Yahoo has denied that it’s currently spying on customer emails on behalf of U.S. intelligence programs, but that doesn’t mean it didn’t do so in the past.
On Tuesday, Reuters reported that two former employees and a third person aware of the events claimed the company had last year secretly built software that would scan all of its customers’ emails to look for certain keywords. The scanning, at the direction of the NSA or FBI, led then-CISO Alex Stamos to resign in protest after learning the decision was made by CEO Marissa Mayer without his knowledge.
“The article is misleading,” a Yahoo spokesperson told Business Insider. “We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”
There’s a lot of wiggle room in that statement, however. Yahoo says the article is misleading but doesn’t offer specifics, and it says the scanning software does not exist on its systems – a claim that could be true now but doesn’t rule out that the company used such a tool in the past.
When Business Insider asked for clarification, a Yahoo spokesman declined to comment beyond the statement.
Yahoo’s approach to the security of its hundreds of millions of users has been put under a microscope amid revelations of a massive hack that went unreported for years and the company’s undisclosed collaboration with the nation’s top spy agency.
According to the former Yahoo executive whom Business Insider spoke to, Yahoo’s culture of secrecy and its prioritization of other business goals led to troubling security practices that made it much more difficult for Yahoo to defend against hackers.
Yahoo’s security team was often denied funding and sometimes kept in the dark at Mayer’s direction, as she feared more emphasis on security could potentially spur a decline in the company’s user base.
“In the Mayer world, it became highly secretive,” to the point where the head of security wasn’t always “even part of the discussion,” the executive told Business Insider.
One such example was highlighted Tuesday, with some former Yahoo employees telling Reuters that Alex Stamos, the chief information security officer in 2015, was left completely out of a decision by Mayer to scan user emails for the government. Stamos and the security team only learned of the program after testing Yahoo’s systems for vulnerabilities and discovering software they thought had been inserted by hackers.
Instead, it was Yahoo’s own software engineers who had secretly installed the email scanning software. Stamos, who had been on the job for just one year, resigned in protest.
The executive told Business Insider it wasn’t the first time a secret was kept from Yahoo’s security team.
When news of the reported government-directed spying first broke, Yahoo said in a statement: “Yahoo is a law abiding company, and complies with the laws of the United States.”