Updated October 7, 2016 with additional clarification and analysis of Yahoo’s denial

Dear ProtonMail Community,

Two weeks ago, we published a security advisory regarding the mass hacking of Yahoo . Unfortunately, due to recent events , we are issuing a second advisory regarding all US email providers.

What happened?

This week, it was revealed that as a result of a secret US government directive, Yahoo was forced to implement special surveillance software to scan all Yahoo Mail accounts at the request of the NSA and FBI. Sometime in early 2015, Yahoo secretly modified their spam and malware filters to scan all incoming email messages for the phrases in the court order and then siphoned those messages off to US intelligence. This is significant for several reasons:

This is the first known incident where a US intelligence directive has indiscriminately targeted all accounts as opposed to just the accounts of suspects. Effectively, all 500 million+ Yahoo Mail users were presumed to be guilty.

Instead of searching stored messages, this directive forced Yahoo to scan incoming messages in real-time.

Because ALL incoming email messages were targeted, this program spied on every person who emailed a Yahoo Mail account, violating the privacy of users around the world who may not even have been using a US email service.

What does this mean for US tech companies?

This is a terrible precedent and ushers in a new era of global mass surveillance. It means that US tech companies that serve billions of users around the world can now be forced to act as extensions of the US surveillance apparatus. The problem extends well beyond Yahoo. As was reported earlier, Yahoo did not fight the secret directive because Yahoo CEO Marissa Mayer and the Yahoo legal team did not believe that they could successfully resist the directive.

We believe that Yahoo’s assessment is correct. If it was possible to fight the directive, Yahoo certainly would have done so since they previously fought against secret FISA court orders in 2008 . It does not make sense that US surveillance agencies would serve Yahoo Mail with such an order but ignore Gmail, the world’s largest email provider, or Outlook. There is no doubt that the secret surveillance software is also present in Gmail and Outlook, or at least there is nothing preventing Gmail and Outlook from being forced to comply with a similar directive in the future. From a legal perspective, there is nothing that makes Yahoo particularly vulnerable, or Google particularly invulnerable.

Google and Microsoft have come out to deny they participated in US government mandated mass surveillance, but under a National Security Letter (NSL) gag order, Google and Microsoft would have no choice but to deny the allegations or risk breaking US law (our analysis of Yahoo’s denial is at the bottom of this post). Again ,there is no conceivable reason US intelligence would target Yahoo but ignore Gmail, so we must consider this to be the most probable scenario, particularly since gag orders have become the norm rather than the exception.

In effect, the US government has now officially co-opted US tech companies to perform mass surveillance on all users, regardless of whether they are under US jurisdiction or not. Given the huge amount of data that Google has , this is a truly scary proposition.

How does this impact ProtonMail?

ProtonMail’s secure email service is based in Switzerland and all our servers are located in Switzerland, so all user data is maintained under the protection of Swiss privacy laws. ProtonMail cannot be compelled to perform mass surveillance on our users, nor be compelled to act on behalf of US intelligence. ProtonMail also utilizes end-to-end encryption which means we do not have the capability to read user emails in the first place, so we couldn’t hand over user email data even if we wanted to.

However, since email is an open system, any unencrypted email that goes out of ProtonMail, to Yahoo Mail for example, could potentially have been swept up by these mass surveillance programs and sent to US government agencies. This is why if you want to avoid having your communications scanned and saved by US government agencies, it is important to invite friends, family, and colleagues to use non-US email accounts such as ProtonMail or other email services offered by European companies.

What can the rest of the world do about this?

Unfortunately, the tech sector today is entirely dominated by US companies. Just like Google has a monopoly on search, the US government has a near monopoly on mass surveillance. Even without US government pressure, most US tech companies also have perverse economic incentives to slowly chip away at digital privacy.

This week, we have again seen how easily the massive amounts of private data retained by US tech companies can be abused by US intelligence for their own purposes. Without alternatives to the US tech giants, the rest of the world has no choice but to consent to this. This is an unprecedented challenge, but it also presents an unprecedented opportunity, particularly for Europe.

Now is the time for Europe to invest in its own tech sector, unbeholden to outside interests. This is the only way the European community can continue to safeguard the European ideals of privacy, liberty, and freedom online. It is time for European governments and citizens to act before it is too late.

The only chance for privacy to prevail against these attacks is for the global community to support a new generation of web services which protect privacy by default. These services, such as ProtonMail’s encrypted email service, must operate with a business model where users can donate or pay for services, instead of giving up data and privacy. The security community also has an obligation to make these new service just as easy to use as the ones they replace.

Services such as secure email, search, and cloud storage are now vital to our lives. Their importance means that for the good of all citizens, we need to develop private alternatives that are aligned with users, and free from corporate greed and government overreach. Crowdfunded services like ProtonMail are rising to the challenge, but we need more support from the global community to successfully take on better funded US tech giants. Privacy matters, and your support is essential to ensure the Internet of the future is one that protects our rights.

Best Regards,

The ProtonMail Team

You can get a free secure email account from ProtonMail here .

You can support our mission by upgrading to a paid plan or donating so that we can grow beyond email.

Analysis of Yahoo Denial:

Yahoo, like every other US tech company, has issued a denial, basically denying Reuter’s account of the mass surveillance. Here is Yahoo’s denial, word for word:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

It is curious that Yahoo’s response to this incident is only 29 words, but upon closer examination, it is a very carefully crafted 29 words. First, Yahoo calls the reports misleading. This is a curious choice of words because it does not claim that the report is false. Finally, Yahoo states that, “The mail scanning described in the article does not exist on our systems.” While this could be a true statement, it does NOT deny that the scanning could have been present on Yahoo’s systems in the past.

The same day as the Yahoo denial, the New York Times obtained independent verification of the Reuter’s story from two US government officials. This allowed the New York Times to confirm the following facts:

Yahoo is in fact under a gag order and from a legal standpoint, they cannot confirm the mass surveillance (in other words, they must deny the story or avoid making any statements that would be seen as a confirmation).

The Yahoo mass data collection did in fact take place, but the collection is no longer occurring at present time. Thus, we now understand the disingenuous wording of the last sentence in Yahoo’s statement.

Yahoo’s denial (or non-denial, as the case may be), followed immediately by confirmation by the NYT demonstrates the new reality that denials by US tech companies cannot really be taken at face value anymore. It is not that US tech companies are intentionally trying to mislead their customers, but many times, they have no choice due to the gag orders that now inevitably accompany any government requests. If statements from US tech companies turn out to be suspect (as in the Yahoo example), the likelihood of the public ever knowing the truth becomes highly unlikely, and this brings us to a dangerous place.