What if China or India was behind Yahoo spying order?

Lack of response from the US government about its Yahoo e-mail surveillance order is troubling and will have serious implications for cybersecurity in the rest of the world, including Asian nations.
Written by Eileen Yu, Senior Contributing Editor

It has been nearly a month since news broke that Yahoo may have scanned the email content of its users under instructions from the US government, but few details have emerged since and few in the international community seem bothered by the revelation.

The silence is troubling since it has serious implications for cybersecurity in the rest of the world, including the Asian region.

Reuters last month reported that Yahoo was forced to build software that searched all of its users' email, as well as attachments, for specific characters and phrases. It reportedly did so under the order of US intelligence agencies, likely the US National Security Agency (NSA) or Federal Bureau of Investigation (FBI).

Several industry lobbyists, including privacy group Electronic Frontier Foundation (EFF), last week sent a letter to the director of the US National Intelligence Office, James Clapper, asking that he release information about the email scanning, including details about how the US government justified the move and whether it had conducted similar searches.

"Such a massive scan of the email of millions of people, particularly if it involves the scanning of email content, could violate FISA (Foreign Intelligence Surveillance Act), the Fourth Amendment, and international human rights law, and has grave implications for privacy," stated the letter, which also was signed by Amnesty International, OpenTheGovernment.org, and TechFreedom, amongst others.

"It's crucial Clapper follow through on his pledge for transparency and release information about how the US government justified the email scanning under FISA," the EFF said on its website.

For its part, Yahoo described the Reuters article as "misleading" and denied the scanning tool was in its systems. "Yahoo is a law abiding company and complies with the laws of the United States," it said. The internet vendor refused to comment further, but later urged Clapper to declassify the surveillance order, pledging to explain itself if the US government officer agreed to its request to make the information public.

According to TechCrunch, the email scanning tool provided access to all incoming mail and might have also included access to outgoing mail. Citing a source, the report said the software was implemented poorly and could have been exploited by external hackers.

Just weeks before the scanning scandal, Yahoo revealed it suffered a data breach in 2014 that could have affected at least 500 million user accounts and led to stolen personal details, including login IDs, recovery email address, phone numbers, and dates of birth.

Did the poorly implemented email scanning tool open up a loophole that led to the 2014 data breach? According to the Reuters report, the software was uncovered by Yahoo's security team in May 2015, supposedly weeks after it was implemented, so the timelines might not match up.

However, could Yahoo have acceded to other similar directives from the US government? If it did, could any of these then have resulted in the data breach that put 500 million users, including those outside of the US, at risk?

And why haven't any international businesses or governments spoken up about the issue? Surely, if the tables were turned, and the order had come from the government of China or India or even France or the UK, any response from the US would be less than muted? The US certainly would demand details, answers, and an end to the spying.

And any one of those countries would have just as valid reasons, in the name of terrorism and national security interests, to justify forcing a company to scan its communications systems. That is, of course, assuming the US government will justify its action based on those reasons as it usually does.

Why Asian governments need to care more

The lack of response from the US government about the issue is troubling and further underscores why no one country--certainly not the US--should have control of the internet.

More importantly, though, for the rest of us including Asia, this is an issue we need to care more about because a breach anywhere in the world can potentially affect our country's cybersecurity wellbeing, too.

Stressing the country's role in cybersecurity, Singapore's Minister for Communications and Information Yaacob Ibrahim said at a conference last week that cyberattacks were "unrestrained by geographical boundaries". "Singapore is an open and highly-connected business hub for trade, finance, and logistics. The effects of a cyberattack on Singapore could potentially impact the wider regional and global economy," Yaacob said.

Likewise, a serious breach in the systems of an international service provider like Yahoo could create loopholes and extend the hackers' reach into Singapore's cyberspace.

Regional and global collaboration are increasingly important in the fight against terrorism and cybersecurity threats. No matter how influential or powerful one country may think it is, the best defense is when you have others fighting alongside and helping to put together a cohesive attack strategy. Go it alone and you'll only end up putting your global counterparts at risk, as demonstrated in the case of Yahoo.

The Singapore government itself recognises the challenge of balancing the need to ensure national security and protect user privacy. Cyber Security Agency Chief David Koh said there was no absolute right answer and local jurisdictions would need to be considered, especially when cyber activities were likely to be cross-border.

To combat increasing cyber threats, Singapore has stressed the need for collaboration and wants to play a role, for instance, in galvanising cybersecurity efforts across Asean. This is a positive and necessary step towards a more robust cybersecurity regime, one where all parties involved know what everyone else is doing and understand how to work within each other's jurisdiction.

Such partnerships and unity within the Asian region will be especially critical, since the next US president may be one who thinks it's perfectly okay to invite Russian hackers to target his opponents.
