Messaging , Privacy , Technology
Yahoo Says It Is Prohibited From Discussing Surveillance OperationYahoo is appealing to the U.S. director of national intelligence to declassify an order that allegedly required the company to install secret spying software that scanned incoming email accounts for specific content.
See Also: Secrets to a Simpler Security Incident Response
The company complied with the classified order, although the spying code was removed earlier this year after Yahoo's security team suspected hackers had planted it, Reuters reported on Oct. 4.
The decision by Yahoo CEO Marissa Mayer to comply rankled some employees concerned about privacy and U.S. government overreach. Yahoo has contested media coverage around the situation but has not provided more information, presumably because it legally can't.
Technology companies must comply with orders obtained by the intelligence community through the Foreign Intelligence Surveillance Court. The court's decisions aren't public and can't be discussed by entities receiving orders due to national security concerns. Yahoo's letter, posted on its website, takes pains to keep within those bounds.
"Yahoo was specifically mentioned in these reports, and we find ourselves unable to respond in detail," writes Yahoo General Counsel Ron Bell. "Your office, however, is well positioned to clarify this matter of public interest."
The company asks James Clapper, director of national intelligence, to confirm whether an order exists, and if so, declassify all or parts of it. It also pleads to have the government "make a sufficiently detailed public and contextual comment to clarify the alleged facts and circumstances."
Also on Oct. 19, the American Civil Liberties Union said it filed a motion with the Foreign Intelligence Surveillance Court to release court records that contain "novel or significant interpretations" of law between Sept. 11, 2001 through June 2015.
The FISC is supposed to made significant rulings public, as required by the USA Freedom Act, the ACLU says. But that act doesn't apply to secret court orders released prior to when it was passed in June 2015. The ACLU contends that those decisions may shed light on the U.S. government's legal rationale for its Yahoo order.
The USA Freedom Act restricted direct bulk collection of U.S. citizens' information by intelligence agencies and strengthened legal protections over how data is accessed. But the limited information released so far about what happened to Yahoo has raised fears that the U.S. may be stretching the law.
Secret Court Battles
Long before former National Security Agency contractor Edward Snowden leaked documents that showed the extent of U.S. government's spying, Yahoo had fought surveillance-related legal orders. In 2007 and 2008, Yahoo waged a secret court battle in which the company contended that the bulk surveillance program PRISM violated the U.S. Constitution.
Yahoo lost the case, but the company pressed the U.S. government for years to release some of the court files. In 2014, more than 1,500 pages of material was released, much of it redacted. But it was one of the first times material from the Foreign Intelligence Surveillance Court was made public.
That's why Yahoo employees were dismayed by the company's decision to comply with the latest order. Alex Stamos, who then was the company's CIO, contended the spying code was buggy and could have allowed hackers to access email. He resigned from Yahoo in May 2015 and is now in the same position at Facebook (see Report: Yahoo Complied with Government Spying Order).
The disclosure of the court order came at a tough time for Yahoo, which in mid-September acknowledged a breach that leaked 500 million accounts. That data breach complicated Verizon's planned $4.8 billion acquisition of Yahoo (see Massive Yahoo Data Breach Shatters Records).
Privacy Shield Impact
Yahoo contends that media reports about the order had led to broad speculation concerning the Privacy Shield, a new data transfer agreement between the U.S. and European Union (see Europe's New Privacy Shield: Will It Hold?).
The Privacy Shield is a new framework for how U.S. companies can collect personal information in a way that complies with E.U. data protection and privacy rules. The framework is a replacement for Safe Harbour, which the European Court of Justice found failed to protect privacy in light of U.S. mass surveillance programs.
"That speculation results in part from lack of transparency and because U.S. laws significantly constrain - and severely punish - companies' ability to speak for themselves about national-security related orders even in ways that do not compromise U.S. government investigations," Bell writes.
Yahoo says that while confidentiality is needed for national security, it's important that the U.S. government discloses how and under what circumstances it uses law such as the Foreign Intelligence Surveillance Act to obtain private online activity or communications.
"Citizens in a democracy require such information to understand and debate the appropriateness of such authorities and how the government employs them," Bell writes.