Yahoo secretly built a custom software program to search all of its customers' incoming emails for specific information under US intelligence officials' guidance last year, according to people familiar with the matter.
As reported by Reuters, the company complied with a classified US government demand, scanning hundreds of millions of Yahoo mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.
Some surveillance experts said this represents the first case to surface of a US internet company agreeing to an intelligence agency's request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.
It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.
Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.
According to two of the former employees, Yahoo chief executive Marissa Mayer's decision to obey the directive roiled some senior executives and led to the June 2015 departure of chief information security officer Alex Stamos, who now holds the top security job at Facebook.
"Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.
Through a Facebook spokesman, Stamos declined a request for an interview.
The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.
The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company's legal team, according to the three people familiar with the matter.
US phone and internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time web collection or one that required the creation of a new computer program.
Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.
Alphabet's Google and Microsoft, two major US email service providers, separately said on Tuesday that they had not conducted such email searches.
"We've never received such a request, but if we did, our response would be simple: 'No way'," a spokesman for Google said in a statement.
A Microsoft spokesperson said in a statement, "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo." The company declined to comment on whether it had received such a request.
Yahoo's security team left out
Yahoo chief executive Marissa Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.
Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo's challenge was unsuccessful.
Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.
They were also upset that Mayer and Yahoo general counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
The sources said the program was discovered by Yahoo's security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.
When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users' security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.
(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)