A government directive ordering Yahoo to scan customer emails was issued by the Foreign Intelligence Surveillance Court, requesting the company essentially sift through incoming email streams for a digital signature associated with a known terror organization, a federal law enforcement official said Wednesday.
The official, who is not authorized to comment publicly on the matter, said the nature of the order did not require the company to design a program to comply with the request. Rather, the company was able to employ existing tools to execute the request.
Any information that may have been provided, the official said, would have been limited to material associated with the organization’s digital signature.
The official declined to comment on whether useable information was obtained in the process, which is believed to have ceased.
The account, first reported Wednesday by the The New York Times, confirms Yahoo was working with the U.S. government to scan emails and elaborates on a Reuters report earlier this week which disclosed Yahoo’s unusual cooperation.
Reuters said Tuesday the company had built a special software program to scan emails for specific information at the request of the National Security Agency or Federal Bureau Investigation. Former Yahoo employees told Reuters that the scanning involved hundreds of millions of Yahoo email accounts.
That report rocked tech companies, as the firms have sought to distance themselves from the Edward Snowden-leaked revelations about how tech companies worked with the government to divulge consumer information.
Yahoo on Wednesday said, “The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.” The comment went further than its initial response, that, “Yahoo is a law abiding company, and complies with the laws of the United States."
Reuters responded: “Yahoo has provided us with no specifics to support its claim that the Reuters article is misleading. We are confident in the accuracy and fairness of our story.”
Yahoo did not respond to a request for comment on the Times story.
The Yahoo incident would be the first case of a U.S.-based Internet company searching all incoming messages rather than scanning stored messages or focusing on a small number of accounts, a red flag for privacy advocates. It also comes at a terrible time for Yahoo, already under scrutiny after it said last month that a state-sponsored actor had stolen information on 500 million customer accounts in 2014.
Privacy advocates have decried the use of Section 702 of the 2008 FISA Amendments Act — crafted to allow U.S. intelligence agencies to gather information on foreign nationals living outside the United States — as a means of compiling personal communication data on Americans.
"If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency,” American Civil Liberties Union attorney Patrick Toomey said.
White House Press Secretary Josh Earnest said he couldn’t confirm the Reuters report or discuss its specifics. But he said that under an update of the Patriot Act passed by Congress last year, the use of electronic surveillance is narrowly tailored and subject to oversight.
“The United States only uses signals intelligence for national security purposes and not for the purpose of indiscriminately reviewing the e-mails or phone calls of ordinary people, and certainly not of law-abiding American citizens.”
This controversy won't help Yahoo, which is the midst of merging with Verizon, which agreed to take it over for $4.8 billion.
Yahoo should have done more to explain its role in the email scanning situation, said Michael Gordon, CEO of Group Gordon, a corporate and crisis public relations firm in New York.
"There are still open questions because they are calling it misleading but are not saying exactly what they do and what they don’t do," he said. "They should be more specific about where the story was wrong. It was a vague statement that did not put the story to bed," he said.
Contributing: Gregory Korte and Kevin Johnson in Washington, D.C. and Elizabeth Weise in San Francisco.
Follow Mike Snider on Twitter: @MikeSnider
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.