Skip to content
Naked Security Naked Security

Did Yahoo spy on its users’ emails for the NSA?

While the other tech giants rush to refute involvement Yahoo remains muted.

Just when Yahoo email users thought they had settled their long-running privacy dispute with the company, Reuter’s Joseph Menn has revealed that those users’ emails weren’t just being scanned to improve targeted advertising:

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials, according to people familiar with the matter.

Some of those people – three or four former employees – have revealed that the company complied with a classified US government demand to scan hundreds of millions of Yahoo Mail accounts for the NSA (National Security Agency) or FBI.

It is understood that the request came in the form of a classified edict sent to the company’s legal team that asked Yahoo to search incoming correspondence for something specific (it isn’t clear what though.)

Reuters was unable to determine what, if any, data was handed over. Yahoo did, however, offer a brief – though not very insightful – statement:

Yahoo is a law abiding company, and complies with the laws of the United States.

The decision by Yahoo to spy on its users on behalf of the US government is also alleged to have led to the hitherto unexplained departure of Chief Information Security Officer Alex Stamos, who is now at Facebook.

A first

This seems to be the first case of a company being asked to search emails in real time, although US agencies have in the past asked US internet companies to search stored correspondence. One example of that is the Microsoft vs the US Department of Justice case, when Microsoft was deemed as being in contempt of court for not handing over the information requested.

It seems that this kind of surveillance might be an unintended consequence of tech companies’ rush to better encrypt their communications following the discovery of PRISM, XKeyscore and the rest of the NSA bag of tricks revealed by Edward Snowden. According to former NSA General Counsel Stewart Baker:

…with that [encryption] comes added responsibility to do some of the work that had been done by the intelligence agencies.

Yahoo was actually something of a latecomer to the email encryption party, and Menn cites intelligence experts who note that it’s “likely that the NSA or FBI had approached other internet companies with the same demand.”

The other tech giants

Yahoo’s peers have reacted with what the The Wall Street Journal describes as overwhelming denial. Here’s the rundown:

Google has firmly denied even receiving such a demand:

We’ve never received such a request, but if we did, our response would be simple: ‘No way’

Microsoft denied any secret scanning without commenting on whether it had received any demands:

We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.

Meanwhile, Twitter referred to its transparency lawsuit when it spoke to TechCrunch:

We’ve never received a request like this, and were we to receive it we’d challenge it in a court. […] we are currently suing the Justice Department for the ability to disclose more information about government requests.

Apple, who famously declined to help the FBI crack a dead terrorist’s iPhone earlier this year said:

We have never received a request of this type. If we were to receive one, we would oppose it in court.

And when it asked Facebook, TechCrunch reports that the company responded:

Facebook has never received a request like the one described in these news reports from any government, and if we did we would fight it.

Was information shared?

We took a look at Yahoo’s transparency report for around the time this scanning would have taken place: the spring of 2015.

The actual number of accounts shared was relatively low at 21,000 to 21,499 for the six months from January 1 2015 to June 30 2015. Just one year earlier, an additional 6,000 accounts were shared and two years earlier an additional 9,000 accounts were shared.

While we may never know whether Yahoo did actually share any data as a result of this reported US government request, the company isn’t making the same strong public denial of being involved in secret government email scanning that its competitors are.

This latest revelation comes after a disastrous month for a company that remains huge despite giving the appearance of almost perpetual decline since the 1990s.

In September, the company revealed that “at least” half a billion user accounts had been stolen in a security breach in 2014. Not only did the company take two years to disclose the breach, it also declined to offer its users the most basic protection of a password reset in its aftermath, apparently for fear of losing customers.


Never had much confidence in this company, always considered the name they’d adopted to be warning enough!

Yahoo: noun, informal
A rude, noisy, or violent person.


As much as any company would want to deny it happened to them, and loose the trust of their customers. I seriously doubt anyone can get away with saying No to the most powerful gangs on earth. When those other companies say they would say no, it’s the nondisclosure/gag orders that will keep them from admitting it if they wanted to.
The only way you can test this is,, maybe to have a conversation over Gmail that talks about the planning of a (although fake) terror attack. Unfortunately, you will likely end up in a real jail or worse – since the NDAA allows torture and indefinite detention (jail or death with no trial, phone call, or anyone knowing you were taken). I would advise against testing it.


When I was a teenager (which was a while ago) I first heard about Echelon, the original blanket surveillance program that may or may not have ever existed. I read that it was triggered by keywords – say them and your call would be monitored – so I agreed with my best friend that we would start *all* of our phone calls with “Prince Charles, terrorist, bomb”, a phrase we felt sure would trip the ‘listen’ switch. We were amused by the thought that by starting with those words we’d force some poor guy or girl to listen in on our otherwise entirely unexciting calls full of teenage drivel.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!