Internet companies’ fortunes are tied to user trust. Yahoo just lost that trust.
News reports this week suggest the company helped the United States government search the incoming emails of Yahoo users, a massive violation of privacy of hundreds of millions of accounts.
Citing information from several former Yahoo employees, Reuters reported Yahoo built a custom program to scan all incoming emails for a specific set of characters in response to a classified request from the US government. The details of the US demand are not clear, nor is the legal basis of the request. Regardless, this incident underscores that US’s surveillance reforms post-Snowden haven’t gone far enough to prevent mass, disproportionate surveillance.
It also discredits Yahoo’s public and private opposition to US surveillance. Yahoo gained respect when previously classified documents revealed it challenged national security surveillance demands as early as 2008, though that challenge was unsuccessful. But CEO Melissa Mayer and other executives did not challenge the government this time, according to reports, secretly ordering engineers to comply. The reports suggest that these actions led the firm’s chief information security officer to resign in protest.
If true, these actions call into question the company’s claims in its transparency report that it will “fight any requests that we deem unclear, improper, overbroad, or unlawful,” as well as the human rights commitments it has made to safeguard privacy.
Yahoo issued a statement calling the article “misleading” and stated that the “mail scanning described in the article does not exist on our systems.” But the company’s response does not explain what aspects are misleading, nor does it foreclose the possibility that the company conducted mass scanning for the US in the past, even if it isn’t currently doing so now.
Users of other US email services shouldn’t feel too sanguine; it is possible similar orders have been served on other companies. If so, they are likely prohibited to speak about them under broad gag orders the government reflexively demands in these situations. However, several firms, including Google, Microsoft, Twitter, and Facebook, have issued carefully crafted statements, some stating they would fight any such request if they receive one.
These companies operate globally in many challenging political environments, where courts exercise no independent judgment and litigation may be futile. But the US is not one of those places. The US government still has much work to do to ensure privacy abuses can be identified and remedied; for one thing, it should explain this program – and its legal foundation – to the public. In the meantime, tech companies should be exhausting all available avenues to legally challenge the National Security Agency’s (NSA) invasive surveillance practices, as well as fighting for their ability to disclose the US’s privacy abuses to their users.
Earlier this year, Yahoo announced it was selling itself to Verizon, marking an end to one of the web’s first corporate giants. To Yahoo’s hundreds of millions of users, this week’s allegations mark a more ignominious end to Yahoo’s credibility. Other tech companies should take note.