A report on Tuesday claims Yahoo last year cooperated with U.S. government agency requests to create and deploy software that scanned hundreds of millions of customer emails as they arrived at the company's servers.
Citing multiple sources familiar with the matter, including former employees, Reuters reports Yahoo complied with the wishes of either the National Security Agency or the Federal Bureau of Investigation with its email scanning program.
U.S. intelligence officials through a classified request tasked Yahoo with picking out emails containing a particular set of characters, such as a phrase or attachment, and storing them for remote retrieval. It is unclear what the government was looking for, sources said. Whether Yahoo released any data to government agencies as part of the initiative is also unknown.
"Yahoo is a law abiding company, and complies with the laws of the United States," Yahoo said in a statement provided to Reuters.
As noted by the publication, some security experts believe the incident is the first known case of a U.S. internet company agreeing to such terms. It is also the first to involve software created specifically for the purpose of snooping. Email service providers -- like phone companies -- have in the past acquiesced to requests for bulk data searches and limited real-time monitoring, but certain laws restrict state actors from imposing undue burden on these firms by asking them to create special surveillance systems.
Yahoo CEO Marissa Mayer green lit the project in a decision that didn't sit well with other high-ranking employees, the report says. In particular, sources claim Mayer's move resulted in the resignation of former Chief Information Security Officer Alex Stamos in June 2015.
At the time, Mayer and other decision makers accepted the government directive because they thought Yahoo would ultimately lose if they chose to fight, sources said. Further, instead of seeking guidance from Yahoo's security team, executives had engineers write and deploy the program. As can be expected, the security team found the software shortly after it was installed, believing it to be the work of a hacker, not company policy.
Experts believe the same government agencies behind the Yahoo request, whether it be the NSA, FBI or some other shadowy group, likely extended the same demand to competing firms offering similar services. Google and Microsoft told the publication they have never participated in email scanning operations like those reported. A Google representative went further, saying, "We've never received such a request, but if we did, our response would be simple: 'No way.'"
Apple, too, has butted heads with government entities seeking information under the Foreign Intelligence Surveillance Act (FISA), a key law cited in the Yahoo debacle. To increase transparency on the issue, Apple releases a biannual report detailing requests for information from various state players. Its latest findings, published in April, note law enforcement agencies lodged 1,015 requests for customer account information affecting 5,192 users in the second half of 2015.
Earlier this year, Apple found itself at the center of a heated public debate over personal device encryption when the company declined a federal court order to access an iPhone tied to the San Bernardino terror attacks. Specifically, the company refused to build a workaround to built-in iPhone safeguards, saying doing so would undermine the security of millions of devices worldwide. The U.S. Department of Justice ultimately withdrew the case after FBI agents successfully bypassed the phone's passcode lock using a technique purchased from an unnamed third-party.
News of Yahoo's surreptitious activities comes just two weeks after the company confirmed reports of a massive security breach that impacted at least 500 million accounts in 2014.