A report yesterday claimed Yahoo built custom software to spy on its users’ emails on behalf of U.S. intelligence agencies, something that reportedly caused disagreements behind closed doors and at least one resignation. In a statement issued today, Yahoo downplayed the report, saying that it “narrowly interpret[s] every government request for user data to minimize disclosure.” The company also said, “The mail scanning described in the article does not exist on our systems.”
Yahoo’s statement has left some uneasy, as it called the report ‘misleading’ rather than false. Though it says the “mail scanning” software reported by Reuters yesterday doesn’t exist on its system, some have questioned whether it did in the past, and if so, how long it was in operation. If that’s not the case, clarification is needed on which parts of the report, exactly, were misleading.
According to three sources cited in the report, two of whom were reportedly Yahoo employees, the company received a government directive that supposedly resulted in Yahoo’s email engineers creating and deploying spying software without the knowledge of Yahoo’s security team. The security team allegedly discovered the software in early summer 2015 and initially believed it to be the work of an outside hacker.
Per the sources’ statements, this software looks for certain strings of government-provided characters in all inbound Yahoo Mail emails, siphoning those with the string into a separate remotely accessible system. U.S. spies working for the NSA and/or FBI can then reportedly access those emails.
The allegations surfaced mere days after Yahoo disclosed a massive state-sponsored hacking of more than 500 million user accounts. See the timeline below for related information.