Hong Kong securities brokers hit by cyber attacks, may face more: regulator

HONG KONG (Reuters) – Hong Kong’s securities regulator said brokers in the city had suffered cyber attacks and warned of possible further incidents across the industry.

Regulators in Hong Kong have been stepping up efforts over the past year to combat the growing menace of cyber attacks on companies. A survey in November showed the average number of such attacks detected by firms in mainland China and Hong Kong grew a whopping 969 percent between 2014 and 2016.

In a circular to licensed firms late on Thursday, the Securities and Futures Commission (SFC) said it had been informed by the Hong Kong police that brokers had encountered so-called “distributed denial of service” (DDoS) attacks targeting their websites and had received blackmail demands from criminals.

“The DDoS attacks have caused service disruption to the brokers for a short period. It is possible that similar cyber security incidents would be observed across the securities industry,” the SFC said in the notice.

Distributed denial of service (DDoS) attacks, among the most common on the Internet, involve cyber criminals using hijacked and virus-infected computers to target websites with data requests, until they are overwhelmed and unable to function.

The SFC urged firms in the financial center to implement protective measures, including reviews of the IT systems and DDoS mitigation plans.

(Reporting by Michelle Price; Editing by Himani Sarkar)

French central bank chief urges insurers to step up cyber risk coverage

PARIS (Reuters) – France’s central bank governor called on French insurers to enhance cyber risk coverage for their clients, as hack attacks and data privacy laws in Europe spur rising demand.

“With the help of reinsurers, insurers should be able to meet demands of cyber risk coverage, a concern that affects all businesses,” Francois Villeroy de Galhau said during a conference in Paris.

Though growing fast, the European cyber insurance market remains dwarfed by that in the United States, but is likely to expand in the coming years as new EU regulations come into force requiring firms to disclose when they have been the victim of an attack.

Around 28 percent of companies in Europe have been subject to a cyber attack over the past 12 months, but only 13 percent of companies have purchased cyber insurance, Marsh & McLennan Co’s (MMC.N) Marsh broker unit said in a survey, published in October 2016.

The value of global cyber insurance premiums outstanding is estimated by Marsh & McLennan Co’s (MMC.N) Marsh broker unit to be around $3.5 billion, with $3 billion coming from the United States and around $300 million coming from Europe.

“Insurance companies should learn from their own experience … in order to create a more mature market in France and Europe for insurance against cyber risks,” Villeroy added.

(Reporting by Maya Nikolaeva and Myriam Rivet; Editing by Leigh Thomas)

Saudi Arabia warns on cyber defense as Shamoon resurfaces

KHOBAR, Saudi Arabia (Reuters) – Saudi Arabia on Monday warned organizations in the kingdom to be on the alert for the Shamoon virus, which cripples computers by wiping their disks, as the labor ministry said it had been attacked and a chemicals firm reported a network disruption.

An alert from the telecoms authority seen by Reuters advised all parties to be vigilant for attacks from the Shamoon 2 variant of the virus that in 2012 crippled tens of thousands of computers at oil giant Saudi Aramco.

Shamoon disrupts computers by overwriting the master boot record, making it impossible for them to start up. Former U.S. Defense Secretary Leon Panetta said the 2012 Shamoon attack on Saudi Aramco was probably the most destructive cyber attack on a private business.

In the 2012 hacks, images of a burning U.S. flag were used to overwrite the drives of victims including Saudi Aramco and RasGas Co Ltd. In the recent attacks, an image of the body of 3-year-old drowned Syrian refugee Alan Kurdi was used, according to U.S. security researchers.

The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.

State-controlled Al Ekhbariya TV said on Twitter, using the hashtag #Shamoon, that several Saudi organizations had been targeted in recent cyber attacks.

The state news agency, meanwhile, said the labor ministry had been hit by a cyber attack, but that it did not impact its data.

Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and U.S. company Dow Chemical, said it had experienced a network disruption on Monday morning and was working to resolve the issue.

The company made the disclosure on its official Twitter account after the warning by Al Ekhbariya TV, which cited the telecoms authority.

It did not say whether the disruption was due to a cyber attack but said as a precautionary measure it had stopped all services related to the network.

Other companies in Jubail, the hub of the Saudi petrochemicals industry, also experienced network disruptions, according to sources who were not authorized to publicly discuss the matter.

Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.

(Reporting by Reem Shamseddine. Additional reporting by Jim Finkle.; Writing By Maha El Dahan; Editing by Mark Potter and Andrew Hay)

Airbus CEO sees ‘flying car’ prototype ready by end of year

MUNICH (Reuters) – Airbus Group plans to test a prototype for a self-piloted flying car as a way of avoiding gridlock on city roads by the end of the year, the aerospace group’s chief executive said on Monday.

Airbus last year formed a division called Urban Air Mobility that is exploring concepts such as a vehicle to transport individuals or a helicopter-style vehicle that can carry multiple riders. The aim would be for people to book the vehicle using an app, similar to car-sharing schemes.

“One hundred years ago, urban transport went underground, now we have the technological wherewithal to go above ground,” Airbus CEO Tom Enders told the DLD digital tech conference in Munich, adding he hoped Airbus could fly a demonstration vehicle for single-person transport by the end of the year.

“We are in an experimentation phase, we take this development very seriously,” he said, adding that Airbus recognized such technologies would have to be clean to avoid further polluting congested cities.

He said using the skies could also reduce costs for city infrastructure planners. “With flying, you don’t need to pour billions into concrete bridges and roads,” he said.

Enders said Airbus, as the world’s largest maker of commercial helicopters, wanted to invest to make the most of new technologies such as autonomous driving and artificial intelligence, to usher in what amounts to an era of flying cars.

“If we ignore these developments, we will be pushed out of important segments of the business,” he said.

A spokesman for Airbus declined to say how much the company was investing in urban mobility.

(Reporting by Eric Auchard; Writing by Victoria Bryan; Editing by Ruth Pitchford)

Artificial leaf copies nature to manufacture medicine

By Ben Hirschler

(Reuters) – Dutch scientists have developed an artificial leaf that can act as a mini-factory for producing drugs, an advance that could allow medicines to be produced anywhere there is sunlight.

The work taps into the ability of plants to use sunlight to feed themselves through photosynthesis, something industrial chemists have struggled to replicate because sunshine usually generates too little energy to fuel chemical reactions.

The leaf-inspired micro factory mimics nature’s efficiency at harvesting solar radiation by using new materials called luminescent solar concentrators with very thin channels through which liquid is pumped, exposing molecules to sunlight.

“Theoretically, you could use this device to make drug compounds with solar energy anywhere you want,” said lead researcher Timothy Noel at Eindhoven University of Technology.

By doing away with the need for a power grid, it may be possible one day to make malaria drugs in the jungle or even medicines on Mars in some future space colony, he believes.

The device, made from silicone rubber, can operate even when there is diffuse light, which means it will work under cloudy skies. However, there is still a way to go to scale up the process to make it commercially viable.

Noel and his colleagues, who published their research in the science journal Angewandte Chemie on Wednesday, are now trying to improve energy efficiency further and increase output.

Because the artificial leaf relies on micro-channels to bring chemicals into direct contact with sunlight, each unit needs to be small – but they could be easily linked together to increase production.

“You can make a whole tree with many, many different leaves placed in parallel,” Noel told Reuters. “These are very cheap things to make, so there is a lot of potential.”

He thinks the process could start to become broadly available to chemical engineers within five to 10 years.

It is not the first time that scientists have drawn inspiration from plants when considering novel ways to manufacture pharmaceuticals.

In 2012, the U.S. Food and Drug Administration approved a drug called Elelyso from Pfizer and Protalix Biotherapeutics for Gaucher disease, a rare genetic condition, made with genetically modified carrot cells.

Other researchers are also cultivating crops that have been specially bred to produce useful medicines and vaccines in their leaves.

Yahoo under scrutiny after latest hack, Verizon seeks new deal terms

By Greg Roumeliotis and Jessica Toonkel

NEW YORK (Reuters) – Yahoo Inc <YHOO.O> came under renewed scrutiny by federal investigators and lawmakers on Thursday after disclosing the largest known data breach in history, prompting Verizon Communications Inc <VZ.N> to demand better terms for its planned purchase of Yahoo’s internet business.

Shares of the Sunnyvale, California-based internet pioneer fell more than 6 percent after it announced the breach of data belonging to more than 1 billion users late on Wednesday, following another large hack reported in September.

Verizon, which agreed to buy Yahoo’s core internet business in July for $4.8 billion, is now trying to persuade Yahoo to amend the terms of the acquisition agreement to reflect the economic damage from the two hacks, according to people familiar with the matter.

The U.S. No. 1 wireless carrier still expects to go through with the deal, but is looking for “major concessions” in light of the most recent breach, according to another person familiar with the situation.

Asked about the status of the deal, a Yahoo spokesperson said: “We are confident in Yahoo’s value and we continue to work towards integration with Verizon.”

Verizon had already said in October it was reviewing the deal after September’s breach disclosure. Late on Wednesday, it said it would “review the impact of this new development before reaching any final conclusions” about whether to proceed.

The company declined to comment beyond that statement on Thursday.

Verizon has threatened to go to court to get out of the deal if it is not repriced, citing a material adverse effect, said the people familiar with the matter, who asked not to be identified because the negotiations are confidential.

No court in Delaware, where Yahoo is incorporated, has ever found that a material adverse effect has occurred that would allow companies to terminate a merger agreement.

Nevertheless, the threat of a court case on the issue has been successfully used by companies to renegotiate deals, and experts said that some concessions from Yahoo are likely, given the magnitude of the cyber security breaches.

Renegotiating the deal’s price tag would be the simplest but also least likely scenario because the impact of the data breaches will not be apparent for some time, according to Erik Gordon, a professor at the University of Michigan’s Ross School of Business.

A more likely concession would be for Yahoo to agree to compensate Verizon after the close of the deal, based on the liabilities that occur. The two companies may also agree to extend the close of the deal to allow for more time for information to come in on the impact of the breaches, Gordon suggested.

Verizon shares rose 0.4 percent to close at $51.81, in line with the S&P 500 Index <.SPX>. Yahoo closed down 6.1 percent at $38.41.

BIGGEST BREACH

Yahoo said late on Wednesday that it had uncovered a 2013 cyber attack that compromised data of more than 1 billion user accounts, the largest known breach on record.

It said the data stolen may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The company added that some of its partners were affected. One such partner, Europe’s Sky Plc <SKYB.L>, said Yahoo provides email services to its 2.1 million Sky.com email account holders, but it was unclear how many of those accounts were affected.

The announcement followed Yahoo’s disclosure in September of a separate breach that affected over 500 million accounts, which the company said it believed was launched by different hackers.

The White House said on Thursday the U.S. Federal Bureau of Investigation was probing the breach. Several lawsuits seeking class-action status on behalf of Yahoo shareholders have been filed, or are in the works.

Meanwhile, Democratic Senator Mark Warner of Virginia said he was looking into Yahoo’s cyber security practices.

“This most-recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defenses have been so weak as to have compromised over a billion users,” he said in a statement.

Warner, who will become the top Democrat on the Senate Intelligence Committee next year, described the hacks as “deeply troubling.”

New York Attorney General Eric Schneiderman urged anyone with a Yahoo account to change their passwords and security questions and said he is examining the breach’s circumstances and the company’s disclosures to law enforcement.

Germany’s cyber security authority, the Federal Office for Information Security (BSI), advised German consumers to consider switching to safer alternatives for email, and criticized Yahoo for failing to adopt modern encryption techniques to protect users’ personal data.

“Considering the repeated cases of data theft, users should look more closely at which services they want to use in the future and security should play a part in that decision,” BSI President Arne Schoenbohm said in a statement.

The latest breach drew widespread criticism from security experts, several advising consumers to close their Yahoo accounts.

“Yahoo has fallen down on security in so many ways I have to recommend that if you have an active Yahoo email account, either direct with Yahoo or via a partner like AT&T, get rid of it,” Stu Sjouwerman, chief executive of cyber security firm KnowBe4 Inc, said in a broadly distributed email.

A Yahoo spokesperson, in response to criticism of the company’s security measures, said on Thursday: “We’re committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and to keep our users and platforms secure.”

(Reporting by Greg Roumeliotis and Jessica Toonkel in New York and Dustin Volz in Washington; Additional reporting by Liana Baker, Anna Driver, Eric Auchard and Michael Erman; Writing by Jim Finkle and Jonathan Weber; Editing by Bill Trott and Bill Rigby)

U.S. proposes requiring vehicles to ‘talk’ to each other to avoid crashes

By David Shepardson

WASHINGTON (Reuters) – The U.S. Transportation Department on Tuesday proposed requiring all new cars and trucks to be able to “talk” to one another using short-range wireless technology to potentially avoid tens of thousands of crashes annually.

Regulators, who first announced plans to pursue requiring the technology in early 2014, are proposing to give automakers at least four years to comply from the time the rule is finalized, and would require automakers to ensure all vehicles “speak the same language through a standard technology.”

The administration of President-elect Donald Trump will decide whether to finalize the proposal, which does not apply to larger vehicles like buses and tractor trailers.

The U.S. National Highway Traffic Safety Administration (NHTSA) estimates that talking vehicles could eliminate or reduce the severity of up to 80 percent of crashes where alcohol is not a factor, especially crashes at intersections or while changing lanes.

Last year, there were 6.3 million U.S. vehicle crashes. In October, NHTSA said U.S. traffic deaths jumped 10.4 percent in the first six months of 2016. The jump follows a spike in 2015, when road deaths rose 7.2 percent to 35,092, the highest full-year increase since 1966.

Talking cars and trucks would use dedicated short range communications to transmit data up to 300 meters, such as location, direction and speed, to nearby vehicles. That data would be updated and broadcast up to 10 times per second to nearby vehicles, which can identify risks and provide warnings to drivers to avoid imminent crashes.

“From a safety perspective, this is a no brainer,” said U.S. Transportation Secretary Anthony Foxx.

NHTSA Administrator Mark Rosekind said vehicles would protect privacy by only exchanging safety information and would ensure hackers can’t intercept signals.

The rule would not require vehicles currently on U.S. roads to be retrofitted with the technology. Foxx said owners couldn’t turn off the technology but could turn off warnings.

The Alliance of Automobile Manufacturers, a trade group representing General Motors Co, Toyota Motor Corp, Volkswagen AG and other major automakers, noted the system is already being tested. The group said it would study the proposal. Automakers are pushing to ensure that a portion of the spectrum reserved for connected vehicles is not used by other companies for other wireless device use. The U.S. Federal Communications Commission has begun testing potential sharing options.

Separately, the Federal Highway Administration plans to issue guidance for vehicle-to-infrastructure communications, which will help planners allow vehicles to “talk” to roadway infrastructure such as traffic lights.

(Reporting by David Shepardson; Editing by David Gregorio)

Exclusive: Top U.S. spy agency has not embraced CIA assessment on Russia hacking – sources

By Mark Hosenball and Jonathan Landay

WASHINGTON (Reuters) – The overseers of the U.S. intelligence community have not embraced a CIA assessment that Russian cyber attacks were aimed at helping Republican President-elect Donald Trump win the 2016 election, three American officials said on Monday.

While the Office of the Director of National Intelligence (ODNI) does not dispute the CIA’s analysis of Russian hacking operations, it has not endorsed their assessment because of a lack of conclusive evidence that Moscow intended to boost Trump over Democratic opponent Hillary Clinton, said the officials, who declined to be named.

The position of the ODNI, which oversees the 17-agency-strong U.S. intelligence community, could give Trump fresh ammunition to dispute the CIA assessment, which he rejected as “ridiculous” in weekend remarks, and press his assertion that no evidence implicates Russia in the cyber attacks.

Trump’s rejection of the CIA’s judgment marks the latest in a string of disputes over Russia’s international conduct that have erupted between the president-elect and the intelligence community he will soon command.

An ODNI spokesman declined to comment on the issue.

“ODNI is not arguing that the agency (CIA) is wrong, only that they can’t prove intent,” said one of the three U.S. officials. “Of course they can’t, absent agents in on the decision-making in Moscow.”

The Federal Bureau of Investigation, whose evidentiary standards require it to make cases that can stand up in court, declined to accept the CIA’s analysis – a deductive assessment of the available intelligence – for the same reason, the three officials said.

The ODNI, headed by James Clapper, was established after the Sept. 11, 2001, attacks on the recommendation of the commission that investigated the attacks. The commission, which identified major intelligence failures, recommended the office’s creation to improve coordination among U.S. intelligence agencies.

In October, the U.S. government formally accused Russia of a campaign of cyber attacks against American political organizations ahead of the Nov. 8 presidential election. Democratic President Barack Obama has said he warned Russian President Vladimir Putin about consequences for the attacks.

Reports of the assessment by the CIA, which has not publicly disclosed its findings, have prompted congressional leaders to call for an investigation.

Obama last week ordered intelligence agencies to review the cyber attacks and foreign intervention in the presidential election and to deliver a report before he turns power over to Trump on Jan. 20.

The CIA assessed after the election that the attacks on political organizations were aimed at swaying the vote for Trump because the targeting of Republican organizations diminished toward the end of the summer and focused on Democratic groups, a senior U.S. official told Reuters on Friday.

Moreover, only materials filched from Democratic groups – such as emails stolen from John Podesta, the Clinton campaign chairman – were made public via WikiLeaks, the anti-secrecy organization, and other outlets, U.S. officials said.

“THIN REED”

The CIA conclusion was a “judgment based on the fact that Russian entities hacked both Democrats and Republicans and only the Democratic information was leaked,” one of the three officials said on Monday.

“(It was) a thin reed upon which to base an analytical judgment,” the official added.

Republican Senator John McCain said on Monday there was “no information” that Russian hacking of American political organizations was aimed at swaying the outcome of the election.

“It’s obvious that the Russians hacked into our campaigns,” McCain said. “But there is no information that they were intending to affect the outcome of our election and that’s why we need a congressional investigation,” he told Reuters.

McCain questioned an assertion made on Sunday by Republican National Committee Chairman Reince Priebus, tapped by Trump to be his White House chief of staff, that there were no hacks of computers belonging to Republican organizations.

“Actually, because Mr. Priebus said that doesn’t mean it’s true,” said McCain. “We need a thorough investigation of it, whether both (Democratic and Republican organizations) were hacked into, what the Russian intentions were. We cannot draw a conclusion yet. That’s why we need a thorough investigation.”

In an angry letter sent to ODNI chief Clapper on Monday, House Intelligence Committee Chairman Devin Nunes said he was “dismayed” that the top U.S. intelligence official had not informed the panel of the CIA’s analysis and the difference between its judgment and the FBI’s assessment.

Noting that Clapper in November testified that intelligence agencies lacked strong evidence linking Russian cyber attacks to the WikiLeaks disclosures, Nunes asked that Clapper, together with CIA and FBI counterparts, brief the panel by Friday on the latest intelligence assessment of Russian hacking during the election campaign.

(Editing by Yara Bayoumy and Jonathan Oatis)

FBI to gain expanded hacking powers as Senate effort to block fails

By Dustin Volz

WASHINGTON (Reuters) – A last-ditch effort in the Senate to block or delay rule changes that would expand the U.S. government’s hacking powers failed Wednesday, despite concerns the changes would jeopardize the privacy rights of innocent Americans and risk possible abuse by the incoming administration of President-elect Donald Trump.

Democratic Senator Ron Wyden attempted three times to delay the changes, which will take effect on Thursday and allow U.S. judges to issue search warrants that give the FBI the authority to remotely access computers in any jurisdiction, potentially even overseas. His efforts were blocked by Senator John Cornyn of Texas, the Senate’s second-ranking Republican.

The changes will allow judges to issue warrants in cases when a suspect uses anonymizing technology to conceal the location of his or her computer or for an investigation into a network of hacked or infected computers, such as a botnet.

Magistrate judges can currently only order searches within the jurisdiction of their court, which is typically limited to a few counties.

In a speech from the Senate floor, Wyden said that the changes to Rule 41 of the federal rules of criminal procedure amounted to “one of the biggest mistakes in surveillance policy in years.”

The government will have “unprecedented authority to hack into Americans’ personal phones, computers and other devices,” Wyden said.

He added that such authority, which was approved by the Supreme Court in a private vote earlier this year, but was not subject to congressional approval, was especially troubling in the hands of an administration of President-elect Trump, a Republican who has “openly said he wants the power to hack his political opponents the same way Russia does.”

Democratic Senator Chris Coons of Delaware and Republican Senator Steve Daines of Montana also delivered speeches voicing opposition to the rule changes.

The U.S. Justice Department has pushed for the changes to the federal rules of criminal procedure for years, arguing they are procedural in nature and the criminal code needed to be modernized for the digital age.

In an effort to address concerns, U.S. Assistant Attorney General Leslie Caldwell wrote a blog post this week arguing that the benefits given to authorities from the rule changes outweighed any potential for “unintended harm.”

“The possibility of such harm must be balanced against the very real and ongoing harms perpetrated by criminals – such as hackers, who continue to harm the security and invade the privacy of Americans through an ongoing botnet, or pedophiles who openly and brazenly discuss their plans to sexually assault children,” Caldwell wrote.

A handful of judges in recent months had dismissed evidence brought as part of a sweeping FBI child pornography sting, saying the search warrants used to hack suspects’ computers exceeded their jurisdiction.

The new rules are expected to make such searches generally valid.

Blocking the changes would have required legislation to pass both houses of Congress, then be signed into law by the president.

(Reporting by Dustin Volz, editing by G Crosse)

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources

By Joseph Menn

SAN FRANCISCO (Reuters) – Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Through a Facebook spokesman, Stamos declined a request for an interview.

The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company’s legal team, according to the three people familiar with the matter.

U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time Web collection or one that required the creation of a new computer program.

“I’ve never seen that, a wiretap in real time on a ‘selector,’” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.

“It would be really difficult for a provider to do that,” he added.

Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Alphabet Inc’s Google and Microsoft Corp, two major U.S. email service providers, separately said on Tuesday that they had not conducted such email searches.

“We’ve never received such a request, but if we did, our response would be simple: ‘No way’,” a spokesman for Google said in a statement.

A Microsoft spokesperson said in a statement, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” The company declined to comment on whether it had received such a request.

CHALLENGING THE NSA

Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.

Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led U.S. authorities to modestly scale back some of the programs, in part to protect privacy rights.

Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal.

Some FISA experts said Yahoo could have tried to fight last year’s demand on at least two grounds: the breadth of the directive and the necessity of writing a special program to search all customers’ emails in transit.

Apple Inc made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

Some FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies’ mail.

As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.

Former NSA General Counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”

SECRET SIPHONING PROGRAM

Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.

Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.

Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. (http://bit.ly/2dL003k)

In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon Communications Inc for $4.8 billion.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)