Cybersecurity experts immediately demanded that their clients stop using Yahoo Mail.

Share story

Civil and human-rights groups issued denunciations and some cybersecurity experts urged their clients to stop using the popular Yahoo Mail service after a news agency reported Tuesday that the internet service provider had secretly scanned hundreds of millions of clients’ emails at the behest of U.S. intelligence agencies.

The report by Reuters said Yahoo complied with a classified U.S. government directive last year to scan all incoming emails of its users for certain phrases. The report said Yahoo’s engineers wrote a program to comply with the blanket spying request, which came from the National Security Agency or the FBI.

The report cited three former Yahoo employees and another unidentified person familiar with the matter. Those individuals told Reuters that the government pushed Yahoo to search for a string of letters, numbers or other characters. That meant the fishing expedition could have involved finding a specific phrase or code in the text of an email or an attachment.

Reuters was unable to determine what data Yahoo handed over, if any.

The Sunnyvale, Calif., company did not deny the report in a Tuesday statement, describing itself as a company “that complies with the laws of the United States.” The Department of Justice and the FBI did not immediately respond to requests for comment.

Cybersecurity experts immediately demanded that their clients stop using Yahoo Mail.

“Enough is enough. It’s time to close your Yahoo account,” Graham Cluley, a British cybersecurity expert, tweeted following the report.

Microsoft says “never”

In a statement, a Microsoft spokesman said the company has “never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.”

Google, whose Gmail is the world’s largest email service, said it hadn’t received a similar spying request from the U.S. government. If it had, Google said, its response would be “No way.”

An Apple spokesman pointed to a previous statement from CEO Tim Cook indicating that the company would never create a government-mandated backdoor into its services.

Twitter also weighed in, but without clarifying whether it had received a directive aimed at intercepting communications.

“Federal law prohibits us from answering your question, and we’re currently suing the Justice Department for the ability to disclose more information about government requests,” Twitter spokesman Nu Wexler said in a statement.

“Deeply disappointing”

Civil- and human-rights groups directed their criticism not at Yahoo but at the U.S. government, saying its request had undermined trust in the internet.

“The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit,” said ACLU attorney Patrick Toomey. “It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court.”

“If Yahoo is indeed scanning the content of all of its customers’ emails at the NSA’s behest, that would appear to violate the Fourth Amendment,” echoed Elizabeth Goitein of the Brennan Center for Justice at New York University.

“It’s also a violation of customers’ privacy and trust. It’s disturbing to learn that the NSA was secretly expanding its surveillance reach at the very same time Congress was attempting to rein it in,” added Goitein, who is co-director of the Center’s Liberty and National Security Program.

Amnesty International lamented what it called the eroding privacy of internet users and efforts by the U.S. to “indiscriminately vacuum up the world’s data.”

“This is a clear sign that people can trust neither their government nor their service providers to respect their privacy,” said Amnesty’s Sherif Elsayed-Ali, the head of technology and human rights.

Stressed loyalty

The report will likely test the bounds of Yahoo users’ already stressed loyalty.

The company late last month disclosed that hackers had broken into at least 500 million user accounts to steal email addresses, birth dates, phone numbers and passwords. That theft, the biggest breach ever at an email provider, occurred in 2014 when Yahoo’s security was run by Alex Stamos, who now holds a similar job at Facebook.

The cooperation with the government’s spying on emails created a rift between Stamos and Yahoo CEO Marissa Mayer, prompting Stamos to leave in June 2015, according to Reuters. Mayer bypassed the company’s security team and went to engineers to write the program to siphon off emails in real time for the government, Reuters added.

Stamos, who is now the chief security officer for Facebook, offered no immediate comment on the report. The federal government also did not comment.

Questions over Yahoo’s stewardship of user email could threaten the company’s deal to sell its online operations to Verizon Communications for $4.8 billion.

Verizon could renegotiate the terms or call the deal entirely if Yahoo users flee its email and other services, such as news, finance and sports. Verizon had no comment on the Reuters report.

Yahoo is among companies that have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal. Reuters reported that some said Yahoo could have tried to fight last year’s demand on at least two grounds: the breadth of the directive and the necessity of writing a special program to search all customers’ emails in transit.

A nemesis of the government, former NSA contractor Edward Snowden, who leaked top secret information about the agency, called on Yahoo users to take action.

“Use @Yahoo? They secretly scanned everything you ever wrote, far beyond what law requires. Close your account today,” Snowden tweeted.