This week’s revelation that Yahoo scanned incoming emails for a so-called digital signature associated with a terrorist group raises an important unanswered question: Can tech companies be forced to build new surveillance tools for the government?
In Yahoo’s case, a federal judge’s answer was yes.
Yahoo’s 2015 bulk email scanning came to light in an article Reuters published Tuesday. In a Wednesday follow-up, The New York Times added important details, including that Yahoo had been scanning customer emails in response to an order from the Foreign Intelligence Surveillance Court, and that it had provided the FBI with “a copy of any messages it found that contained the digital signature.”
Any court order requiring Yahoo to bulk-scan billions of incoming email messages is almost certainly unconstitutional. It’s like the FBI securing a judge’s permission to listen in on millions of Americans’ phone calls in an attempt to nab a mobster, or local police obtaining a search warrant to break down every resident’s front door to find a stolen TV. (Remember, the fact that Yahoo received a court order doesn’t mean that the court order itself adhered to constitutional principles. Even judges make mistakes.)
Many facts surrounding Yahoo’s email scanning remain mysterious: No FISA court order outlining all the details has yet surfaced, which isn’t surprising considering that they’re supposed to remain secret. But based on what we know so far, the directive to Yahoo closely resembles a general warrant, which the Fourth Amendment—intended to halt a practice employed by British authorities of obtaining open-ended warrants authorizing the search of many houses or businesses without probable cause—was explicitly enacted to prohibit.
The Justice Department appears to have successfully forced an Internet company to write a “custom software program to search all of its customers’ incoming emails,” according to Reuters. A FISA order to scan hundreds of millions of Yahoo email accounts for links to a terrorist group would undoubtedly lack the Fourth Amendment-mandated probable cause.
Patrick Toomey, an attorney with the American Civil Liberties Union, called the order “unprecedented and unconstitutional.” Andrew Crocker and Mark Rumold from the Electronic Frontier Foundation wrote in a blog post that the Yahoo order “represents a new—and dangerous—expansion of the government’s mass surveillance techniques.”
One obstacle any lawsuit over Yahoo’s bulk email scanning faces is the difficulty in proving that the surveillance happened, at least to a court’s satisfaction. That difficulty is what led to the U.S. Supreme Court’s dismissal of a 2013 lawsuit brought by the ACLU that challenged the legality of bulk FISA surveillance. Expect the same outcome here, unless an actual court order or other official documents emerge. (Leakers inside Yahoo, take note!)
But based on what we know so far, the directive to Yahoo closely resembles a general warrant, which the Fourth Amendment—intended to halt a practice employed by British authorities of obtaining open-ended warrants authorizing the search of many houses or businesses without probable cause—was explicitly enacted to prohibit.
Writing new surveillance code is effectively what the FBI tried—and ultimately failed—to force Apple to do earlier this year. After it obtained a work phone, an iPhone 5C, used by one of the shooters in a mass attack last year in San Bernardino, Calif., it attempted to compel Apple to write code for a new version of iOS with a government backdoor.
Apple fought this demand. It argued, as I wrote for The Parallax at the time, that a 1789 law called the All Writs Act was never intended to authorize the government to force companies to write new surveillance code. Apple noted that it already had handed over all stored data that it “possessed relating to the attackers’ accounts,” and said it was unwilling to write new surveillance code that inevitably would be misused.
“No court has ever authorized what the government now seeks, no law supports such unlimited and sweeping use of the judicial process, and the Constitution forbids it,” Apple’s lawyers wrote in a brief. (Because the FISA court’s order affected millions of people, that argument would have been even more powerful, had Yahoo raised it.)
In late March, the FBI abandoned its legal pursuit of Apple. It notified the court that it had found another way to access the data on the iPhone, leaving the question of how far police agencies can go in forcing companies to write new code unanswered.
If a government agency truly requires that legal authority, and the surveillance methods it seeks would comply with the Fourth Amendment, it should simply ask Congress to enact a new law.
A few years ago, the Justice Department started to do just that. It drafted legislation that would have amended the existing Communications Assistance for Law Enforcement Act (CALEA) and compelled Yahoo, Apple, and other companies to build in surveillance backdoors for government agencies.
It had at least a few enthusiastic backers in Congress. “We have been waiting patiently for the administration to put forth a proposal with necessary fixes,” Chuck Grassley, an Iowa Republican, said at a 2012 Senate hearing.
But technology companies such as Google, Microsoft, Twitter, and Yahoo successfully lobbied the White House to pull the plug on the legislation. The proposal to amend CALEA was never submitted to Congress.
Questions surrounding compulsory backdoors will grow increasingly important. As encryption becomes commonplace—Yahoo finally turned on HTTPS by default for Yahoo Mail in 2014—we should expect U.S. police and intelligence agencies to encounter mostly encrypted communications when conducting targeted Internet wiretaps and untargeted backbone taps, such as dragnet Internet surveillance done in concert with AT&T and other telecommunications providers. The obvious next step will be for these agencies to demand the right to perform bulk scans of emails, chats, direct messages, location data, and more.
It’s a shame that Yahoo chose not to fight the court order. Like Apple, it could have argued that it violated the Fourth Amendment and the All Writs Act. But for reasons still undisclosed, it chose not to do so.
And the question of whether Internet companies can be forced to build surveillance tools for government agencies will be left for a more privacy-sensitive legal team to raise next time.