Yahoo called the report that the company scanned its customers’ incoming emails “misleading.” This comes as new revelations about its cooperation with the government emerge.
“This article is misleading,” Yahoo said in a statement on Wednesday, according to Bloomberg. “We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”
Reuters asked Yahoo to “identify any specific way in which the story was misleading, or whether the operation described by Reuters had previously existed.” Yahoo declined to comment.
Reuters reported Tuesday that Yahoo complied with a classified US government demand to search customers’ incoming emails for specific information provided by US intelligence officials.
Yahoo had “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by US intelligence officials,” Reuters reported.
New details emerged Wednesday that showed Yahoo was ordered by the Justice Department last year, through an order for a judge of the Foreign Intelligence Surveillance Court, to search incoming emails for the digital “signature” of a communications method used by a state-sponsored, foreign terrorist organization, according to The New York Times.
“To comply, Yahoo used a modified version of its existing systems that were scanning all incoming email traffic for spam, malware and images of child pornography,” the newspaper reported. “The system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature.”
@LizaGoitein If Yahoo repurposed pre-existing CP/spam scanning systems as claimed in the articles, scan would likely included content.
— Edward Snowden (@Snowden) October 5, 2016
Yahoo was prohibited from disclosing anything about the order and reportedly the collection is no longer taking place.
Sources told Reuters the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
Technology companies such as Yahoo, Google and Microsoft are required by law to report any child pornography they pick up in their email traffic and digital uploads to the National Center for Missing and Exploited Children. They similarly search traffic for malware and spam, which companies disclose in their terms of service.
The New York Times said the use of that technology to carry out a FISA order “to search for a digital signature used by a foreign power is rare.”
Alphabet Inc’s Google and Microsoft Corp told Reuters that they had not conducted such email searches.
“We’ve never received such a request, but if we did, our response would be simple: ‘No way,'” a spokesman for Google said in a statement.
Yahoo CEO Marissa Mayer is facing increasing criticism about how she handles user data after Verizon agreed to pay $4.8 billion for Yahoo’s core assets in a deal expected to wrap up next year. The report came less than two weeks after the web portal admitted the personal information of at least 500 million users was stolen in an attack on its accounts in 2014.
The revelations have also prompted questions in Europe over whether EU citizens’ data has been compromised and could thwart a new trans-Atlantic data sharing deal.
Under the so-called Privacy Shield data sharing deal, which the US and EU agreed to in February, US companies are allowed to move data on EU clients to the United States. As part of the agreement the US ruled out indiscriminate mass surveillance.