Yahoo email scandal could derail Safe Harbour replacement

Yahoo's alleged scanning of user emails on behalf of the US government could undermine the newly agreed Privacy Shield data regulations if they turn out to be true.

Ireland's data protection commissioner, which is the lead European regulator on privacy issues for Yahoo, is making inquiries as to whether any European citizens may have been affected.

"Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern," the regulator said in a statement.

According to both Reuters and The Times (subscription required), European politicians have called on the European Commission to investigate the matter, with lawyers saying a legal challenge to the Privacy Shield agreement, which was settled on earlier this year, is now more likely.

In the US, the legality of Yahoo's reported actions has also been called into question.

Patrick Toomey, a staff attorney with the American Civil Liberties Union (ACLU), told IT Pro: "Based on [Reuters's initial report] the order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit."

In this country, however, it has been claimed this behaviour may not be illegal even if UK citizens were among the subjects of the alleged spying.

Privacy International legal officer Camilla Graham Wood told IT Pro: "The information on the scanning of emails by Yahoo remains sparse. It is important to note that similar powers exist in the United Kingdom, in the form of the Investigatory Powers Bill. There has been little public debate about how intrusive such powers are. The fault lies with the Government in failing to clearly inform the public about the broad spectrum of powers that will be authorised by the Investigatory Powers Bill.

"We do not know if the UK Government has already requested that companies scan their customers' emails on a bulk scale, but we do know that this will be possible under the Investigatory Powers Bill, if we look at powers such as Technical Capability Notices."

IT Pro contacted two telcos known to have used Yahoo's email services, either in the past or currently, Sky and BT, to find out if their customers may be among those who allegedly had their data scanned.

A BT spokesman said: "Yahoo have stated they are a law abiding company and comply with the laws of the United States." Sky did not respond to IT Pro's request for comment.

According to The New York Times, Yahoo, forced by a secret court order, adapted existing software, which scans for spam and images of child abuse being sent to Yahoo Mail addresses, "to search for messages containing a computer 'signature' tied to the communications of a state-sponsored terrorist organisation", the newspaper citing "several people familiar with the matter".

"With some modifications, the system stored and made available to the [FBI] a copy of any messages it found that contained the digital signature," the NYT reported.

"The order was unusual because it involved the systematic scanning of all Yahoo users' emails rather than individual accounts," the newspaper added.

Several other tech companies, including Google, Facebook, Microsoft and Twitter said they had never received this kind of request and that if they had, or do in the future, they would fight the order in court.

05/10/2016: Yahoo 'snooped on users' emails and passed data to the NSA'

Yahoo has secretly been scanning its customers' emails and sending information contained in them to the NSA, according to a Reuters report.

Three former Yahoo employees and a fourth person "appraised of the events" allegedly told Reuters the beleaguered company last year "secretly created a software programme to search all [Yahoo Mail] customers' incoming emails for specific information provided by the US intelligence officials".

The details of the case are a little hazy beyond this information: Reuters was unable to determine what keywords or information were being scanned for, what information (if any) was handed over, or whether any other email providers were asked to comply with the same order.

However, the news agency's sources did indicate that the decision to comply with the request was one of the reasons the company's then-CIO, Alex Stamos, resigned in June 2015.

In a statement to Reuters, a spokesperson said: "Yahoo is a law abiding company, and complies with the laws of the United States."

The situation has riled both privacy campaigners and the tech community at large.

Jim Killock, executive director of the Open Rights Group, told IT Pro: "This could be very damaging for Yahoo and will no doubt affect the trust its customers have in their services. Surveillance should be carried out through a transparent legal framework and only in response to warrants.

"While there may be a need for companies to scan incoming emails for malware and spam ... they should not indiscriminately spy on customers who are not suspected of any crime. Yet again we need more transparency about how companies are working with law enforcement and security agencies."

Rafael Laguna, CEO of Open-Xchange, said: "The integrity of Yahoo as an email provider is in tatters. As a user, if you're not having your details leaked online you can be sure the US government is rifling through your emails and attachments. This utter disregard for the consent of law abiding citizens is shocking but it is something the NSA and GCHQ increasingly believe they can do with impunity."

Only last month, Yahoo confirmed that a hack in late 2014 had obtained 500 million people's usernames and passwords, with the search giant blaming a "nation state actor".

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.