Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency’s demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company’s legal team by the NSA or FBI.
Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act (FISA), intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.
Former NSA General Counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”
Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal. Yahoo Chief Executive Marissa Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose. In 2007, Yahoo had fought unsuccessfully a FISA demand that it conduct searches on specific email accounts without a court-approved warrant.
The company ended up scanning hundreds of millions of Yahoo Mail accounts for U.S. intelligence. It is unknown what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers such as Google and Microsoft Corp with this kind of request.
A similar request was made of Apple Inc earlier this year when the FBI asked it to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party.
In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo’s security practices.