Yahoo scanned its users’ incoming emails for an unusual string of characters that had been linked to a terrorist organisation, according to a fresh report about the matter.
The New York Times says flagged messages were made available to the FBI, but the scans have now stopped. It adds that the tech company adapted one of its spam and child-abuse-image filters to carry out the task.
The details build on an earlier report by the news agency Reuters.
Yahoo declined to add to its previous statements, in which it said Reuters’ report was “misleading” and that it was “a law-abiding firm”. The California-based company also said the mail-scanning process outlined by Reuters “does not exist” on its systems, but did not explicitly address whether it had done so previously.
The New York Times says its report is based on interviews with two unnamed US government officials and a third anonymous person “familiar with” Yahoo. It says that FBI investigators had learned that agents of a foreign terrorist body were using Yahoo’s email service.
The bureau had managed to discover a “highly unique identifier or signature” used by the terrorists, it adds, but had been unable to indentify which accounts were being used, and so wanted Yahoo’s aid. It says that a judge at the Foreign Intelligence Surveillance Court was persuaded that the string of characters would have been used only by a foreign power, and so agreed to issue an order for Yahoo to comply.
The US law governing what can and cannot be scanned is the Foreign Intelligence Surveillance Act (Fisa).
The original version, passed in 1978, set out strict conditions under which a special court could authorise electronic surveillance if suspects were believed to be engaged in espionage or planning an attack against the US on behalf of a foreign power.
Following the 9/11 attacks, the Bush administration secretly gave the NSA permission to bypass the court and carry out warrantless surveillance of al-Qaeda suspects, among others. After this emerged in 2005, Congress voted to both offer immunity to the firms that had co-operated with the NSA’s requests and to make amendments to Fisa. A relaxation to the rules, introduced in 2008, meant officials could now obtain court orders without having to identify each individual target or detail the specific types of communications they intended to monitor so long as they convinced the court their purpose was to gather “foreign intelligence information”.
In addition, they no longer had to confirm both the sender and receiver of the messages were outside the US, but only had to show it was “reasonable” to believe one of the parties was outside the country.
Yahoo had previously handed over data about its users to US cyber-spies – a fact it fought a legal battle to be able to reveal – but only after unsuccessfully appealing against the demand. But Reuters’s article said that it had not challenged last year’s order, a decision that allegedly disappointed some of its staff and led to the resignation of its chief information security officer.
A Fisa court order would restrict Yahoo from discussing the matter. But the reports have raised privacy concerns and prompted US lawmakers and the EU’s lead data protection commissioner to say they are looking into the allegations. “This is a perfect example of why we need to reform [the Fisa Amendments Act],” said the Electronic Frontier Foundation, a digital rights campaign group. “Absent such reform, congress must not reauthorise section 702 [of Fisa, which permits warrantless surveillance] when it expires at the end of next year.”