Reuters is reporting that, in 2015, Yahoo complied with an order it received from the U.S. government to search all of its users’ incoming emails, in real time.
If the report is accurate, it represents a new expansion of the U.S. government’s mass surveillance techniques.
In a carefully worded statement that stops short of a denial, Yahoo said a Tuesday Reuters report is "misleading," saying that "the mail scanning described in the article does not exist on our systems." Yahoo added that it complies with U.S. law and that it interprets every government request for data "narrowly" to "minimize disclosure."
This isn’t the first time the U.S. government has been conducting unconstitutional mass surveillance of Internet communications in real time. The NSA’s Upstream surveillance program - the program at the heart of our ongoing lawsuit Jewel v. NSA - bears some resemblance to the surveillance technique described in the Reuters report. In both cases, the government compels providers to scan the contents of communications as they pass through the providers’ networks, searching the full contents of the communications for targeted "selectors," such as email addresses, phone numbers, or malware "cybersignatures."
Mass surveillance of Yahoo’s emails is unconstitutional for the same reasons that it'sunconstitutional for the government to copy and search through vast amounts of communications passing through AT&T’s network as part of Upstream. The warrantless surveillance of millions of Yahoo users’ communications described in the Reuters story flies in the face of the Fourth Amendment’s prohibition against unreasonable searches. Surveillance like this is an example of "general warrants" that the Fourth Amendment was directly intended to prevent.
While illegal mass surveillance is familiar, the Yahoo surveillance program represents some deeply troubling new twists.
First, this is the first public indication that the government has compelled a U.S.-based email provider-as opposed to an Internet-backbone provider-to conduct surveillance against all its customers in real time. In attempting to justify its warrantless surveillance under Section 702 of the FISA Amendments Act-including Upstream and PRISM-the government has claimed that these programs only "target" foreigners outside the U.S. and thus do not implicate American citizens’ constitutional rights. Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely domestic communications involving millions of Yahoo users.
Second, the story explains that Yahoo had to build new capabilities to comply with the government’s demands, and that new code may have, itself, opened up new security vulnerabilities for Yahoo and its users. We read about new data breaches and attempts to compromise the security of Internet-connected systems on a seemingly daily basis. Yet this story is another example of how the government continues to take actions that have serious potential for collateral effects on everyday users.
The question is whether Yahoo the only company to be compelled to engage in this sort of mass surveillance.
Google, whose Gmail is the world's largest email service, said Tuesday that it hadn't received a similar spying request from the request from the U.S. government.
Twitter, which allows users to exchange direct messages, likewise said it has never received such a request and would challenge it in court if it did. Facebook said it would "fight" such a request should it ever receive one.