Since word spread that Yahoo! backdoored its own email servers for US intelligence services, we've heard from rival webmail providers denying they have put in place similar arrangements.
That Yahoo! has a cosy relationship with the Feds is not surprising, especially given what we know about PRISM and Section 702 of the Foreign Intelligence Surveillance Act. What is bizarre is that Yahoo!'s engineering team did not, it is claimed, involve its internal security team and introduced exploitable vulnerabilities into the email scanning system.
There's also the issue that this blanket surveillance, as reported, potentially scoops up private and personal communications of millions of innocent people.
We asked Google if it created a similar mechanism in which g-men can search all incoming messages for certain keywords, or if it has been asked to. A spokesman told us:
"We've never received such a request, but if we did, our response would be simple: 'No way.'"
Facebook was equally unequivocal: "Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it."
Microsoft and Twitter have also denied implementing such a system. Meanwhile Yahoo! is sticking to its mealie-mouthed "we haven't broken any laws" statement.
So what does the California-based Purple Palace mean by that? It could mean that they broke no laws because the web giant's terms and conditions allow it to do pretty much what it likes with customers' data. Technology companies' T&Cs are notoriously flexible after all.
But what about the law of the land? The plethora of US laws on surveillance gives the intelligence community a wide legal remit, but not a total one – at least when it comes to the data of American citizens.
"Really disappointing thing about Yahoo building wiretap capability for NSA is they are in 9th circuit where law says they don't have to..." — Kevin Bankston (@KevinBankston), October 4, 2016
Section 702 of the Foreign Intelligence Surveillance Act may allow this kind of snooping, albeit only on foreigners. Section 215 of the Patriot Act would allow snoops to slurp metadata describing Americans' communications – although not the content of messages themselves. It is entirely possible the message searching software is an extension to the PRISM access Yahoo! had already granted to government analysts, or that this is a system for executing lawful wiretaps.
You would hope that Yahoo! sought to make sure that its backdooring was legal before implementing a special Feds-only entrance. Presumably someone in the US government assured them that the spying was legal. It seems Yahoo! didn't put up much of a fight.
We'll never know for sure why this came about – the email scanning system was hastily created after the biz received a secret directive from Uncle Sam – but one potential reason does come to mind. Well, several million reasons to be precise.
The US government isn't shy about ponying up the cash for companies it wants to do business with. AT&T was reportedly taking $10m a year from the CIA to provide lists of overseas telephone calls from its customers, and RSA is alleged to have taken a similar amount from the NSA to promote an insecure random number generator in its cryptography software.
As for the PRISM monitoring scheme, of which Yahoo! was an early joiner, participating companies that opened their servers were entitled to reasonable compensation in exchange for allowing the intelligence community to get hold of their data.
Could it be that Y! CEO Marissa Mayer, faced with an increasingly precarious financial position after two years of failed leadership, decided to open a new revenue stream from the government? If so it was an astoundingly dumb move, and we recommend users make like its former chief information security officer Alex Stamos and get the hell out of there.