Yahoo Reputation Damaged After Report of Secret US Government Cooperation, Say Experts

Yahoo allegedly built a custom software program last year that scanned customers' emails for information either the NSA or FBI sought under a classified edict, Reuters reported Tuesday. A Yahoo spokeswoman emailed that “the article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.” Other companies, including Google and Microsoft, also emailed that they have never engaged in secret scanning of email traffic or have never received any such government request. Google added, "But if we did, our response would be simple: 'No way.'"

“It would be hard to find a company that seems more determined to squander whatever public, investor and customer goodwill they had than Yahoo!," emailed Nick Kalm, president of communications firm Reputation Partners. "The data breach, followed by the decision to scan customers’ emails on behalf of the government, together serve to erode trust to a level that it will not soon be rebuilt."

The House Judiciary Committee is aware of the media reports and is looking into the issue, said a spokesman. Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee, said in a statement it's public record that data collection under Section 702 of the Foreign Intelligence Surveillance Act (FISA) "is the basis for warrantless searches of Americans’ emails, and that the government has never even counted how many. The FISA court has publicly stated that tens of thousands of wholly domestic communications are caught up under 702 collection every year and that the potential number of Americans impacted is even larger than that. The NSA has said that it only targets individuals under Section 702 by searching for email addresses and similar identifiers. If that has changed, the executive branch has an obligation to notify the public.”

At the White House Wednesday, Press Secretary Josh Earnest said he couldn't discuss details of the report or even if it's accurate. He said the Obama administration instituted changes that offer more oversight and transparency into such intelligence programs. He said such intelligence is used only "for national security purposes and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary people and certainly not of law-abiding American citizens."

The news is "incredibly damaging" especially to its Yahoo's email properties, said technology analyst Rob Enderle. He said Verizon's pending $4.8 billion acquisition (see 1607250016) "opens up a whole different can of worms," including whether Yahoo disclosed the cooperation with the government to Verizon. "If that disclosure wasn’t done, Verizon would clearly have recourse, at least against the principals, if not the option of undoing the sale, though it’s pretty difficult with a public company," he said. While he would pull the plug on the deal, Enderle added it depends on what's in the purchase contract. Verizon declined to comment.

Kalm said Verizon may have been willing to overlook Yahoo's data breach, but the telco may "decide there is too much ‘hair’ on this deal to consummate their acquisition." He said Yahoo's board may have "to take a good, long look at the company’s governance and operations [and] consider making some pretty dramatic changes moving forward.”

Enderle didn't think the hit on Yahoo's brand would affect advertisers, which are still "going to pay based on eyeballs." Unlike when people boycott an advertiser connected with an objectionable magazine or TV show, the cause and effect between doing something bad and its impact on an advertiser's brand doesn't exist on the internet, he said. But he said Yahoo's alleged activity could create "collateral damage" and more distrust for U.S. brands and cloud companies among foreign users because of government involvement. "Will people believe them?" he asked. "This is a case where a U.S. company may be guilty until proven innocent and it’s virtually impossible for you to prove yourself innocent. You’d be under federal and potential criminal exposure if you disclose it."

But Kalm said he doesn't think it will have a "downstream effect" on other U.S. companies. "Apple, for instance, fought the FBI vigorously on unlocking the San Bernardino terrorists’ phone (see 1604190002), and other US tech players clearly view their customers’ privacy more seriously than Yahoo," he emailed. But if more reports emerge that other companies did what Yahoo allegedly did, "all bets would be off," he said. "Mitigating all of this, we do have the fact that several foreign governments with state- and privately-owned businesses prominent in the tech sector treat customers’ privacy even more cavalierly than Yahoo did, so it’s not as if foreign users have a lot of viable alternatives to consider.”

Privacy advocates raised concerns about Yahoo's alleged practice. In a Tuesday blog post, Electronic Frontier Foundation staff attorneys Andrew Crocker and Mark Rumold wrote that, if true, the activity "represents a new -- and dangerous -- expansion of government's mass surveillance techniques." American Civil Liberties Union staff attorney Patrick Toomey said in an emailed statement the government order seems "unprecedented and unconstitutional." He said it's "disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court." He said if the surveillance was conducted under Section 702, Congress needs to change the law and improve transparency (see 1605100001 and 1607060054).