Say 'Hi' to the NSA in Your Next Email

It's been a rough month for Yahoo. Within a few weeks, the struggling tech company was accused of undermining its customers' security and privacy, after news of a massive 2014 hack of user data was followed up this fall by allegations of involvement in an unprecedented government surveillance program. The question now is whether more tech companies are secretly complying with federal orders to spy on us.

For Yahoo, the woes started in late September, when chief information security officer (CISO) Bob Lord delivered some harsh news on the firm's official Tumblr account: Yahoo had been hacked. Lord confessed that the account information of some half a billion customers had been extracted and rested in the hands of unknown parties. Fortunately, no financial information appears to have been leaked. Still, the names, email addresses, birthdays, telephone numbers, security questions, and passwords of 500 million users had been successfully lifted in the 2014 incident.

Then, in early October, Reuters reported that Yahoo secretly allowed a massive government surveillance program to scan all incoming emails to Yahoo accounts. The custom software program was reportedly built by Yahoo at the behest of the National Security Agency (NSA) and the FBI, at the direction of a Foreign Intelligence Surveillance Court judge.

According to Reuters' unidentified sources ("three former employees and a fourth person apprised of the events"), the decision of Yahoo Chief Executive Officer (CEO) Marissa Mayer to follow the directive angered some senior executives at Yahoo, and led to the departure of then-CISO Alex Stamos in June 2015.

The New York Times reports a history of skirmishes between Stamos and Yahoo executives over how much to invest in security. Stamos, who is known in the industry as something of a privacy and security hardliner, often butted heads with Mayer, the Times said. Mayer was fearful that the introduction of standard security measures, like an automatic reset of all user passwords, would anger Yahoo users and drive them away to other services. Yet few things can drive users away quite like a record-setting security breach...

After the hack was revealed, Yahoo encouraged affected users to change their passwords and security questions immediately. But this was almost certainly too little, too late. Many people re-use the same exact password and security questions for many, if not all, of their online accounts. A criminal who had the hacked data could have gained access to all sorts of users' other accounts with these "master" passwords and answers to security questions. Even if this hasn't happened yet, many Yahoo users won't change their passwords for other websites and a good number won't even change their Yahoo passwords.

The company was quick to blame the attack on "state-backed actors." But as some skeptical information-security experts have pointed out, this excuse is often deployed to downplay suggestion of company negligence. In the words of security writer Bruce Schneier, "'state-sponsored actor' is often code for 'please don't blame us for our shoddy security because it was a really sophisticated attacker and we can't be expected to defend ourselves against that.'"

Unfortunately for Yahoo, the hacking news broke right in the middle of a $4.83 billion acquisition deal with Verizon. The purchase was expected to infuse new direction and capital into the legacy tech company. Now, it looks like Verizon may be hoping to get a $1 billion discount if it does go ahead with the deal.

But the hacking of Yahoo user account data is small compared to recent revelations about the company cooperating with government surveillance. It's unclear what exactly the NSA and FBI were looking for, but sources told The New York Times that some Yahoo tools to scan emails for spam and child pornography had been modified to scan for email signatures linked to a state-sponsored terrorist group.

Others took issue with this characterization, however, with Motherboard reporting that the program was not designed or intentionally installed by Yahoo's security team at all. According to Motherboard's anonymous sources within Yahoo, the "poorly designed" and "buggy" malware was injected by external groups. When it was discovered internally, in May 2015, "they assumed it was a rootkit installed by hackers," one source said. "If it was just a slight modification to the spam and child pornography filters, the security team wouldn't have noticed and freaked out."

In this version of events, it's unclear who initially injected the government malware. After it was uncovered by the security team, however, Yahoo management was alerted—and took swift measures to keep it a secret.

In a statement, Yahoo simply said: "Yahoo is a law abiding company, and complies with the laws of the United States."

Whether the surveillance program was custom-built or passively allowed, it seems clear that it was at least tacitly approved of by Yahoo executives.

This represents a novel public-private surveillance partnership. Tech companies have collaborated with government snooping in the past, of course, when required by law. But this has typically been limited to the searching of stored communications or the targeting of a limited number of accounts for detailed scanning. In this situation, Yahoo allegedly allowed software to scan the contents of all emails sent to Yahoo accounts in real time, including those sent from within the United States.

Intelligence agencies are subject to relatively stricter limitations when undertaking surveillance that affects what's called a "U.S. person." Some NSA watchers believe that reports describing this program as a "directive" suggest it may have been authorized under Section 702 of the 2008 FISA Amendments Act, which is not supposed to intentionally target the communications of U.S. persons.

Electronic Frontier Foundation (EFF) attorney Andrew Crocker told The Guardian that the Yahoo program looks like a hybrid of bulk data-collection programs revealed by Edward Snowden, PRISM and UPSTREAM. Subjecting U.S. persons to such bulk surveillance is probably a big no-no, constitutionally speaking.

But is Yahoo the only potential NSA and FBI collaborator? Intelligence agencies, seeking to cast the widest net possible, would have an incentive to seek such orders from all of the most-popular email and communication services. This is speculation, however. And other tech companies are claiming innocence.

"We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo," said a Microsoft statement. Google went with, "We've never received such a request, but if we did, our response would be simple: 'no way.'" Facebook and Twitter likewise denied they had received any such requests, and said they would fight back if they did. And Apple, which made waves earlier this year for very publicly fighting a backdoor request from the FBI, said the same.

But the careful reader will note the fuzziness in such statements. Perhaps these companies have not engaged in the secret scanning of email traffic "like what has been reported about Yahoo." Perhaps they do it in a different manner. Or these companies may have told the NSA to take a hike, and the NSA may have installed malware to secure its aims anyway (as Motherboard suggests was the case with Yahoo). Plus, we can't forget the extreme use of gag orders on technology providers.

Reuters was unable to verify whether tech companies other than Yahoo participated.

However deep this does or does not go, Yahoo's worst-month-ever provides a very good lesson about security and privacy: major third-party web-service providers are full of security holes.

We trust that some combination of conscience and profit motive will compel these companies to protect our security and privacy. Yet Yahoo seems to have failed customers on both counts: It allowed its security to falter, even though this could harm its reputation and future profitability, and it allowed government agencies to compromise customers' privacy even though many people who worked there—especially former CISO Stamos—had a strong moral commitment to privacy. Perhaps Google, Facebook, and Microsoft have stronger institutional commitments regarding privacy, or at least a sharper eye toward maintaining their profit margins. But maybe not. And if that is the case, it is only a matter of time until another "Yahoo" makes itself known.

The truth is that there are major security vulnerabilities baked into the designs of most of the technology services that we use every day. Technologies that are truly privacy- and liberty-enhancing will reflect that commitment in their designs. One good example is encrypted-messaging app Signal, which is set up so developers would be unable to turn over private information to the government even if they wanted to. For now, such technologies are difficult to build and not exactly embraced enthusiastically by powerful governments. But for people who desire privacy and security that does not rely on the tech-companies' better angels, such services present a real and hopeful alternative to the uncertain status quo.