On Tuesday we found out internet giant Yahoo has been playing flunky for the FBI and NSA, helping the feds spy on hundreds of millions of Yahoo email users. A Reuters investigation revealed the company built special software at the government’s request that scanned all incoming emails looking for key words and phrases.
If that list is anything like the Department of Homeland Security keyword list released back in 2012, it contains a lot of words that could be used in perfectly innocent contexts — words like leak, cloud, gas, cops, wave, pork and smart. Even more “suspicious” words on the list have plenty of reasonable uses, especially for people well-informed about the news and interested in discussing current events with their friends.
But we don’t have to see the list to know this program is a massive violation of Yahoo users’ Fourth Amendment right to privacy, as well as exactly the sort of mass spying the government likes to pretend isn’t an issue anymore (but definitely is).
The good news is that so far it appears other major tech companies aren’t doing the same thing. “We’ve never received such a request, but if we did, our response would be simple: ‘no way,’” said Google, which offers the most popular email service in America, while Microsoft told customers it has never secretly scanned their emails and Apple promised it would fight any such request in court.
Apple’s willingness to go to court brings up an important point given the company’s recent history of doing exactly that to ward off another assault on our privacy, namely, the feds’ attack on encryption following efforts to crack the San Bernardino shooter’s government-issued iPhone. With this news about Yahoo, Apple’s stand looks particularly prescient, and the case for encryption becomes even more compelling, as Trevor Timm explains at The Guardian (emphasis added):
The Yahoo story, if borne out, would be the quintessential example of how government-mandated backdoors are dangerous for everyone’s security, and why end-to-end encryption needs to be standard on all our communications platforms.
Incredibly, Yahoo apparently built this backdoor into its email system without even telling its then security chief, Alex Stamos. “The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation,” Menn reported. “The security team initially thought hackers had broken in.”
Stamos was reportedly furious and resigned in protest. “Due to a programming flaw [in the software], he told [Yahoo executives] hackers could have accessed the stored emails,” Menn explained. Security experts have been highlighting for years how backdoors not only give access to the “good guys” but also could let other criminals or foreign governments into our communications systems.
This is exactly the type of mass surveillance that end-to-end encryption would prevent. Currently, Yahoo emails are encrypted as they travel from one server to another, but can be read by Yahoo at the company’s discretion.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.