Holding Off on that Yahoo Email Story

I've gotten a few questions the last couple of days about why Lawfare has had nothing to say about that big story Reuters ran the other day on Yahoo, the intelligence community, and the scanning of all those email accounts.

I can't speak for other writers on this site, but here's why I haven't written about it: the stories in question contain too little information to usefully comment, and too much of the information is contradictory. I thus don't think I can say anything useful at this stage, other than to point out how much we don't know and to point out that nearly all of the other commentary is either the rankest of speculation or has already proven to be wrong. The better part of valor right now is to shut up and wait.

So as a reader service, I'm going to shut up and wait to draw any conclusions. But first, I'm going to list three things I'm waiting for, things we don't yet know that should be pivotal to figuring out how to evaluate what the government and Yahoo actually did here.

First, neither the original Reuters story nor the New York Times story that followed—and contradicted—it yesterday had access to any of the underlying documents. The Reuters story is sourced to "people familiar with the matter." The Times story is sourced to "several people familiar with the matter," "Two government officials who spoke on the condition of anonymity," and "a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity."

There's nothing wrong with writing news stories based on anonymous sourcing when it's necessary to do so. There is something very wrong with doing a complex legal and factual analysis without access to either the facts or the legal thinking that went into the surveillance in the government, at the court, and at Yahoo. Sometimes, of course, we don't have access to the core materials because the government keeps things classified, so we are left to read tea leaves. We are never, however, forced to act like those tea leaves are sufficient to draw conclusions. A lot of people are doing that this week.

Second, the reporting here is actually very thin and do not, in fact, have enough tea leaves to draw even tentative conclusions. Without access to documents detailing what sort of order the government sought from the FISA court or what the court actually ordered Yahoo to do, both stories can give only the vaguest outline of the actual collection that took place.

Here's Reuters:

Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

. . .

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Here's the Times:

Yahoo customized an existing scanning system for all incoming email traffic, which also looks for malware, according to one of the officials and to a third person familiar with Yahoo’s response, who also spoke on the condition of anonymity.

With some modifications, the system stored and made available to the Federal Bureau of Investigation a copy of any messages it found that contained the digital signature. The collection is no longer taking place, those two people said.

. . .

Investigators had learned that agents of the foreign terrorist organization were communicating using Yahoo’s email service and with a method that involved a “highly unique” identifier or signature, but the investigators did not know which specific email accounts those agents were using, the officials said.

I don't fault any of the reporters for this. They only have access to the information to which they have access. But the dramatic rush on the part of lots of commentators to have opinions about the matter is irresponsible. There simply isn't enough information here to have an opinion about the propriety or legality of the activity in question. Nor is there enough information here to wax indignant that Yahoo did not fight the order. Reuters reports that Yahoo chieftain Marissa "Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter." The many self-described privacy advocates who are outraged that Yahoo didn't stand and fight are insisting, with virtually no information, that they know better how some law (they are not sure which law) would interact with some facts (they are not sure which facts) than did Mayer and her lawyers, who had access to both the law and the facts and to the actual court order to which they had to respond.

Third, the reports are not consistent with one another about the legal authority for the surveillance either—and the Reuters stories are not even internally consistent with themselves on the subject. In its initial report, Reuters did not specify under what authority the government had issued its demand, calling it only "a broad demand for real-time Web collection" and saying that "The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company's legal team." For the record, "classified edict" is not a term of art.

The Times, however, yesterday clarified that the order was not broad, but narrow, coming from the FISA Court under what is called the "traditional" FISA authority:

Two government officials who spoke on the condition of anonymity said the Justice Department obtained an individualized order from a judge of the Foreign Intelligence Surveillance Court last year.

. . .

The two government officials familiar with the matter said the digital signature Yahoo was ordered to look for last year was individually approved in an order issued by a judge, who was persuaded that there was probable cause to believe that it was uniquely used by a foreign power.

. . .

According to the government officials, Yahoo was served with an individualized court order to look only for code uniquely used by the foreign terrorist organization. Two sources, including one of the officials, portrayed it as adapting the scanning systems that it already had in place to comply with that order rather than building a brand-new capability. The other official did not comment on the technology. The officials did not name the terrorist organization.

But then Reuters doubled down, and published another story insisting that the legal authority for the action was FISA 702: "Yahoo's request came under the Foreign Intelligence Surveillance Act, the sources said. The two sources said the request was issued under a provision of the law known as Section 702, which will expire on Dec. 31, 2017, unless lawmakers act to renew it." Except that elsewhere in the same story, the Reuters reporters described a process that sounds nothing at all like 702 but something like traditional FISA: "The collection in question was specifically authorized by a warrant issued by the secret Foreign Intelligence Surveillance Court, said the two government sources, who requested anonymity to speak freely."

So in other words, we don't have the documents; we don't have the facts; and we don't even know what law we're talking about.

All we really know is that there was some kind of order, under some provision of FISA, that prompted Yahoo to scan all emails for a known signature and segregate the fruits of that scanning for FBI inspection. I can imagine situations and fact patterns in which that would bother me a lot. I can also imagine situations and fact patterns in which it would strike me as a perfectly reasonable thing. Right now, I have very little sense of what really happened here. So I'm going to wait to have an opinion until I actually know something.

So should everyone else.