ProtonBlog(new window)

What Yahoo’s NSA surveillance means for email privacy

Share this page

Updated October 7, 2016 with additional clarification and analysis of Yahoo’s denial

Dear Proton Mail Community,

Two weeks ago, we published a security advisory regarding the mass hacking of Yahoo(new window). Unfortunately, due to recent events(new window), we are issuing a second advisory regarding all US email providers.

What happened?

This week, it was revealed(new window) that as a result of a secret US government directive, Yahoo was forced to implement special surveillance software to scan all Yahoo Mail accounts at the request of the NSA and FBI. Sometime in early 2015, Yahoo secretly modified their spam and malware filters to scan all incoming email messages for the phrases in the court order and then siphoned those messages off to US intelligence. This is significant for several reasons:

  • This is the first known incident where a US intelligence directive has indiscriminately targeted all accounts as opposed to just the accounts of suspects. Effectively, all 500 million+ Yahoo Mail users were presumed to be guilty.
  • Instead of searching stored messages, this directive forced Yahoo to scan incoming messages in real-time.
  • Because ALL incoming email messages were targeted, this program spied on every person who emailed a Yahoo Mail account, violating the privacy of users around the world who may not even have been using a US email service.

What does this mean for US tech companies?

This is a terrible precedent and ushers in a new era of global mass surveillance. It means that US tech companies that serve billions of users around the world can now be forced to act as extensions of the US surveillance apparatus. The problem extends well beyond Yahoo. As was reported earlier, Yahoo did not fight the secret directive because Yahoo CEO Marissa Mayer and the Yahoo legal team did not believe that they could successfully resist the directive.

We believe that Yahoo’s assessment is correct. If it was possible to fight the directive, Yahoo certainly would have done so since they previously fought against secret FISA court orders in 2008(new window). It does not make sense that US surveillance agencies would serve Yahoo Mail with such an order but ignore Gmail, the world’s largest email provider, or Outlook. There is no doubt that the secret surveillance software is also present in Gmail and Outlook, or at least there is nothing preventing Gmail and Outlook from being forced to comply with a similar directive in the future. From a legal perspective, there is nothing that makes Yahoo particularly vulnerable, or Google particularly invulnerable.

Google and Microsoft have come out to deny they participated in US government mandated mass surveillance, but under a National Security Letter (NSL) gag order, Google and Microsoft would have no choice but to deny the allegations or risk breaking US law (our analysis of Yahoo’s denial is at the bottom of this post). Again ,there is no conceivable reason US intelligence would target Yahoo but ignore Gmail, so we must consider this to be the most probable scenario, particularly since gag orders have become the norm rather than the exception(new window).

In effect, the US government has now officially co-opted US tech companies to perform mass surveillance on all users, regardless of whether they are under US jurisdiction or not. Given the huge amount of data that Google has(new window), this is a truly scary proposition.

How does this impact Proton Mail?

ProtonMail’s secure email service is based in Switzerland and all our servers are located in Switzerland, so all user data is maintained under the protection of Swiss privacy laws. Proton Mail cannot be compelled to perform mass surveillance on our users, nor be compelled to act on behalf of US intelligence. Proton Mail also utilizes end-to-end encryption which means we do not have the capability to read user emails in the first place, so we couldn’t hand over user email data even if we wanted to.

However, since email is an open system, any unencrypted email that goes out of Proton Mail, to Yahoo Mail for example, could potentially have been swept up by these mass surveillance programs and sent to US government agencies. This is why if you want to avoid having your communications scanned and saved by US government agencies, it is important to invite friends, family, and colleagues to use non-US email accounts such as Proton Mail or other email services offered by European companies.

What can the rest of the world do about this?

Unfortunately, the tech sector today is entirely dominated by US companies. Just like Google has a monopoly on search, the US government has a near monopoly on mass surveillance. Even without US government pressure, most US tech companies also have perverse economic incentives(new window) to slowly chip away at digital privacy.

This week, we have again seen how easily the massive amounts of private data retained by US tech companies can be abused by US intelligence for their own purposes. Without alternatives to the US tech giants, the rest of the world has no choice but to consent to this. This is an unprecedented challenge, but it also presents an unprecedented opportunity, particularly for Europe.

Now is the time for Europe to invest in its own tech sector, unbeholden to outside interests. This is the only way the European community can continue to safeguard the European ideals of privacy, liberty, and freedom online. It is time for European governments and citizens to act before it is too late.

The only chance for privacy to prevail against these attacks is for the global community to support a new generation of web services which protect privacy by default. These services, such as Proton Mail’s encrypted email service, must operate with a business model where users can donate or pay for services, instead of giving up data and privacy. The security community also has an obligation to make these new service just as easy to use as the ones they replace.

Services such as secure email, search, and cloud storage are now vital to our lives. Their importance means that for the good of all citizens, we need to develop private alternatives that are aligned with users, and free from corporate greed and government overreach. Crowdfunded services(new window) like Proton Mail are rising to the challenge, but we need more support from the global community to successfully take on better funded US tech giants. Privacy matters, and your support is essential to ensure the Internet of the future is one that protects our rights.

Get a free secure email account from Proton Mail.

You can support our mission by upgrading to a paid plan so that we can grow beyond email.

Analysis of Yahoo Denial:

Yahoo, like every other US tech company(new window), has issued a denial, basically denying Reuter’s account(new window) of the mass surveillance. Here is Yahoo’s denial, word for word:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

It is curious that Yahoo’s response to this incident is only 29 words, but upon closer examination, it is a very carefully crafted 29 words. First, Yahoo calls the reports misleading. This is a curious choice of words because it does not claim that the report is false. Finally, Yahoo states that, “The mail scanning described in the article does not exist on our systems.” While this could be a true statement, it does NOT deny that the scanning could have been present on Yahoo’s systems in the past.

The same day as the Yahoo denial, the New York Times obtained independent verification of the Reuter’s story(new window) from two US government officials. This allowed the New York Times to confirm the following facts:

  • Yahoo is in fact under a gag order and from a legal standpoint, they cannot confirm the mass surveillance (in other words, they must deny the story or avoid making any statements that would be seen as a confirmation).
  • The Yahoo mass data collection did in fact take place, but the collection is no longer occurring at present time. Thus, we now understand the disingenuous wording of the last sentence in Yahoo’s statement.

Yahoo’s denial (or non-denial, as the case may be), followed immediately by confirmation by the NYT demonstrates the new reality that denials by US tech companies cannot really be taken at face value anymore. It is not that US tech companies are intentionally trying to mislead their customers, but many times, they have no choice due to the gag orders that now inevitably accompany any government requests. If statements from US tech companies turn out to be suspect (as in the Yahoo example), the likelihood of the public ever knowing the truth becomes highly unlikely, and this brings us to a dangerous place.

Protect your privacy with Proton
Create a free account

Share this page

Andy Yen(new window)

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail