What Yahoo’s NSA Surveillance Means for Email Privacy

Updated October 7, 2016 with additional clarification and analysis of Yahoo’s denial

Dear ProtonMail Community,

Two weeks ago, we published a security advisory regarding the mass hacking of Yahoo. Unfortunately, due to recent events, we are issuing a second advisory regarding all US email providers.

What happened?

This week, it was revealed that as a result of a secret US government directive, Yahoo was forced to implement special surveillance software to scan all Yahoo Mail accounts at the request of the NSA and FBI. Sometime in early 2015, Yahoo secretly modified their spam and malware filters to scan all incoming email messages for the phrases in the court order and then siphoned those messages off to US intelligence. This is significant for several reasons:

 

  • This is the first known incident where a US intelligence directive has indiscriminately targeted all accounts as opposed to just the accounts of suspects. Effectively, all 500 million+ Yahoo Mail users were presumed to be guilty.
  • Instead of searching stored messages, this directive forced Yahoo to scan incoming messages in real-time.
  • Because ALL incoming email messages were targeted, this program spied on every person who emailed a Yahoo Mail account, violating the privacy of users around the world who may not even have been using a US email service.

 

What does this mean for US tech companies?

This is a terrible precedent and ushers in a new era of global mass surveillance. It means that US tech companies that serve billions of users around the world can now be forced to act as extensions of the US surveillance apparatus. The problem extends well beyond Yahoo. As was reported earlier, Yahoo did not fight the secret directive because Yahoo CEO Marissa Mayer and the Yahoo legal team did not believe that they could successfully resist the directive.

We believe that Yahoo’s assessment is correct. If it was possible to fight the directive, Yahoo certainly would have done so since they previously fought against secret FISA court orders in 2008. It does not make sense that US surveillance agencies would serve Yahoo Mail with such an order but ignore Gmail, the world’s largest email provider, or Outlook. There is no doubt that the secret surveillance software is also present in Gmail and Outlook, or at least there is nothing preventing Gmail and Outlook from being forced to comply with a similar directive in the future.  From a legal perspective, there is nothing that makes Yahoo particularly vulnerable, or Google particularly invulnerable.

Google and Microsoft have come out to deny they participated in US government mandated mass surveillance, but under a National Security Letter (NSL) gag order, Google and Microsoft would have no choice but to deny the allegations or risk breaking US law (our analysis of Yahoo’s denial is at the bottom of this post). Again ,there is no conceivable reason US intelligence would target Yahoo but ignore Gmail, so we must consider this to be the most probable scenario, particularly since gag orders have become the norm rather than the exception.

In effect, the US government has now officially co-opted US tech companies to perform mass surveillance on all users, regardless of whether they are under US jurisdiction or not. Given the huge amount of data that Google has, this is a truly scary proposition.

How does this impact ProtonMail?

ProtonMail’s secure email service is based in Switzerland and all our servers are located in Switzerland, so all user data is maintained under the protection of Swiss privacy laws. ProtonMail cannot be compelled to perform mass surveillance on our users, nor be compelled to act on behalf of US intelligence. ProtonMail also utilizes end-to-end encryption which means we do not have the capability to read user emails in the first place, so we couldn’t hand over user email data even if we wanted to.

However, since email is an open system, any unencrypted email that goes out of ProtonMail, to Yahoo Mail for example, could potentially have been swept up by these mass surveillance programs and sent to US government agencies. This is why if you want to avoid having your communications scanned and saved by US government agencies, it is important to invite friends, family, and colleagues to use non-US email accounts such as ProtonMail or other email services offered by European companies.

What can the rest of the world do about this?

Unfortunately, the tech sector today is entirely dominated by US companies. Just like Google has a monopoly on search, the US government has a near monopoly on mass surveillance. Even without US government pressure, most US tech companies also have perverse economic incentives to slowly chip away at digital privacy.

This week, we have again seen how easily the massive amounts of private data retained by US tech companies can be abused by US intelligence for their own purposes. Without alternatives to the US tech giants, the rest of the world has no choice but to consent to this. This is an unprecedented challenge, but it also presents an unprecedented opportunity, particularly for Europe.

Now is the time for Europe to invest in its own tech sector, unbeholden to outside interests. This is the only way the European community can continue to safeguard the European ideals of privacy, liberty, and freedom online. It is time for European governments and citizens to act before it is too late.

The only chance for privacy to prevail against these attacks is for the global community to support a new generation of web services which protect privacy by default. These services, such as ProtonMail’s encrypted email service, must operate with a business model where users can donate or pay for services, instead of giving up data and privacy. The security community also has an obligation to make these new service just as easy to use as the ones they replace.

Services such as secure email, search, and cloud storage are now vital to our lives. Their importance means that for the good of all citizens, we need to develop private alternatives that are aligned with users, and free from corporate greed and government overreach. Crowdfunded services like ProtonMail are rising to the challenge, but we need more support from the global community to successfully take on better funded US tech giants. Privacy matters, and your support is essential to ensure the Internet of the future is one that protects our rights.

Best Regards,
The ProtonMail Team

You can get a free secure email account from ProtonMail here.

You can support our mission by upgrading to a paid plan or donating so that we can grow beyond email.

Analysis of Yahoo Denial:

Yahoo, like every other US tech company, has issued a denial, basically denying Reuter’s account of the mass surveillance. Here is Yahoo’s denial, word for word:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

It is curious that Yahoo’s response to this incident is only 29 words, but upon closer examination, it is a very carefully crafted 29 words. First, Yahoo calls the reports misleading. This is a curious choice of words because it does not claim that the report is false. Finally, Yahoo states that, “The mail scanning described in the article does not exist on our systems.” While this could be a true statement, it does NOT deny that the scanning could have been present on Yahoo’s systems in the past.

The same day as the Yahoo denial, the New York Times obtained independent verification of the Reuter’s story from two US government officials. This allowed the New York Times to confirm the following facts:

  • Yahoo is in fact under a gag order and from a legal standpoint, they cannot confirm the mass surveillance (in other words, they must deny the story or avoid making any statements that would be seen as a confirmation).
  • The Yahoo mass data collection did in fact take place, but the collection is no longer occurring at present time. Thus, we now understand the disingenuous wording of the last sentence in Yahoo’s statement.

Yahoo’s denial (or non-denial, as the case may be), followed immediately by confirmation by the NYT demonstrates the new reality that denials by US tech companies cannot really be taken at face value anymore. It is not that US tech companies are intentionally trying to mislead their customers, but many times, they have no choice due to the gag orders that now inevitably accompany any government requests. If statements from US tech companies turn out to be suspect (as in the Yahoo example), the likelihood of the public ever knowing the truth becomes highly unlikely, and this brings us to a dangerous place.

About the Author

Andy Yen

Andy is the Co-Founder of ProtonMail. He is a long time advocate of privacy rights and has spoken around the world about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

48 comments on “What Yahoo’s NSA Surveillance Means for Email Privacy

  • There are countless reasons to switch from Yahoo to ProtonMail, however ProtonMail still does not have a way to import Yahoo emails and does not have folders.

    That is a blocker for Yahoo users who want to switch over.

    Please add those features ASAP while the Yahoo issue is still on people’s minds, otherwise they will just move to Gmail, or if they are smarter then to other secure mail services.

    Reply
    • I’d love folders too.. However, Proton does have tags.. and filters. Meaning you can create tags for different emails associated with your account, setup a filter for a particular email and sort them that way.

      I don’t know how Yahoo works, but I guess you could mark all and forward them to your new mail?

      Reply
  • I really want to use ProtonMail and I really want to pay you for it. However, I can’t easily move off of GMail because I’ve got gigs of mail history there that I can’t leave behind. Please give me an import/migration tool and I will hand over my money immediately.

    Reply
      • I started the export process. Emails from 10 years ago. I’m not sure I want to import to anywhere else. I don’t search for them. Nice to have just in case, but other than that, I’ll put them on an encrypted cloud drive. (mega.nz). I could really use imap though.

        Reply
    • after I switched over from Windows10 to Ubuntu, I loaded Thunderbird, email desktop client. After registering my Google account, all my emails of the last 8-9 years were downloaded to my computer and put in Thunderbird.
      Just archived them all and closed the Google account in Thunderbird, as now I am using Protonmail.

      a reference to an older email.
      open Thunderbird, search for that email , copy paste into Protonmail and edit for usage

      Reply
      • Yes, I switched from Yahoo and it wasn’t that hard, just a bit labor intensive:

        (a) Log in to Yahoo email and start Thunderbird,
        (b) Open one of my Yahoo email cloud-based folders (I had 100+),
        (c) Move all emails from that folder back into the cloud-based Yahoo inbox,
        (d) Retrieve (download) the contents of the inbox using Thunderbird (i.e., move the cloud-hosted inbox contents to the local-drive inbox), and
        (e) Copy emails out of the local inbox back into an almost identical folder structure on my local drive.

        It took a few hours spread over a few days. Now I have decades of Yahoo emails archived locally, nothing on the Yahoo servers, and I exclusively use Protonmail going forward. I keep the Yahoo account open but only access it occasionally and only through Thunderbird. It’s my junk/spam account now.

        Protonmail is absolutely great, simple and effective, which is why I’m a paid subscriber. Thanks, Protonmail team!

        Reply
  • Yes. This is a BIG opportunity for non-U.S. entities to provide privacy solutions.

    If you are in the U.S. government, or a U.S. corporation, it is EXTREMELY important to report these illegal schemes by your employer. Report these schemes when they are even SUGGESTED by your superiors.

    It has never been SAFER to use encrypted email, Wikileaks, etc., when reporting these schemes. With encryption, you can forward VOICE communications, as well as text!

    If you are told to promote these illegal schemes, refuse. Your career and livelihood are in danger. You will be discovered, and left hanging in the wind by your superiors!

    Reply
  • Dear Protonmail,
    I would so much like to switch and host my domain email with you. However, until you can enable access from desktop clients, or else some kind of export procedure that is compatible with those software, what happens with Protonmail is vendor lock-in (our email is forever locked in the Protonmail vault with no way out) — which, in a way, similarly undermines our very trust in handing over our important data. We can only use the service for email we’re comfortable to lose eventually, which is inherently contradictory with the idea of choosing Protonmail as a trusted partner for our communications. This is about ownership of our data, and a key missing piece in the puzzle!
    In addition, there is an inaccuracy in your blog post: ProtonMail only uses end-to-end encryption between Protonmail users, or for specially-implemented outgoing messages, *not* for incoming messages from other providers — in that case it is at best only encrypted between email gateways (not end-to-end), and also there is a large part of email parties that still don’t support Encrypted SMTP, so it is well established that Five Eyes agencies have been snooping all exchanged email already for a couple decades by plugging onto telecom links (Echelon infrastructure), regardless of whether email is stored encrypted inside the Protonmail servers.
    So, the lessons that this whole US debacle is teaching us, I believe, are:
    1) Yes, you’re absolutely right: the 1st priority is to host our email with a service which is reasonably far away from the legal arms of surveillance governements. It is a European citizenship duty to support the development of our own services (with paid subscriptions — your fee for hosted personal domain email is very reasonable).
    2) With the protection of Swiss law (I wouldn’t say this in any other country, not France, not Germany, not the UK obviously), and while that protection remains in place (with Protonmail’s activism – fingers crossed!), point 1 is more important than having our email technically encrypted in your servers *if that means* that we cannot take our email with us / export it / access it from desktop clients (a requirement before handing our data over to Protonmail). A plug-in to Apple Mail, for instance (like GPGMail), would be an elegant way to address both issues (user-controlled encryption and user’s ownership of their data).
    3) Some day, I hope you can provide true end-to-end encryption (with per-user management of PGP keys for instance). Until then, you’re really solving point 1) (the issue of trust) — which is a considerable achievement already and a good enough reason to switch to your service (provided you solve point 2).
    Kind regards, keep up the good work!
    Love,

    Reply
  • Hi, Andy ! Thank you, both for building Protonmail and for providing informative insights along this blog !

    IANAL, just wondering here : could Ya.oo (as an egregious example; not them only) be sued/prosecuted for breach of privacy and abusing their customers confidence?
    Then, assuming they were compelled by a sovereign government to commit this abuse, would this be accepted as an excuse by US/non-US/international prosecutors and courts of justice ?
    And assuming it were alleged or proved that they were compelled by a sovereign government (or agents thereof), could Ya.oo (for example) and the government in question be brought to Courts for, say, conspiration, in addition to other crimes ?

    I’d be delighted to read your opinion as well as that of others, especially legally informed opinions.

    Yours,

    Czerno

    Reply
  • Having served the US military for a little more than a decade, I was seeing the focus shifting from National defense to global governance. I served with a Force Recon Black Ops team. Within the Pentagon there are multiple factions, each having loyalty to their own agendas. There are still Commissioned Officers loyal to the Republic and the populace, but their numbers are dwindling. Most are leaning towards alliance with the UN take over of the United States Inc. It’s very scary. I love my country but I strongly distrust my government. Congress should wear NASCAR style uniforms, so we know who is owned by what foreign entity. When I was a guard at the White House (USMC) the Trump’s and the Clinton’s were tight like, two peas in a pod. But I am thinking more and more lately, “I wonder what Kazakhstan is like this time of year?”-

    Reply
    • We operate a 24/7 support desk with tech support staff in both the US and Europe. Depending on the time of day, your inquiry will be handled from either the US or Europe.

      Reply
  • I am chopping at the bits to fully move to my Protonmail account, bring my domain name and family members over. I just need the domain name feature to be sorted with a Proton Drive, calendar and I’m in. I hear it is for the end of this year.

    With Protonmail, Signal for messaging, Qwant as search engine, we’re on a very good path.

    Thanks to the entire Protonmail team, great, great job and service to a sane digital future

    Reply
  • Plenty of people would undoubtedly want to switch to Protonmail from services like Gmail, Yahoo and Outlook, and many of those would probably pay. But the fact is that the functionality isn’t there. Compare to Gmail, Yahoo and Outlook, Protonmail is underdeveloped severely in its Contacts (why, oh why can’t I add address details or phone numbers?), it has no Calendar and no import/export. So yes, it’s more secure and private, but it’s not a replacement exactly. Sort these things out. Make usable Contacts and Calendars and THEN say that you present a viable alternative to Gmail, Yahoo and Outlook.

    Reply
    • Also, whilst Protonmail is more private than Gmail, Yahoo and Outlook, it is not necessarily more secure since Protonmail does not offer Two Factor Authentication (2FA). The same method, e.g. a keylogger, could be used to capture both my Protonmail passwords. If I have 2FA with Gmail, Yahoo or Outlook, a keylogger is not enough. So if you want to present a viable alternative in terms of general security, Protonmail should as soon as possible implement 2FA options, such as Yubikey.

      Reply
    • @Göran
      “Protonmail is underdeveloped severely in its Contacts (why, oh why can’t I add address details or phone numbers?)”

      Oh, I see you are one of those really annoying contacts that undermine my privacy by sharing my personal data with Google without my knowledge ?

      Dude, don’t add people’s phone numbers or real address to your Gmail account, that’s just rude. It’s downright offensive if your contact is on ProtonMail or is otherwise an obviously privacy-conscious user.

      Reply
    • Make sure that you opt now for paying account. This way developers can add features you want, instead of looking for a second round. Vote for your bright future with dollars today.

      Reply
  • On the 26th of September Swiss citizens voted in a referendum by a large margin in favour of a mass surveillance programme. After this referendum the Swiss Secret Services gain the power to indiscriminately tap phone conversations and internet communications taking place in the country. It includes access to communications stored in Swiss data centres. This is not very different from the surveillance programmes the American companies are subject.

    This development is particularly worrying since ProtonMail stores in its data centres both the private and public keys of all its users. I hope you can solve this issue quickly (e.g. pass on private keys to users), because right now ProtonMail appears as secure as Yahoo.

    Regards.

    Reply
  • Whilst I generally do agree with the statements and sentiments from this blog post in regards to mass surveillance on US based E-Mail providers, the recent developments in Switzerland don’t do much to contribute to Switzerland being a “Privacy”-focused location.
    The last – clear – vote for more Government Surveillance – especially in the Tech-Sector makes me question how Services like Protonmail and others who have so far proclaimed their swiss location as a bastion for privacy, tend to uphold privacy aspects after that vote becomes law?

    Last but not least, the one feature that Protonmail truly lacks for me to choose it as my (paid-for) company E-Mail Services is a robust Calendar with full syncing (android/iOS) support.

    Reply
  • Good article and I think most protonmail users expected this behavior from other email operators anyway.

    It’s interesting you mention the following:

    “ProtonMail’s secure email service is based in Switzerland and all our servers are located in Switzerland, so all user data is maintained under the protection of Swiss privacy laws.”

    Recently the swiss public voted to allow their government to be able to use more surveillance etc but there has been no blog about this. how does this affect protonmail ?

    Reply
  • While you are on a topic of policies, can you comment Swiss referendum that confirmed the new law, which you were rallying against.
    Give us an update. Cause all we saw were glorious news about harmonization of Swiss approach with a less respecting regimes.

    Reply
  • Words Cannot express my Disapproval and Disgust at what is happening with Privacy.
    It is too bad we cant just Flush a Giant toilet to remove this infection.
    Where do they find these incredibly (the words escape me ) Humans.
    So Many questions with No answers.
    This problem is beyond my comprehension because it would Never occur to me.
    I would starve to death before I would work for vermin like this.
    Long Live protonmail.ch and private Internet access.

    Reply
  • Andy,

    wouldn’t it be nice if Protonmail were to open an alternate access through Tor as a so-called hidden (onion) service ?
    It is not something particularly difficult to set-up, at no or maginal costs to you, especiailly for a tehcnically briliant company like yours – hey, even Facebook managed to achieve it !

    Well, just my 2 cents … BTW, do you have versions of these blog posts and announcements in the languages of the Swiss confederation ?

    Reply
    • An onion hidden service is on our todo list. We did use to do French and German blog posts, but the Germans couldn’t read the French ones and the French couldn’t read the German ones so we got complaints all around. So now they are in English that everybody can read.

      Reply
      • Wow, looking forward to Prot-on-ion-mail ! It’s great news – the perspective was not mentioned in the 2016 roadmap, can you hazard an estimated date of arrival ?

        Reply
      • And that’s the irony in Europe: Due to the lack of interest to establish a real lingua franca, be it esperanto, Interlingua, modernized latin, whatever non national language so no cultural nor economic colonization would be implied, we have ended speaking the language of the anglo Amercia, a language who nobody speaks natively in the European continent since it’s oboriginal from the british isles, not continental europe. Absurd (>_<)

        Off-topic reflexion, I know, but couldn't resist. xD My apologies.

        Reply
  • Another interpretation of the statement “The mail scanning described in the article does not exist on our systems.” is that the system(s) which do this are owned by the NSA (or at least not by Yahoo) even if they are in the Yahoo racks.

    Reply
    • Another interpretation of “does not exist on our systems” is that a very similar feature, differing in some details from how it was described in the article, does exist on Yahoo’s systems.

      Reply
  • I am a moron but the thought of someone asking a mailman to deliver a blank envelope came to mind.

    I do have a couple of comments about what I read and the first one was when I signed up I was asked which proton the usa .com or the swiss . ch and stupidly I chose the .com Does that matter or affect my safety?
    Is it possible to switch?
    The second thought was also concerning the .com and was wondering if the .com part of proton is acting under a gag order.
    Could this post be your way of saying we are being snooped on and to switch to the .ch part of proton?
    Like I said I am a moron but the only way to change is through asking questions.
    thank you

    Reply
  • Proton and “Others” need to include ways to ensure that USER: hardware based toolsets and APIs can be used as a means to package and address messages. This would include pre-and post message creation authentication that could be from any source the end-user wishes.. (fingerprint, thumb drive, yubi-key, VR headset with eye-tracking, pattern-draw, etc.)

    Included in this would be a purchased drop-box and a forwarding service.. BUT being that ProtonMail would only be the purveyor of content with no keys or authenticators, etc.. it would be close to a P2P system with value paid (money) for backend-store-transport to support ProtonMail servers and services!

    Reply