If the recent "state sponsored" Yahoo hack wasn't enough motivation for users to stop using their services, the latest news about Yahoo should be. Joseph Menn, a reporter at Reuters, just revealed that Yahoo created a custom email wiretap service for the US government.
Last year, Yahoo complied with a classified government directive to create a software program to search all of its customers' incoming emails. What exactly they were searching for remains classified. However, we do know that the search was targeted towards a certain "set of characters," according to Menn.
This form of surveillance appears to be much broader than other United States data collection services such as PRISM or Upstream, with scanning occurring in real time and being directed at all users of the service, according to Andrew Crocker, an attorney with the Electronic Frontier Foundation (EFF).
Yahoo's own internal security team was not even made aware of this program. The project was developed in-house without notifying or including the security team. When the program went live in May 2015, the team thought they had been hacked. Upon discovery of the wiretapping, Chief Information Security Officer Alex Stamos resigned (he now works at Facebook).
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
This raises the possibility that the same request was made to other large service providers. When asked to comment, Apple declined, instead pointing to a recent letter from CEO Tim Cook about privacy.
Finally, I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.
A Google spokesperson stated that they had never received such a request, but if they did, the answer would be no. Microsoft said that they have never engaged in the secret scanning of email traffic, while Twitter stated that they had never received such a request, but if they did, they would fight it in court.
Yahoo is a law abiding company, and complies with the laws of the United States.
If this doesn't make you want to delete your Yahoo account, I don't know what will. Either way, it's fairly simple to terminate your account when you're ready to—just follow Yahoo's helpful guide on the subject. Of course, that might be too little too late. This particular surveillance program has been in effect for over a year—and this is the first we're hearing of it. Plus, your emails may be stored for at least 90 days, since Yahoo allows users to reactivate accounts.
With so much information up for grabs and the opaque nature of government surveillance, it's more important than ever to encrypt your data. If you are unsure how to protect yourself, I recommend reading Adam Billman's article on GPG4Win. (GPG stands for GNU Privacy Guard, a public key encryption program.) If you aren't using Windows, the GPG site offers a wealth of information.