Tuesday’s Reuters report that internet giant Yahoo had collaborated with the NSA to scan every email coming in to its millions of users roiled the online community. There is quite a lot of important technical detail we still don’t know about this potentially major expansion of known NSA surveillance, but what is out there is enough to raise some serious questions.
First, the basics. According to Reuters, the NSA issued Yahoo a confidential directive last year to search all incoming messages for some given selector the NSA provided. Yahoo apparently complied, and in doing so actually built a custom bit of software that would scan for this selector as new messages flowed through their network.
Companies like Yahoo, Google, and Microsoft have been very cooperative in turning users’ info over to the government for a long time — under specific court orders. It’s perfectly appropriate and necessary for law enforcement to demand such information for individuals or groups of individuals for whom there’s probable cause to suspect involvement in illegal activity.
But this Yahoo revelation raised the hackles of every surveillance reform and privacy advocate out there. The idea that a single request (it is not even clear what kind of request it was) could compel a company to scan literally every email on its network is quite new.
However, another key detail was provided by the New York Times the next day: what Yahoo appears to have done was modify the filter they use to weed out child pornography, spam, and malware “to search for messages containing a computer ‘signature’ tied to the communications of a state-sponsored terrorist organization…”
Now that complicates things a bit. If there is a truly distinctive signature — be that a cryptographic key or an embedded logo — that connects an email account specifically to a foreign, state-sponsored terrorist group (like Hamas or the Revolutionary Guard), then it’s a little harder to argue with the search in this case.
But it does raise an important question. If the NSA/FBI can get a company like Yahoo to use its built-in scanning capability to target a legitimately bad group of subjects like foreign terrorists, can they use it (or have they?) for other selectors that end up looping in a lot of American citizens here?
The seriousness of that thought was enough that Microsoft and Google immediately issued statements that they had never received similar search requests from the feds. Google went so far as to add that if they had received such a request, “our response would be simple: ‘no way’.” One would hope that Yahoo, too, would have refused the request if it had been too invasive or if it had violated the due process of Americans.
Then again, Yahoo has fought illegal surveillance practices by the NSA before and lost, so saying “no” is difficult even for egregiously bad requests.
The constitutional threat here is that although some electronic signatures might well be isolated to foreign sources, others might not be, leading large quantities of Americans’ data to end up sucked into the government’s surveillance dragnet. We know that this has already happened to an unknown but large number of Americans via the “backdoor search loophole” under Section 702 of the Foreign Intelligence Surveillance Act.
At the very least, this mass-scanning request Yahoo was sent appears to be a novel tactic for bulk surveillance, and the criterion for how the NSA employs such a request should be known to the public. For too many authorities like this one, the legality and constitutionality of a given tactic are decided behind tightly closed doors, in secret courts with little oversight.
As we’ve seen in the case of the bulk collection of Americans’ communications metadata that was revealed by Edward Snowden, having the capability to step beyond the bounds of due process can create the temptation to do it. Once such a precedent exists, the ability of a lawless administration to turn that surveillance capability upon lawful American citizens poses a threat to the balance of power between us and the government that is too dangerous to ignore.
Section 702 of FISA, which many have speculated may be the legal authority under which the Yahoo request was carried out, is up for reauthorization in 2017. The debate over Section 702 would be a perfect time to demand answers about this and many other questionable government surveillance practices revealed by whistleblowers these past several years.
This article originally appeared on Conservative Review.