04-10-2016, 17:58 #1
[EN] Yahoo scanned customer emails for US intelligence
Yahoo’s CISO resigned in 2015 over secret e-mail search tool ordered by feds
Oct 4, 2016
Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.
Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to a spy agency's demand by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.
Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
According to the two former employees, Yahoo Chief Executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.
"Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.
Through a Facebook spokesman, Stamos declined a request for an interview.
The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.
The demand to search Yahoo Mail accounts came in the form of a classified directive sent to the company's legal team, according to the three people familiar with the matter.
U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad directive for real-time Web collection or one that required the creation of a new computer program.
"I've never seen that, a wiretap in real time on a 'selector,'" said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.
"It would be really difficult for a provider to do that," he added.
Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.
Reuters was unable to confirm whether the 2015 demand went to other companies, or if any complied.
Alphabet Inc's Google and Microsoft Corp, two major U.S. email service providers, did not respond to requests for comment.
CHALLENGING THE NSA
Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.
Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led U.S. authorities to modestly scale back some of the programs, in part to protect privacy rights.
Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal.
Some FISA experts said Yahoo could have tried to fight last year's directive on at least two grounds: the breadth of the demand and the necessity of writing a special program to search all customers' emails in transit.
Apple Inc made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.
Other FISA experts defended Yahoo's decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called "upstream" bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies' mail.
As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.
Former NSA General Counsel Stewart Baker said email providers "have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies."
SECRET SIPHONING PROGRAM
Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.
Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo's challenge was unsuccessful.
Some Yahoo employees were upset about the decision not to contest the more recent directive and thought the company could have prevailed, the sources said.
They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
Stamos's announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. (bit.ly/2dL003k)
In a separate incident, Yahoo last month said "state-sponsored" hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo's security practices as the company tries to complete a deal to sell its core business to Verizon Communications Inc for $4.8 billion.
(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)
Last edited by 5ms; 04-10-2016 at 18:08.
04-10-2016, 18:19 #2
22 Sep, 2016
Microsoft announced its first European Azure service, which offers organisations the extra reassurance that their data will be held according to local data regulations.
Microsoft Azure is available on Microsoft Cloud Germany, which is a solution developed specifically for the German market.
Like all regional European Azure services, it features a data trustee that will be tasked with overseeing the treatment of data. In the case of Microsoft Cloud Germany, the chosen trustee is T-Systems International, an independent German company and subsidiary of Deutsche Telekom.
It will ensure any data passing through the datacentres located in Magdeburg and Frankfurt is managed according to data handling regulations, giving customers the additional choice of how and where their data is processed.
The underlying context here is ongoing European concern over U.S. government mass surveillance practices and the impact those intelligence dragnets are having on the perception of data security in the commercial cloud. Also relevant: ongoing legal uncertainty following the landmark decision by Europe’s top court to invalidate the fifteen-year-old Safe Harbor transatlantic data transfer agreement between the U.S. and the EU last month — itself triggered in large part by the 2013 revelations of NSA whistleblower Edward Snowden.
Microsoft said its ‘cloud in Germany’ will launch in the second half of 2016, and will be operated under German law by T-Systems, a subsidiary of telco Deutsche Telekom. The two data centers will be based in Magdeburg and Frankfurt am Main, with Microsoft stressing this “data trustee” model means it will not have any access to customer data without the consent of the trustee, and that it cannot therefore be compelled — “even by a third party” — to hand over customer data.
However local data centers that are still operated by Microsoft currently offer little protection against U.S. intelligence agency demands for data — hence the additional option of a trustee model, relying on pro-privacy German law, in a bid to reassure European customers their data will not be sucked up by intelligence agency dragnets.
Despite Microsoft’s claims that customer data in its German trustee-run data center will be subject to German, rather than U.S., law, Forrester cloud computing analyst Paul Miller notes this is still an untested assumption, legally speaking.
“Microsoft’s lawyers and T-Systems’ lawyers argue that the German Data Trustee model, which is at the heart of this week’s deal and is governed by German law, will be effective in shielding data from U.S. demands. But, to be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal,” he said in a statement.
Last edited by 5ms; 04-10-2016 at 18:31.
04-10-2016, 19:03 #3
Former Yahoo exec reckons megahack affected 'billions' not millions of users
04 October 2016
A FORMER Yahoo executive reckons that the firm has not been 100 per cent honest about the number of people affected by the hack that has only recently been acknowledged.
Yahoo was hacked in 2014, so it is possible that even ex-employees know the scale of the problem, particularly when you consider that it must have been a pretty hot topic behind the company's walls.
Business Insider quoted the ex-exec as saying that the few hundred million hacked accounts to which the firm confessed is one of those iceberg tips that we often hear about.
"I believe it to be bigger than what's being reported. How they came up with 500 [million] is a mystery," said the unnamed person.
Yahoo is a few zeroes away from the actual total, according to the exec, who suggested that it could be anywhere from one to three billion.
This is because Yahoo hosted a lot of eggs in the same basket at the time of the hack, and all personal data resided in one main user database.
"That is what got compromised: the core crown jewels of Yahoo customer credentials," the executive said.
The official line from Yahoo is that the number is much lower. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information," said the firm at the time.
"Payment card data and bank account information are not stored in the system that the investigation has found to be affected.
"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen, and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter."
The firm is not likely to come out of this with any medals. The newly installed UK Information Commissioner has already said that Yahoo will be subjected to a thorough investigation.
04-10-2016, 20:04 #4
Yahoo may have let the government spy on emails. Now will we embrace encryption?
Not only would this likely violate the Fourth Amendment; giving the NSA or FBI a backdoor into a tech company’s innards could let hackers in too.
4 October 2016
In a blockbuster scoop, Reuters’ Joseph Menn is reporting that Yahoo secretly built a software program in 2015 that scanned all its millions of customers’ incoming emails at the behest of US intelligence officials, which led to its chief security officer resigning in protest.
We don’t know exactly what the US government might have been searching for, but we do know that this is potentially a massive privacy violation that strikes at the heart of the Fourth Amendment’s prohibition on indiscriminate search and seizure. Yahoo’s reported secret collaboration with the US government also brings up several points that warrant further investigation. (“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a statement to Reuters.)
Much of the discussion about Edward Snowden’s 2013 revelations has focused on the NSA’s mass phone spying program that the courts later ruled illegal. But many people forget that the New York Times also reported, in 2013, based on previously published Snowden documents, that the NSA had been scanning countless emails going into and out of the US for years, looking for certain keywords.
This Yahoo story seems to be an escalation of this type of “about” or “upstream” surveillance, which was once done by the NSA by secretly wiretapping internet cables owned by AT&T and others. Since many email companies have started encrypting their emails in transit since that story came out, the NSA likely can’t do that type of surveillance unilaterally (or with the help of AT&T) anymore. The US government now seems to be moving to force internet companies to do this type of mass surveillance for them, on the companies’ servers, where the data remains accessible.
Civil liberties groups have been calling this type of “about” mass surveillance - where the government scans all emails for certain keywords - illegal and unconstitutional for years. But so far, no court has ruled definitively one way or another (mainly because the US has been hiding behind official secrecy to prevent it).
Now the question reporters should be asking is: if Yahoo received this secret order, what about the other tech giants? Did Google, Facebook and Microsoft also receive similar demands to wiretap their own systems for searching all emails at the behest of the US government or others?
The Yahoo story, if borne out, would be the quintessential example of how government mandated backdoors are dangerous for everyone’s security, and why end-to-end encryption needs to be standard on all our communications platforms going forward.
Incredibly, Yahoo apparently built this backdoor into its email system without even telling its then-security chief Alex Stamos. “The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation,” Menn reported. “The security team initially thought hackers had broken in.”
Stamos was reportedly furious and resigned in protest. “Due to a programming flaw [in the software], he told [Yahoo executives] hackers could have accessed the stored emails,” Menn explained. Security experts have been highlighting for years how backdoors not only give access to the “good guys” but also could let other criminals or foreign governments into our communications systems.
This also is exactly the type of mass surveillance that end-to-end encryption would prevent. Currently, Yahoo emails are encrypted as they travel from one server to another, but can be read by Yahoo at their discretion.
Stamos is now the director of security at Facebook, which coincidentally just rolled out end-to-end encryption on its popular Facebook Messenger app, which is used by more than 900 million people around the world. Unfortunately, much like Google’s just launched (and much maligned) new chat Allo, Facebook Messenger’s end-to-end encryption is only opt-in, and so only a tiny fraction of users are likely to turn it on and use it.
This type of encryption should be standard and turned on by default in all messaging apps (and ideally email as well). Users should consider switching to apps where default end-to-end encryption is already turned on, including WhatsApp, Signal and Apple’s iMessage.
Finally, Yahoo’s possible betrayal of its users is another example of why whistleblowers and leaks to the press are so important. The US government considers this type of surveillance “legal” even though it shocks the conscience of many ordinary Americans and dozens of civil liberties groups have been attempting to have courts rule it illegal for years. The only reason we know about it is because brave people came forward at the risk of their freedom to tell us. For that, we owe them a great debt.
04-10-2016, 20:30 #5
Snowden on Google "Surveillance" Allo: ‘Whatever you do, do not use it’
Following the launch of Google’s messaging app ‘Allo‘, security experts are up in arms over Google reneging on a promise to better protect its users.
Sep 22, 2016
NSA-contractor-turned-whistleblower Edward Snowden did a hot take on Allo yesterday, after its US launch, and came to the conclusion that it was nothing more than a honeypot for US surveillance efforts.
The controversy goes back to Google’s developer conference, I/O, back in May. There, Google demonstrated the new application to a crowd at Shoreline Amphitheater while promising Allo would be encrypted and safe for users. I was in attendance, as was TNW alum Nate Swanner, who penned this after the announcement:
Allo uses end-to-end encryption, too — at least via an incognito mode (just like Chrome!). You’ll also be able to decide how long messages stick around.
If you’re looking for something similar, Allo is a bit like a private, semi-automated Facebook social layer that you can use privately.
Comments made by Google representatives we spoke with after the event suggested that the data sent and received by Allo would be stored, albeit ‘transiently’ on its own servers, meaning: Google won’t keep your chat logs in a place where they could be subpoenaed and it doesn’t assign an identity to the stored messages. Or, you could enable Incognito Mode to encrypt the conversation end-to-end and Google can’t read it at all.
Months later, Google backed off of the previously announced privacy feature and opted to store all non-Incognito messages by default. This is a complete 180 from its original plan and it never formally announced the change. In fact, we only found out after Allo’s public launch.
As it stands, Allo is currently on par with most chat applications, in that it uses HTTPS to secure transmission between devices. Put simply, it’s mostly safe from hackers, but the data is readily available at Google datacenters and readable by anyone with the clearance to do so. Like Snowden said, it’s essentially a honeypot for three letter government agencies. The information is stored in an identifiable way and just waiting for a subpoena to access it. As Snowden pointed out, it’s not like the subpoenas are difficult to get; the US foreign intelligence surveillance court approved all of nearly 1,500 communication intercept requests made by the NSA and FBI last year.
That’s not to say Allo is completely unsafe. When enabled, Incognito Mode uses the same encryption protocol as Signal, which Snowden previously vouched for. By default though, it’s basically a grab bag of awful. Maybe it’s best to stick with known commodities in the security space and avoid shiny new toys like Allo.
04-10-2016, 20:59 #6
Hello, hello, cynicism and hypocrisy. Big hug.

The version of Allo rolling out today will store all non-incognito messages by default — a clear change from Google’s earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app.
According to Google, the change was made to improve Allo's smart reply feature, which generates suggested responses to a given conversation. Like most machine learning systems, the smart replies work better with more data. As the Allo team tested those replies, they decided the performance boost from permanently stored messages was worth giving up privacy benefits of transient storage.
The decision will also have significant consequences for law enforcement access to Allo messages. By default, Allo messages will now be accessible to lawful requests, similar to message data in Gmail and Hangouts and location data collected by Android.
05-10-2016, 16:55 #7
Yahoo Slams Email Surveillance Story: Experts Demand Details
October 5, 2016
Bombshell revelations that Yahoo conducted mass email surveillance are raising hackles among legal, civil liberties and security experts who demand Yahoo and the U.S. government come clean. Meanwhile Yahoo challenged the accuracy of Tuesday’s report by Reuters.
“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems,” Yahoo said in a statement.
The Electronic Frontier Foundation and others say the Reuters report, while incomplete, drives more distrust between US citizens, government spy agencies and one of the nation’s largest Internet companies. They assert, whatever the truth, American citizens have a constitutional right to know the truth.
“There’s still much that we don’t know at this point, but if the report is accurate, it represents a new—and dangerous—expansion of the government’s mass surveillance techniques,” said Andrew Crocker and Mark Rumold, attorneys with the EFF in a post responding to the Yahoo revelation.
Reuters reported Tuesday that last year Yahoo had created an internal program to scan “all arriving messages” to Yahoo email inboxes for “a set of characters.” According to three Reuters sources, the request was made by either the National Security Agency or the FBI. It’s also unknown what the officials were looking for.
According to the Reuters report, the surveillance program was discovered by Yahoo’s security team in May 2015. The report claims the Yahoo security team initially believed hackers had infiltrated its system.
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.
If the report is true, the surveillance would be unprecedented in scope and go beyond NSA’s PRISM program, revealed by Edward Snowden in 2013, according to the EFF. “This is the first public indication that the government has compelled a U.S.-based email provider—as opposed to an Internet-backbone provider—to conduct surveillance against all its customers in real time,” it wrote.
The Yahoo surveillance program represents a troubling new twist to government surveillance, the EFF believes.
Under the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to hand over customer data to aid foreign intelligence-gathering efforts in an effort to prevent terrorist attacks and for a variety of reasons.
The EFF said the government has said these programs only “target” foreigners outside the U.S. and wouldn’t impinge on American citizens’ constitutional rights. “Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely domestic communications involving millions of Yahoo users,” Crocker and Rumold state.
Ironically, in 2007 Yahoo fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant.
According to statements from leading Internet companies Microsoft, Twitter, Google, Facebook and Apple, the government surveillance program highlighted by Reuters appeared to single out Yahoo.
Twitter spokesperson Nu Wexler said: “We’ve never received a request like this, and were we to receive it we’d challenge it in a court. Separately, while federal law prohibits companies from being able to share information about certain types of national security related requests, we are currently suing the Justice Department for the ability to disclose more information about government requests.”
A spokesperson for Google said in a statement, “We’ve never received such a request, but if we did, our response would be simple: ‘No way’.”
“We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo,” Microsoft said in a statement.
For its part Yahoo, reacting to the Reuters story, issued the initial statement, “Yahoo is a law abiding company, and complies with the laws of the United States.”
Still Robert Graham, a security researcher and the owner of Errata Security, says there are too few details regarding the revelations to draw solid conclusions. Unclear to Graham, based on the Reuters report, is whether Yahoo searched all incoming emails or scanned email accounts. “Did they ‘search incoming emails’ or did they ‘scan mail accounts’?” he wrote in a blog post. He asserts there are still many big details that need to be better understood.
“The story is full of mangled details that really tell us nothing. I can come up with multiple, unrelated scenarios that are consistent with the content in the story,” Graham said.
One of those theories, posited by journalist and entrepreneur Declan McCullagh, is that the Department of Homeland Security “provided Yahoo with classified malware signatures to use when scanning incoming email.”
“This is very plausible. There is a lot of information sharing between government and private agencies,” said Tyler Shields, vice president of strategy at Signal Sciences, a web security firm. He explains, a government agency may have been investigating previously unknown malware used in a nation state attack, or similar. “It’s feasible that the DHS reached out to Yahoo with knowledge the malware was being used against one or many of its users. Further identifying other targets of the malware would help DHS determine the malware’s sender and authors.”
05-10-2016, 18:13 #8
U.S. Tech Giants Are Investing Billions to Keep Data in Europe
Facebook’s Lulea data center at the edge of the Arctic Circle in Sweden
Oct. 4, 2016
In the battle to dominate Europe’s cloud computing market, American tech giants are spending big to build up their local credibility.
Amazon Web Services, the largest player, announced last week that it would soon open multiple data centers in France and Britain. Google, which already has sites in countries like Finland and Belgium, is expected to finish a new multimillion-dollar data complex in the Netherlands by the end of the year.
And Microsoft, by some measures the second-largest cloud computing provider in Europe, said on Monday that it had spent $1 billion in the last 12 months to expand its offerings, taking its total investment in European-based cloud services to $3 billion since 2005.
“We’re building our global cloud infrastructure in Europe so it can be trusted by the multiple constituents,” Satya Nadella, Microsoft’s chief executive, said in an interview. “We can meet the data residency needs of our European customers.”
With many in Europe questioning why America’s largest tech companies control how many of the region’s 500 million citizens use everyday digital services, it is not surprising that the likes of Microsoft and Amazon are eager to play up their local roots.
As the European Union continues to clamp down on the perceived misuse of people’s digital information, analysts also say that many Silicon Valley giants are responding to these privacy concerns by increasingly offering individuals and companies the ability to keep information close to home, whereas in the past, data might have been stored solely in the United States.
“Countries like Germany are well aware of data privacy, and it has made them more wary of where data is kept,” said Gregor Petri, a cloud computing analyst at the technology research firm Gartner in Veghel, the Netherlands. “Local data sovereignty has become important, and American companies are now aware of that.”
There is also a more basic explanation for American companies’ expansion into European cloud computing: a growing amount of money to be made.
Europe’s market for so-called cloud application services, or software that is run virtually across the internet, is expected to more than double, to $16.1 billion, by the end of the decade, according to Gartner. That will still correspond to just one-third of the North American market, whose value is expected to reach $47 billion over the same period.
Despite that relatively small size, Europe’s market remains one of the largest for American cloud providers, many of which are increasing investments worldwide as companies and individuals increasingly rely on cloud-based services — such as iCloud, from Apple, and Dropbox, the online storage company — in their daily lives.
In 2014, for instance, Amazon opened a number of data centers in Germany, partly in response to that country’s strict privacy laws. Last year, Microsoft followed suit, teaming up with Deutsche Telekom — the local carrier and the owner of T-Mobile — which has control of the sites, again to comply with German legislation. (Microsoft charges a premium for the service.)
In an interview, Rainer Strassner, manager of Microsoft’s cloud program in Germany, said the country’s law protected data stored on the servers there from information requests by foreign governments, including the United States.
“All the data stays in Germany,” he said. The company recently won an appeal against the United States government, which had tried to obtain digital information held in a Microsoft data center in Ireland.
While such investments have focused primarily on business customers, other American tech companies have made similarly large investments aimed at speeding up digital services for everyday users across the 28-member European Union.
Apple, which has faced a number of European regulatory issues, including a demand that it repay $14.6 billion in back taxes to Ireland, is spending almost $2 billion building two data centers in the region. The facilities, its first such centers in Europe, will open in Denmark and Ireland by early 2018.
Facebook is also working on its own Irish cloud computing center, while expanding an existing site in Sweden.
“We’re starting deep in the forests of northern Sweden with the Lulea data center,” Mark Zuckerberg, the company’s chief executive, wrote on his Facebook page on Wednesday when talking about Facebook’s tech investments. “You probably don’t think about Lulea when you share with friends on Facebook, but it’s an example of the incredibly complex technology infrastructure that keeps the world connected.”
05-10-2016, 22:29 #9
Yahoo email scanning prompts European ire
Oct 5, 2016
Yahoo's decision to scan clients' email accounts at the behest of the U.S. authorities has prompted questions in Europe as to whether EU citizens' data had been compromised, and could help derail a new trans-Atlantic data sharing deal.
Reuters reported on Tuesday that Yahoo complied with a classified U.S. government demand to search customers' incoming emails for specific information provided by U.S. intelligence officials.
Ireland's Data Protection Commissioner, the lead European regulator on privacy issues for Yahoo, said on Wednesday it was making enquiries about the matter.
European politicians called on the European Commission, the European Union’s executive body, to look into the issue and lawyers said a legal challenge to the new EU-U.S. data sharing deal agreed earlier this year was now more likely in Europe.
"Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern," the regulator in Dublin, where Yahoo's European headquarters is based, said in a statement.
Yahoo said in response to the original Reuters story that it was "a law abiding company, and complies with the laws of the United States".
It declined to confirm whether it scanned users' emails or to say whether Europeans' emails were intercepted as part of the program.
Johannes Kleis a spokesman with BEUC, an umbrella group for European consumer organizations, called on other EU data protection authorities to investigate Yahoo.
Fabio de Masi, a German member of the European Parliament with the leftist Die Linke party, said he had submitted a formal request to EU High Representative for External Affairs Federica Mogherini asking her to seek clarification from U.S. authorities about the treatment of EU data.
Ashley Winton, a data protection and privacy lawyer with Paul Hastings, said the revelations that Yahoo had helped the authorities scan user emails could prompt clients to ditch Yahoo.
In addition to retail users in Europe, Yahoo also provides email services for other companies, including UK-listed groups Sky Plc and BT Plc.
Sky did not respond to a request for comment. When asked about the matter, BT referred to Yahoo’s comment about being a law abiding group.
In February, the United States and Europe published a new deal -- the so-called 'Privacy Shield' -- to allow U.S. companies to move data on EU clients to the United States.
The full list of all companies which have applied to benefit from the Privacy Shield has not yet been published as a deadline for early applications passed just last week.
Yahoo declined to say whether it hoped to be able to participate in the new arrangement, which has been criticized by some European politicians as not offering enough protection to consumers against mass surveillance by U.S. intelligence agencies.
Winton said EU data regulators would probably deem the kind of scanning the sources told Reuters that Yahoo had engaged in last year -- sifting through millions of emails for those with specific characteristics -- as being not consistent with the terms of the Privacy Shield.
As part of the Privacy Shield, the United States has ruled out indiscriminate mass surveillance, a European Commission spokesman said.
"The U.S. will be held accountable to these commitments both through review mechanisms and through redress possibilities," he added.
Yahoo could use other legal mechanisms to transfer data to the United States from Europe but these are more complicated and involve additional expense, lawyers said.
Winton added that the Yahoo news increased the chances of a legal challenge in Europe against the agreement.
(Additional reporting by Padraic Halpin in Dublin, Eric Auchard in Frankfurt and Julia Fioretti in Brussels; Editing by Alexandra Hudson and Gareth Jones)
06-10-2016, 12:59 #10
Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter
An episode of the series "Acredite Se Quiser" (Believe It or Not).
By CHARLIE SAVAGE and NICOLE PERLROTH
OCT. 5, 2016
A system intended to scan emails for child pornography and spam helped Yahoo satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization, several people familiar with the matter said on Wednesday.
Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year. Yahoo was barred from disclosing the matter.
To comply, Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.
With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, those two people said.
The order was unusual because it involved the systematic scanning of all Yahoo users’ emails rather than individual accounts; several other tech companies said they had not encountered such a demand.
News of the order has opened a new chapter in a public debate over the trade-offs between security needs and privacy rights that has cast a spotlight on the sometimes cooperative, sometimes antagonistic relationship between Silicon Valley companies and the United States government.
It comes six months after a standoff between the F.B.I. and Apple, in which the government obtained a federal magistrate's order to force the company to help it unlock an encrypted iPhone from one of the attackers in the December mass shooting in San Bernardino, Calif. The F.B.I. gave up the fight with Apple after it found a way into the iPhone without the company’s help.
By contrast, Yahoo cooperated with the Foreign Intelligence Surveillance Court order, although the technical burden on the company appears to have been significantly lighter than the one the F.B.I. placed on Apple.
Details of Yahoo’s cooperation with the court order come two weeks after the company reported that hackers had broken into its computer network, stealing the credentials of 500 million users. Yahoo engineers discovered the breach this summer, two years after it had occurred, and just weeks after Verizon Communications announced plans to buy the troubled internet company for $4.8 billion.
The two government officials familiar with the matter said the digital signature Yahoo was ordered to look for last year was individually approved in an order issued by a judge, who was persuaded that there was probable cause to believe that it was uniquely used by a foreign power.
Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the officials said.
The officials’ description of the unusual surveillance operation carried out at Yahoo shed new light on a report by Reuters that has attracted widespread attention and provoked outrage among privacy and technology specialists.
The Reuters article reported that in response to a “broad demand” from the government, Yahoo had “secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials.”
According to the government officials, Yahoo was served with an individualized court order to look only for code uniquely used by the foreign terrorist organization. Two sources, including one of the officials, portrayed it as adapting the scanning systems that it already had in place to comply with that order rather than building a brand-new capability. The other official did not comment on the technology. The officials did not name the terrorist organization.
Asked on Wednesday about the information obtained by The New York Times, Suzanne Philion, a Yahoo spokeswoman, said the company had nothing further to say. Earlier in the day, the company said in a statement that the Reuters article was “misleading.”
“We narrowly interpret every government request for user data to minimize disclosure,” the Yahoo statement said. “The mail scanning described in the article does not exist on our systems.”
Richard Kolko, a spokesman for the Office of the Director of National Intelligence, declined in a statement to discuss specific foreign intelligence collection techniques, but referred to the Foreign Intelligence Surveillance Act, or FISA.
“Under FISA, activity is narrowly focused on specific foreign intelligence targets and does not involve bulk collection or use generic key words or phrases,” he said. “The United States only uses signals intelligence for national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people.”
Technology companies like Yahoo, Google and Microsoft scan for child pornography and are required to report any discoveries to the National Center for Missing and Exploited Children. They similarly search traffic for malware and spam, which companies disclose in their terms of service.
There is no engineering limitation preventing technology companies from using their spam and child pornography filtering systems to search email traffic for other sorts of digital signatures, said Hany Farid, chairman of the computer science department at Dartmouth, who helped develop the child pornography scanning system with Microsoft.
But the use of that technology to carry out an order from the Foreign Intelligence Surveillance Court to search for a digital signature used by a foreign power is rare, and one of the officials portrayed it as innovative.
“This is another example of how the government is pushing secretly novel or innovative interpretations of surveillance law” to conduct wiretapping in broader ways than the public realizes, said Jennifer Granick, the director of civil liberties at the Stanford Law School Center for Internet and Society.
The government has not released any intelligence court opinion explaining how the judge interpreted FISA to authorize such surveillance. Although Congress in June 2015 enacted a law that required the government to make public novel and significant rulings by the court, the order to Yahoo appears to have predated that legislation, the USA Freedom Act, by several months.
Yahoo has an inconsistent record with meeting government data demands. In 2007, the company settled a lawsuit related to allegations that it helped the Chinese government crack down on journalists by passing along their Yahoo emails.
But that year, the firm fought a legal battle, then secret, before the Foreign Intelligence Surveillance Court, challenging a mandate that it turn over, without a warrant, emails from user accounts the F.B.I. and the National Security Agency said belonged to noncitizens abroad who had been targeted for surveillance.
That litigation became an important test of whether Congress could legalize the Bush administration’s warrantless surveillance program through the Protect America Act and, later, the FISA Amendments Act. Ultimately, the intelligence court ruled against Yahoo, and after being threatened with a huge fine, the company cooperated.
Yahoo was not able to clarify details of the Reuters article on Tuesday because orders from the Foreign Intelligence Surveillance Court are secret by law, and an increasing number of other government requests come with gag orders that prohibit tech companies from even acknowledging they exist.
Tech companies complain that such gag orders make it impossible for them to explain to customers what sort of data they do and do not turn over. Twitter and Microsoft have separately sued the Justice Department over the gag order practice, and both cases are pending.
Dozens of other companies have filed briefs in support of Microsoft. In its brief, Apple said it had received about 590 gag orders, of unlimited or indefinite durations, in the first eight months of 2016.
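The Times account above (an existing scan-all-inbound filter that already looked for spam, malware and known child-abuse imagery, retargeted with one more "signature" and a step that sets a copy of each hit aside) is, from an engineering standpoint, exactly what Hany Farid says it is: a rule set over parsed messages with no built-in limit on what the rules look for. The following is an added illustration written for this thread, not Yahoo's code and not any system the articles describe. The rule names, the sample messages, the blocked hash and the "signature" token are all constructed for the example; SHA-256 stands in for the perceptual hash a real image filter would use.

```python
"""Minimal inbound-mail signature scanner (illustrative; not Yahoo's code).

Every rule is a predicate over the parsed message. Retargeting the
pipeline to a new "signature" is one more entry in the rule table, not a
new system, which is the point the articles are circling.
"""
import hashlib
import re
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable, Dict, List, Optional, Set, Tuple

Rule = Callable[[EmailMessage], bool]


def attachment_hash_rule(known_hashes: Set[str]) -> Rule:
    """Shape of a malware/CSAM filter: hash every attachment, match a block list."""
    def check(msg: EmailMessage) -> bool:
        for part in msg.iter_attachments():
            payload = part.get_payload(decode=True) or b""
            if hashlib.sha256(payload).hexdigest() in known_hashes:
                return True
        return False
    return check


def text_pattern_rule(pattern: str) -> Rule:
    """Shape of a spam keyword filter, or of a search for a fixed string."""
    rx = re.compile(pattern)
    def check(msg: EmailMessage) -> bool:
        for part in msg.walk():
            if part.get_content_maintype() == "text" and not part.is_attachment():
                if rx.search(part.get_content()):
                    return True
        return False
    return check


@dataclass
class Scanner:
    rules: Dict[str, Rule]
    retained: List[bytes] = field(default_factory=list)  # copies set aside for later retrieval

    def scan(self, raw: bytes) -> List[str]:
        """Return the names of all rules that fire; keep a copy of any hit."""
        msg = message_from_bytes(raw, policy=policy.default)
        hits = [name for name, rule in self.rules.items() if rule(msg)]
        if hits:
            self.retained.append(raw)  # the "store and make available" step
        return hits


def build_sample(subject: str, body: str, attachment: Optional[bytes] = None) -> bytes:
    """Construct a sample RFC 5322 message for the demo (constructed data)."""
    m = EmailMessage()
    m["From"] = "alice@example.net"
    m["To"] = "bob@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="blob.bin")
    return m.as_bytes()


# Constructed block-list entry and hypothetical "signature" token.
BLOCKED_BLOB = b"constructed-sample-attachment-bytes"
BLOCKED_HASH = hashlib.sha256(BLOCKED_BLOB).hexdigest()
SIGNATURE_TOKEN = "HYPOTHETICAL-SIGNATURE-TOKEN-0001"  # placeholder, not a real indicator


def demo() -> Tuple[Dict[str, List[str]], int]:
    scanner = Scanner(rules={
        "known_bad_attachment": attachment_hash_rule({BLOCKED_HASH}),
        "spam_keyword": text_pattern_rule(r"(?i)cheap\s+pills"),
    })
    # Retargeting the existing pipeline: one added rule, same scan loop.
    scanner.rules["fisa_signature"] = text_pattern_rule(re.escape(SIGNATURE_TOKEN))

    samples = {
        "clean": build_sample("lunch", "See you at noon."),
        "spam": build_sample("offer", "Buy cheap pills now!"),
        "bad_attachment": build_sample("file", "Here is the file.", BLOCKED_BLOB),
        "signature": build_sample("hi", "ref " + SIGNATURE_TOKEN + " attached"),
    }
    results = {label: scanner.scan(raw) for label, raw in samples.items()}
    return results, len(scanner.retained)


if __name__ == "__main__":
    for label, hits in demo()[0].items():
        print(f"{label:15s} -> {hits}")
```

The practitioner's caveat is the one Farid and Granick make between them: nothing in `Scanner` distinguishes an anti-abuse rule from a surveillance rule, so the only control points are the rule table itself (who can add to it, and whether additions are logged and reviewed) and the retention list (what is kept, for whom, for how long). A change-controlled, audited rule set is what turns "the filter can match anything" into something a security team can actually vouch for.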