This story has been updated.
Yahoo in April of last year began secretly scanning the incoming emails of its hundreds of millions of users to comply with an order from the U.S. intelligence community, a move that prompted at least two company officials to leave, according to a former Yahoo employee familiar with the matter.
The company’s decision not to fight the order from intelligence officials caused Yahoo’s then-chief information security officer Alex Stamos to resign last year — and at least one other security staffer left the company — due to ethical concerns about the surveillance program, according to the person, who spoke on the condition of anonymity because the matter was confidential. Reuters, citing unnamed former employees, first reported the news Tuesday.
The government's demand to scan email in real time alarmed privacy advocates, as did Yahoo's compliance with such a broad order. Patrick Toomey, a staff attorney with the American Civil Liberties Union, called the order “unprecedented and unconstitutional.”
“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” he said in a statement.
Google, which runs Gmail, said in a statement: “We've never received such a request, but if we did, our response would be simple: 'no way'." Microsoft, another major email provider, said, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” Apple, in a statement said, “We have never received a request of this type. If we were to receive one, we would oppose it in court.”
It was unclear which intelligence agency directed Yahoo to scan emails, the person familiar with the matter said. It’s also unknown what the government officials were looking for and what, if any, data Yahoo turned over to the government, the person said. The Office of the Director of National Intelligence did not respond to a request for comment.
“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a statement Tuesday.
In a second statement sent Wednesday morning after this story was first published, Yahoo called the Reuters story “misleading” and said that it narrowly interprets government data requests to minimize the disclosure of users' information. “The mail scanning described in the article does not exist on our systems,” Yahoo's second statement said.
The company has fought a previous government request for data. In 2007, Yahoo unsuccessfully argued as unconstitutional an intelligence community demand that it hand over user communications to and from foreign targets without individual search warrants.
The challenge was heard in the secretive Foreign Intelligence Surveillance Court and some details about the case have remained under seal. But documents declassified in 2014 showed that the government threatened Yahoo with a massive $250,000 per day fine if it did not comply.
But Yahoo chief executive Marissa Mayer’s decision to obey the order last year upset Stamos and some other senior executives, according to Reuters. Instead of looping in the security team, Mayer turned to the Yahoo’s email engineers to develop the software, Reuters reported. That decision led to a programming error that left all Yahoo email vulnerable to hackers, the former Yahoo employee said.
When reached via Twitter direct message, Stamos, who is now Facebook’s chief security officer, said, “I'm not commenting at all.”