National Security Agency Director Adm. Michael Rogers and Yahoo are both denying a Reuters report that the agency secretly ordered the company to search every incoming email, but the New York Times has confirmed important elements of the story.
“That would be illegal,” Rogers said Wednesday of the mass surveillance described in the Reuters article. “We don’t do that, and no court would ever grant us the authority to do that. We have to make a specific case. And what the court grants is specific authority for a specific period of time for a specific purpose. It’s not a blanket [authority, allowing us to search] just everything.”
Speaking at the Aspen Institute’s Cambridge Cyber Summit at MIT, Rogers called the Reuters article, which said special software was built by Yahoo engineers to scan incoming email for a specific character string, “a little speculative.”
“We have a legal framework in this nation,” Rogers said, “that enables the government … for specific reasons, under specific conditions, to make a case before a judge in which we’re able to show … that there is threat here to the United States associated with specific individuals and a judge grants, simplistically, authority for a specific purpose for a specific period of time to access data. And the court order is then given to the private sector to execute.”
The New York Times reported Wednesday afternoon that the character string was some kind of digital signature for “a communications method used by a state-sponsored, foreign terrorist organization.” It cited an anonymous government official, who said the secret order was issued by a judge on the Foreign Intelligence Surveillance Court, or FISC.
The Times reported that Yahoo engineers, rather than building a special system, modified existing software used to scan incoming email for spam, malware and images of child pornography. The company gave copies of any message containing the signature to the FBI, but the collection is no longer taking place.
The Times said that the scanning for child pornography was a requirement of federal law, and that the scanning for spam and malware was covered under under Yahoo’s terms of service. In fact, federal law requires only that email and other communications providers report to the National Center for Missing and Exploited Children if they “obtain actual knowledge” of child exploitation offenses. The law allows them to use digital signatures provided by the center to scan emails but doesn’t require it.
In a brief statement released earlier Wednesday, Yahoo called the Reuters story “misleading,” adding that they interpret government orders for user data “narrowly” so as to minimize the amount of data they have to disclose. “The mail scanning described in the article does not exist on our systems,” the statement concludes.
Several other large email and social media providers, including Facebook, Twitter, Google and Microsoft, have also issued carefully worded denials.
The denials, in part because of their careful wording, drew skepticism from privacy advocates. “Yahoo has a history of putting out carefully written, deceptive denials when it comes to NSA surveillance,” tweeted ACLU’s Chris Soghoian Wednesday.
“It’s shocking, post the Snowden revelations and the reforms that were trumpeted after that, to see this kind of mass [domestic] surveillance,” Alan Butler, senior counsel at the Electronic Privacy Information Center told CyberScoop Tuesday.
The Reuters story did not say what information the company handed over, what character string the government was searching for, or if any other email providers were slapped with similar government directives.
Section 702 surveillance
Section 702 of the 2008 FISA Amendments Act — the legal basis for the PRISM internet mass surveillance program revealed by NSA contractor Edward Snowden — gives the director of national intelligence and the attorney general the power, under an annually renewed mandate from the Foreign Intelligence Surveillance Court, or FISC, to issue secret directives to Internet companies to hand over customer data.
In 2011, according to a legal opinion declassified after the Snowden mega-leak, FISC presiding judge John D. Bates found certain aspects of the 702 program “deficient on statutory and constitutional grounds.”
“Bates found that some methods [the government was using] were effectively searching too much domestic email traffic,” said Butler. “The program had to be changed,” so that it was essentially only searching for emails to and from certain addresses.
“Why was this [newly revealed Yahoo collection] allowed and that wasn’t?” asked Butler of the Bates opinion. “Well, the answer is we don’t know if it was allowed because the company never challenged it … Under 702, the court doesn’t get to look at the case unless the company challenges it,” he said.
The Yahoo directive is the first known instance of a company using special software to search its customers’ data for U.S. intelligence agencies. Under the PRISM program, the NSA combed internet traffic for communications to or from certain individuals, but that traffic was monitored on global internet pipelines or collected for further search.
That program “didn’t co-opt the email providers as an agent of the government” like the Yahoo special search software did, Butler pointed out.
Sen Ron Wyden, D-Ore., has long campaigned for the reform of section 702, which he has said “has a significant impact on Americans’ privacy.”
“The FISA court has publicly stated that tens of thousands of wholly domestic communications are caught up under 702 collection every year and that the potential number of Americans impacted is even larger than that,” Wyden told CyberScoop via email.
He said the new Yahoo revelations were especially disturbing because it was unclear what kind of search term was being used. Following the Bates judgment, the exact way search terms are deployed is clearly of constitutional significance, and the government ought to come clean about any changes.
“The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers,” Wyden said. “If that has changed, the executive branch has an obligation to notify the public.”
Reformers using sunset
Section 702 authorities were designed with a sunset and will expire at the end of 2017 unless Congress renews them, pointed out Andrew Crocker, a staff attorney with the Electronic Frontier Foundation.
This means that lawmakers who want to reform 702 don’t have to get a bill to the floor, they just have to wait for the reauthorization to be brought up.
“I hope that these revelations add fuel to the demands for reform,” said Crocker.
At the White House press briefing Wednesday, Spokesman Josh Earnest made a spirited defense of section 702, while not commenting on the Reuters story specifically.
“Collection under [the Foreign Intelligence Surveillance Act or] FISA is subject to rigorous oversight from all three branches of government,” he told reporters. “Under FISA, activity is narrowly focused on specific foreign intelligence targets and does not involve bulk collection or the use of generic key words or phrases.”
He added that U.S. agencies only eavesdrop email and other electronic communications “for national security purposes and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people, and certainly not of law abiding American citizens.”
Nonetheless, critics have seized on the Yahoo revelations as ammunition to advance their efforts to reform the law.
Rep. Ted Poe, R-Texas, a member of the House Judiciary Committee told Morning Consult Wednesday that “We have the votes in Judiciary on a bipartisan basis to narrow 702 or eliminate it.”
“It’s pretty clear now that it’s just being abused by the NSA, and it may come to the point that we have to eliminate 702 completely if the NSA doesn’t quit abusing it,” Poe said. “The law right now doesn’t give them the authority to do the dragnet approach and collect all of these emails from a provider based on a certain word.”
A House Judiciary aide told Morning Consult that the committee will hold an oversight hearing on Section 702 either this year or in early 2017.
According to Reuters, the special search software was approved by Yahoo CEO Marissa Mayer after executives determined the company would lose a legal battle before the FISC. Alex Stamos, Yahoo’s Chief Information Security Officer at the time, was not made aware of the custom search program, and resigned in May 2015.
The company lawyers might have had good reason to conclude they would lose, noted Butler. They had lost an earlier FISC challenge to internet mass surveillance powers in 2007-8. That case, known as In re: directives, could have drained company coffers, as the government asked for fines of $250,000 per day — doubling every week — for non-compliance with the secret surveillance order.
“The government pushed for crippling fines,” said Butler, adding that was important context to consider when assessing the company’s reaction to the 2015 order.
Nonetheless, Butler said he expected that “This [revelation] will get traction domestically … I think [officials] will struggle to explain why this [directive] doesn’t have exactly the problem that Judge Bates identified in 2011 … too much domestic communication being swept up and searched.”
The email bombshell comes during a delicate time for Yahoo. Last month, it was revealed that User details from more than 500 million Yahoo accounts— including names, birth dates and encrypted passwords — were stolen nearly two years ago. The company has blamed state-sponsored hackers.
Additionally, Verizon is in the process of acquiring Yahoo in a deal worth around $4.8 million.
Verizon declined comment on the Reuters report.