Yahoo May Have Exposed Rogers Customer Emails to US Spies
When emails go to the US, they're open to eavesdropping.
On Friday, Motherboard reported that beleaguered US company Yahoo allowed someone—possibly a US intelligence agency such as the NSA or FBI—to install a backdoor on its servers, likely for scanning purposes, that afforded unfettered access to Yahoo's systems, including users' personal emails.
"This backdoor was installed in a way that endangered all of Yahoo users," a source familiar with the incident told Motherboard.
This should concern Canadians, because Rogers, one of the largest telecom companies in the country, totally outsources its email systems to Yahoo. Emails sent from Rogers accounts are sent to Yahoo's US servers for storage and processing, and Yahoo scans Rogers emails for spam, malware, and child pornography.
This isn't the first time that Rogers' ties to Yahoo have compromised Canadians: The Toronto Star previously reported that Rogers customer data was included in the massive hack in September.
Moreover, several experts consulted by Motherboard said that by dint of Rogers emails transiting and being stored on Yahoo's US servers, they would likely have been subject to any sort of system-wide email dragnet installed by US intelligence.
Neither the NSA, nor its Canadian counterpart, the Communications Security Establishment (CSE), are legally allowed to spy on the content of domestic Canadians' digital communications, with the exception that the CSE monitors emails sent to the government.
Neither Yahoo nor Rogers would comment directly on these allegations.
"I'd imagine that, yes, the program would have applied to Rogers customer emails, unless Yahoo elected to specifically exclude them"
When asked if customer emails are routed through the US, Rogers spokesperson Andrew Garas stated that "when you register for a Yahoo account, your registration information and other data will be transmitted to the United States and/or other countries for processing and storage by Yahoo." This, the spokesperson continued, includes email.
To see what kind of data Yahoo could pull from a message, I asked a Rogers-subscribing friend to send me a test email. The routing information contained in the email confirmed that the email was sent through a Yahoo-owned server in New York.
The routing information was analyzed by American Civil Liberties Union staff technologist Daniel Gillmor and Citizen Lab researcher Bill Marczak, who both agreed that a system-wide email scanning system in the US could have captured the content of the Rogers email, despite it being sent and received within Canada.
"Any program that scans all the mail that Yahoo has access to would have scanned this email," Gillmor wrote me in a message.
"If Yahoo chose to segment their scanning by limiting it only to mails that have '@yahoo.com' email addresses [and omitted those sent from @rogers.com], of course, then they would have chosen to exclude this email from the scan," Gillmor continued. "It's not clear to me whether any such constraint was in place, though."
"I'd imagine that, yes, the program would have applied to Rogers customer emails, unless Yahoo elected to specifically exclude them," wrote Marczak in an email.
Yahoo declined to comment on whether the alleged system filtered out emails from Rogers customers.
Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner, confirmed that Rogers consulted the office in the wake of the Yahoo hack. But as far as the possibility that Rogers customer emails had been siphoned into a surveillance dragnet goes, "Given we don't have detailed information about the matter, we are not in a position to comment," Cohen wrote.
When asked if Rogers was aware of the allegations against Yahoo or if the company is concerned that a backdoor could have affected its customers, spokesperson Garas referred me to Yahoo's statement and wrote that "as such, we believe this matter is closed."
Rogers would not comment when asked if it had any plans to change email providers in response to the Yahoo story.