's CISO at the time, resigned a month later and joined Facebook.

According to another report, published by the New York Times last week, Mayer had regularly ignored security issues brought up by Stamos, declined to increase the security budget, and more. These decisions eventually led to Yahoo getting hacked in 2014, with attackers stealing data on over 500 million Yahoo users.

The tool worked like a real-time email filter

Reuters was unable to verify what kind and how much email data the NSA and FBI pulled from Yahoo's system using this email scanning tool.

According to the three insiders, the tool allowed the agencies to set up trigger words and phrases. The tool would then set up a filter on all of Yahoo's email traffic, and all email messages and file attachments containing these words would be set aside for the two agencies to retrieve to their own servers.

It appears that this new tool is the first of its kind, and that this is the first time the Foreign Intelligence Surveillance Court has signed off on such a document and practice.

Yahoo tried to fight secret order

According to a statement Yahoo has provided to Reuters and insisted on circulating to all media outlets that asked for further commentary, the company doesn't seem to have wanted to comply with the order.

"Yahoo is a law abiding company, and complies with the laws of the United States," Yahoo said in a statement that hints at no legal means to fight the request and a possible gag order.

Since the NSA revelations, Yahoo has been one of the most active companies in fighting US government agencies when it came to data requests affecting its customers. In June 2015, the Electronic Frontier Foundation awarded Yahoo a five out of five star rating in its yearly "Who has your back" report.