Yahoo, a company that has been plunging further and further downhill for a long time, was complicit in a government plot to spy on every single email that its customers received, new reporting revealed. The scope of the spying — not to mention how poorly and insecurely it was implemented — drove the company’s chief information security officer to quit.
The startling revelations were unearthed by Joseph Menn of Reuters, who spoke to sources claiming that Yahoo was approached by U.S. intelligence officials in 2015 and asked them to scan “hundreds of millions of Yahoo Mail accounts.” Rather than fight the order, as companies like Google say they would’ve done, Yahoo’s Chief Executive Marissa Mayer decided to go along with it.
This is the first instance of a major company agreeing to such a sweeping, invasive request, rather than a much more selective, reactionary scan. It’s disconcerting, to say the least, and there were people at Yahoo last year who agreed. Alex Stamos, who was the company’s chief information officer, quit in response.
Stamos, who currently holds Facebook’s top security job, reportedly was driven to quit not just because of the invasive, almost cowardly nature of Yahoo’s decision, but because it was so unsafe. The security team was cut out of the loop completely when Mayer asked Yahoo engineers to write new software that would scan all incoming email for character strings used by possible spies.
In fact, the security team only learned about the software in May, two weeks after it was implemented, when they discovered the program and feared they’d been hacked themselves.
Stamos left Yahoo in June, and while his announcement that he was ditching the company for Facebook stated only that he “had a wonderful time at Yahoo,” sources told Reuters that he resigned after learning he and his security team — increasingly justly known as “the Paranoids” — hadn’t been consulted.
He reportedly told his team that hackers could’ve accessed customers’ flagged, stored emails due to a programming flaw in the spying software.
Stamos declined a Reuters request for an interview, so it’s unclear why he didn’t, you know, say something, but he probably still deserves credit for standing on some kind of principle. There really aren’t many heroes in this story.
Meanwhile, 500 million Yahoo users were hacked back in 2014. Changing your Yahoo password and/or deleting your account seems like good advice these days.