Yahoo Inc. reportedly built a program allowing the U.S. government to scan millions of customers' emails for a specific phrase last year, raising questions in the tech industry about why Yahoo didn't fight the demand.
Generally, tech firms have sought to bring more transparency to government surveillance orders across the world. But Yahoo not only secretly complied with the broad demand to search all incoming messages, but also dedicated its own staff to craft custom software to help facilitate the investigation, the news agency Reuters reported Tuesday.
The report, which cited anonymous former employees and a person with knowledge of the situation, didn't identify the search term but narrowed down the searching party to either the National Security Agency or FBI.
Yahoo Chief Executive Marissa Mayer's decision to obey the demand apparently led to a major security hole in Yahoo's email system, which frustrated the company's security chief enough that he soon defected to Facebook.
Now, privacy advocates and a federal lawmaker are piling on.
"It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order because customers are counting on technology companies to stand up to novel spying demands in court," Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.
Rep. Ted Lieu (D-Torrance), a member of a national security subcommittee, said "private sector companies and private citizens are not an arm of law enforcement or an extension of our intelligence agencies."
Earlier this year, Apple Inc. successfully fended off a demand from the FBI that would have seen it develop software to unlock a cellphone used by one of the attackers in last year's San Bernardino shooting. Apple voiced concerns about opening a security gap in its devices.
Yahoo publicly has championed similar practices to protect its users. On a website for a tech industry group calling for reform of government surveillance laws, Mayer is quoted: "Recent revelations about government surveillance activities have shaken the trust of our users, and it is time for the United States government to act to restore the confidence of citizens around the world."
In a brief statement to Reuters, the company said it "complies with the laws of the United States."
The report comes the month after Yahoo acknowledged that at least 500 million email accounts were comprised in a 2014 data breach.
It's not surprising for the NSA or the FBI to be asking a company like Yahoo to search incoming messages, Stewart Baker, a former NSA general counsel, said in a telephone interview. Now that more Internet traffic has been encrypted by tech companies, it makes sense that the NSA and FBI would tell firms the only way to get that information is for the firms themselves to search incoming traffic for specific terms and hand over relevant messages to authorities.
"If they can't do it wholesale, they must do it retail and have a company do the search and hand over only the relevant information," Baker said.