Yahoo email scandal could derail Safe Harbour replacement

Reports of mass email surveillance prompt fears of rights infringements

Yahoo's alleged scanning of user emails on behalf of the US government could undermine the newly agreed Privacy Shield data regulations if the reports turn out to be true.

Ireland's data protection commissioner, which is the lead European regulator on privacy issues for Yahoo, is making inquiries as to whether any European citizens may have been affected.

"Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern," the regulator said in a statement.

According to both Reuters and The Times (subscription required), European politicians have called on the European Commission to investigate the matter, with lawyers saying a legal challenge to the Privacy Shield agreement, which was settled on earlier this year, is now more likely.

In the US, the legality of Yahoo's reported actions has also been called into question.

Patrick Toomey, a staff attorney with the American Civil Liberties Union (ACLU), told IT Pro: "Based on [Reuters's initial report] the order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit."

In the UK, however, it has been claimed this behaviour may not be illegal even if UK citizens were among the subjects of the alleged spying.

Privacy International legal officer Camilla Graham Wood told IT Pro: "The information on the scanning of emails by Yahoo remains sparse. It is important to note that similar powers exist in the United Kingdom, in the form of the Investigatory Powers Bill. There has been little public debate about how intrusive such powers are. The fault lies with the Government in failing to clearly inform the public about the broad spectrum of powers that will be authorised by the Investigatory Powers Bill.

"We do not know if the UK Government has already requested that companies scan their customers' emails on a bulk scale, but we do know that this will be possible under the Investigatory Powers Bill, if we look at powers such as Technical Capability Notices."

IT Pro contacted two telcos known to have used Yahoo's email services, either in the past or currently (Sky and BT), to find out if their customers may be among those who allegedly had their data scanned.

A BT spokesman said: "Yahoo have stated they are a law abiding company and comply with the laws of the United States." Sky did not respond to IT Pro's request for comment.

According to The New York Times, Yahoo was forced by a secret court order to adapt existing software, which scans for spam and images of child abuse being sent to Yahoo Mail addresses, "to search for messages containing a computer 'signature' tied to the communications of a state-sponsored terrorist organisation", citing "several people familiar with the matter".

"With some modifications, the system stored and made available to the [FBI] a copy of any messages it found that contained the digital signature," the NYT reported.

"The order was unusual because it involved the systematic scanning of all Yahoo users' emails rather than individual accounts," the newspaper added.

Several other tech companies, including Google, Facebook, Microsoft and Twitter said they had never received this kind of request and that if they had, or do in the future, they would fight the order in court.

05/10/2016: Yahoo 'snooped on users' emails and passed data to the NSA'

Yahoo has secretly been scanning its customers' emails and sending information contained in them to the NSA, according to a Reuters report.

Three former Yahoo employees and a fourth person "apprised of the events" allegedly told Reuters the beleaguered company last year "secretly created a software programme to search all [Yahoo Mail] customers' incoming emails for specific information provided by the US intelligence officials".

The details of the case are a little hazy beyond this information: Reuters was unable to determine what keywords or information were being scanned for, what information (if any) was handed over, or whether any other email providers were asked to comply with the same order.

However, the news agency's sources did indicate that the decision to comply with the request was one of the reasons the company's then-CIO, Alex Stamos, resigned in June 2015.

In a statement to Reuters, a spokesperson said: "Yahoo is a law abiding company, and complies with the laws of the United States."

The situation has riled both privacy campaigners and the tech community at large.

Jim Killick, executive director of the Open Rights Group, told IT Pro: "This could be very damaging for Yahoo and will no doubt affect the trust its customers have in their services. Surveillance should be carried out through a transparent legal framework and only in response to warrants.

"While there may be a need for companies to scan incoming emails for malware and spam ... they should not indiscriminately spy on customers who are not suspected of any crime. Yet again we need more transparency about how companies are working with law enforcement and security agencies."

Rafael Laguna, CEO of Open-Xchange said: "The integrity of Yahoo as an email provider is in tatters. As a user, if you're not having your details leaked online you can be sure the US government is rifling through your emails and attachments. This utter disregard for the consent of law abiding citizens is shocking but it is something the NSA and GCHQ increasingly believe they can do with impunity."

Only last month Yahoo confirmed that a hack in late 2014 had obtained 500 million people's usernames and passwords, with the search giant blaming a "nation state actor".
