US explanation for scanning Yahoo emails unsatisfactory: EU

The 'relatively late and relatively general' explanation from the US for why it forced Yahoo to scan all user emails under a secret court order has been deemed unsatisfactory by the EU's justice commissioner.
Written by Corinne Reichert, Contributor

The United States government's explanation for why it made a court order forcing Yahoo to scan all users' incoming emails for intelligence purposes was unsatisfactory, the European Union's justice chief has said.

The European Commission had asked for clarification from the US government back in November last year on the secret court order served to Yahoo.

"I am not satisfied, because to my taste, the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick, and full exchange of information," EU Justice Commissioner Vera Jourova told Reuters.

The EU's investigation into the matter came about as part of monitoring the EU-US Privacy Shield, which came into effect in July last year and required the US to agree not to engage in mass surveillance practices.

The Privacy Shield allows businesses to move Europeans' personal data -- including for credit card transactions, hotel bookings, and browsing habits for targeted advertising -- over to the US.

Yahoo, which announced this week that it would be renaming to Altaba and forming a new board of directors as it becomes an investment company following the $4.8 billion sale of its operating business to Verizon, is not signed up to the EU-US Privacy Shield. In addition, the email scanning took place before the Shield existed.

Despite these facts, the EU is viewing the issue as a test case of whether the US will commit to the Shield, Reuters said, with Jourova adding that she expects a more detailed explanation on why Yahoo was asked to scan customer emails.

Jourova acknowledged that the US "cannot be fully concrete" on national security issues, however.

The first annual review of the Privacy Shield will take place mid-year under incoming US President Donald Trump.

"I would expect that Trump's administration would understand what is good and what is bad for business. This [Privacy Shield] is good for business," Jourova said.

"We need to see that we can still trust."

Back in October, reports emerged from Reuters that Yahoo had been forced to build a tool in 2015 for scanning all customers' emails for specific information provided by either the FBI or the NSA, and to store for remote retrieval any emails containing that information. The court order was made by America's Foreign Intelligence Surveillance Court.

It is unknown what the information being sought was, or whether any other companies were subject to a similar order.

Yahoo's internal security team found out about the program weeks later, and assumed that there had been a cyber attack, with a programming flaw that could have allowed hackers to access the emails being stored under the secret court order. Yahoo's chief intelligence security officer subsequently resigned from the company.

Yahoo last year admitted that it had faced data breaches in September 2014 and August 2013, when 500 million accounts and 1 billion accounts, respectively, were stolen by hackers.

The EU's dissatisfaction with the US' explanation for forcing Yahoo to scan emails follows Reuters' reports on Tuesday that the EU has proposed a new law that would see email and online messaging services such as Gmail, Hotmail, iMessage, Facebook Messenger, and WhatsApp face more stringent rules on tracking users.

The EU has suggested that these services be required to first obtain their customers' explicit consent before scanning their emails -- which they would also have to assure would remain confidential -- and placing cookies on their browsers, before being permitted to track users for the purposes of targeted advertising.

Companies that do not accede to the new rules, which still must be approved by the European Parliament and its member states, would face fines of around 4 percent of their global revenue, Reuters said.

With AAP

Editorial standards