Yahoo data breach

If you harbour Edward Snowden-era suspicions about the state of internet surveillance by the US intelligence establishment and vassal state agencies like our own Australian Signals Directorate, you might have taken comfort from Barack Obama’s assurance, delivered overnight in Germany, that it no longer happens. “This is not a situation in which we are rifling through the ordinary emails of German citizens or American citizens or French citizens or anybody else,” he said while standing next to Angela Merkel, on whom the National Security Agency directly spied.

But with excruciating timing, Reuters was dropping an absolute bombshell of a report at that very moment. The NSA, it turns out, is “rifling through ordinary emails” — if you’re one of the (few) people using Yahoo Mail. Not merely did Yahoo co-operate with a request from US intelligence agencies for access to its email systems last year, it actually custom-built software to scan every single incoming email of a Yahoo account.

The company did so pursuant to a national security order that CEO Marissa Mayer decided not to challenge in court — prompting its chief information security officer Alex Stamos to immediately quit when he learnt what had happened. According to the Reuters report:

“… the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in. When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.”

As Snowden himself noted, the story contains potentially shocking implications for all hosted email providers, and other companies have rushed to make clear that they have not made Yahoo’s mistake. Since 2013, Silicon Valley has muscled up on encryption and surveillance, conscious of the reputational damage of the Snowden revelations. End-to-end encryption has been established as the default on services run by major companies like Google and Apple, and companies have taken a much more aggressive legal stance against government demands for surveillance access. Google and Microsoft both denied conducting searches similar to Yahoo’s, and Google added: “we’ve never received such a request, but if we did, our response would be simple: ‘No way’.” Apple has also said (by pointing to earlier statements) that it would never co-operate with similar requests; Twitter also said it had never received such a request and would fight one in court. Facebook (where Stamos went after Yahoo) has now said the same thing.

And note the point that Stamos thought the software had been put in place by hackers and could have been exploited by hackers — yet again demonstrating that back doors into IT systems actually make us less secure, not more secure.

Yahoo was recently sold to Verizon for $5 billion — an ignominious end for one of the early internet giants that has lived in the shadow of Google for 15 years or more. Verizon might be about to discover that $5 billion was too much. As Snowden advised about Yahoo, “close your account today.” This story has a way to go yet.