Yahoo E-Mail Scan Just Tip of the Surveillance Iceberg

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Oct. 6 — Yahoo! Inc.'s alleged user e-mail scanning for the government is but one example of the increasing frequency and scope of official demands for consumer data, a cybersecurity analyst told Bloomberg BNA.

The government's surveillance will “only increase in scope because every time a new technology comes out that makes surveillance more difficult, the government shifts its focus to other technologies and potential sources of evidence,” Edward J. McAndrew, a cybersecurity partner at Ballard Spahr LLP in Philadelphia, said

The “government has been using warrants and orders to get data from companies for years,” McAndrew said. What is different today is the extent to which companies are asked to comply, he said.

An Oct. 4 Reuters report alleged that Yahoo complied with U.S. government orders to scan hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or Federal Bureau of Investigation to search for a set of characters—which could mean a phrase in an e-mail or an attachment (15 PVLR 1981, 10/10/16). Following the report, Alphabet Inc.'s Google and Microsoft Corp. said Oct. 4 that they hadn't conducted similar e-mail scans. Yahoo said Oct. 5 that the news report was “misleading.”

Reuters also reported that Ireland’s Data Protection Commission plans to make inquiries about whether EU citizens’ data had been compromised. In 2015, the European Union's top court struck down an EU-U.S. data transfer mechanism following disclosures by Edward Snowden on the scope of NSA surveillance (14 PVLR 1825, 10/12/15).

More recently, the conflict between the U.S. government and tech companies over access to certain data was highlighted when the FBI tried to compel Apple Inc. to unlock an encrypted iPhone related to the San Bernardino, Calif. terrorist attack (15 PVLR 691, 4/4/16).

Third Parties

McAndrew also said that there are tremendous amounts and types of information available from third parties. “The role that third parties are being asked to play through subpoenas are changing,” he said.

The Electronic Frontier Foundation has said that if the reports on Yahoo's e-mail scanning are accurate, the government's demand “represents a new—and dangerous—expansion of the government’s mass surveillance techniques.”

The “sweeping warrantless surveillance of millions of Yahoo users' communications” violates the Fourth Amendment's prohibition against unreasonable searches, the privacy advocacy group said in a statement issued Oct. 4. “Surveillance like this is an example of ‘general warrants' that the Fourth Amendment was directly intended to prevent,” the EFF said.

Yahoo didn't immediately respond to Bloomberg BNA's e-mail request for comments.

Demands Beyond Tech Giants

The government's use of warrants or subpoenas isn't limited to large multinational corporations.

Recently, Open Whisper Systems—a nonprofit software group that developed encrypted instant messaging and voice calling application Signal— released a subpoena from the U.S. District Court for the Eastern District of Virginia.

The subpoena sought to compel Open Whisper Systems to provide information about two Signal users for a federal grand jury investigation. According to the company, however, Signal was designed to minimize data retention and the only information that it could have produced is the date and time a user registered with the app and the last date of a user's connectivity to the service.

“All message contents are end to end encrypted, so we don't have that information either,” it said.

McAndrew said that a company can't provide what it doesn't have or can't access. This is the first subpoena that Open Whisper Systems received and “that's why it's a big deal,” he said.

According to McAndrew, due to the platform and the data that they have, “technology companies are being asked to take a more active role.” By obtaining the data from these companies, government agencies are able to “make invisible connections between events” that would have been impossible to do so otherwise, he said.

Government data requests will “escalate in frequency and scope,” McAndrew said.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security