Reuters reported Tuesday that Yahoo built a software system last year to scan all incoming email for specific information provided by intelligence officials, in compliance with a classified U.S. government directive. PHOTO: EUROPEAN PRESSPHOTO AGENCY
By ROBERT MCMILLAN and DAMIAN PALETTA
Updated Oct. 5, 2016 3:21 p.m. ET
Big technology companies, including Google, Microsoft Corp., Twitter Inc. and Facebook Inc. denied scanning incoming user emails on behalf of the U.S. government, following a report that Yahoo Inc. had built such a system.
Reuters reported Tuesday that Yahoo had built a software system last year to scan all incoming email for specific information provided by intelligence officials, in compliance with a classified U.S. government directive.
The system was built without the knowledge of Yahoo’s security team, and its discovery prompted the departure of Yahoo’s then-Chief Information Security Officer Alex Stamos, Reuters reported. Mr. Stamos declined to comment.
It is unclear whether Yahoo ever provided the government with information gleaned from the system.
In a statement Tuesday, Yahoo said it “is a law abiding company, and complies with the laws of the United States.” On Wednesday, Yahoo issued a second statement, describing the Reuters article as “misleading” and saying the mail scanning system “does not exist.”
According to Reuters, the Yahoo system contained a flaw that could have allowed hackers to access email messages.
The Reuters account suggested the surveillance program differed from those revealed by former National Security Agency contractor Edward Snowden in 2013. In those programs, the government gained access to messages involving specific targets. But the Yahoo tool reportedly examined all incoming email.
The report sparked criticism from some lawmakers and privacy advocates.
“The NSA has said that it only targets individuals…by searching for email addresses and similar identifiers,” said Sen. Ron Wyden (D., Ore.), a member of Senate Intelligence Committee, in an emailed statement. “If that has changed, the executive branch has an obligation to notify the public.”
Patrick Toomey, a staff attorney with the American Civil Liberties Union, said “We have never heard or seen an order requiring an email provider to do something like this.”
In a statement, Richard Kolko, a spokesman for the Office of the Director of National Intelligence, said intelligence gathering is overseen by the Foreign Intelligence Surveillance Act, and any activity is “narrowly focused on specific foreign intelligence targets and does not involve bulk collection or use generic key words or phrases.” The statement also said the U.S. only looks at electronic communication for national-security purposes “and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people.”
Representatives from the NSA and the White House declined to comment.
Other messaging providers reached Tuesday said they hadn’t built similar tools. “We’ve never received such a request, but if we did, our response would be simple: ‘no way,’” a Google spokesman said via email. Google is a division of Alphabet Inc.
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” a Microsoft spokesman said via email. Microsoft didn’t respond to questions about whether it had received such a request from the federal government.
Twitter, Apple Inc. and Facebook said they hadn’t received requests, and said they would oppose any.
Over the past year, the federal government has found itself at odds with some Silicon Valley companies such as Apple and Facebook as they have developed so-called end-to-end messaging encryption systems that would prevent them from being able to monitor their users’ communications.
In March, the Federal Bureau of Investigation dropped a legal effort to compel Apple to circumvent the encryption protections of its iPhone to investigate the Dec. 2, 2015, terror attack in San Bernardino, Calif.
Yahoo last year pledged to introduce end-to-end encryption on email. But it is unclear the company ever followed through. A Yahoo spokesman didn’t immediately respond to a request for comment on encryption.