Yahoo built a system to scan user emails at the behest of U.S. intelligence agencies, according to a Reuters report on Tuesday. The company reportedly built the spy tool last year after Yahoo CEO Marissa Mayer and other executives decided that fighting a government order to search the messages was futile, the report said, citing unnamed sources.
Initially, the company offered a cagey response to Reuters’ claims that failed to say whether it did in fact create the software: “Yahoo is a law-abiding company, and complies with the laws of the United States.”
Privacy advocates immediately denounced Yahoo’s alleged complicity in what they described as overreaching electronic surveillance. “Use @Yahoo?” Edward Snowden, the National Security Agency contractor turned leaker who helped expose a number of the U.S. government’s Internet data collection programs, wrote on Twitter. “They secretly scanned everything you ever wrote, far beyond what the law requires. Close your account today.”
Rival tech and social media companies quickly distanced themselves from any potentially Yahoo-like privacy violations. Google, and Facebook all, to varying degrees, denied having implemented similar programs.
This morning Yahoo fired back, too. “The article is misleading. We narrowly interpret every government request for user data to minimize disclosure,” Jacob Silber, a spokesman at the crisis communications firm Joele Frank, wrote to Fortune on behalf of Yahoo. “The mail scanning described in the article does not exist on our systems.”
Yahoo critics scrutinized the language in the statement and noted that Yahoo did not call the Reuters report “false,” nor did it preclude the possibility that such a mail scanning tool had existed on the company’s network at some point, however recently, in the past.
Amid the backlash, some security experts began to question aspects of the original report, pointing out ambiguities in key details. Robert Graham, CEO of Errata Security, for instance, pointed to a number of uncertainties in a blog post. The most pertinent of them concerned what the Reuters report meant by saying that Yahoo’s email scanning software searched for a “set of characters,” and under what government authority the company complied.
Declan McCullagh, a former journalist, theorized on Twitter that the character sets being targeted may be “indicators of compromise,” the technical term for evidence of a computer network intrusion. In this scenario, the bits of code may indicate email malware or booby-trapped email attachments. In fact, it’s possible that an agency such as the Department of Homeland Security told Yahoo what to look for, he said, along the lines of the Cybersecurity and Information Sharing Act, which passed into law at the end of last year.
Matt Tait, an alum of the British spy service GCHQ, further speculated on Twitter that the report may represent a quiet expansion of PRISM, a clandestine data collection program authorized by Section 702 of the Foreign Intelligence Surveillance Act. Specifically, Tait proposed that the intelligence community had subpoenaed Yahoo to hand over communications that mention certain targeted email addresses, rather than simply messages sent “to” or “from” certain addresses. This technique, which involves “about” selectors in the technical lingo, is already commonly used in the case of “upstream” data collection, which involves tapping the wires of telecom and Internet service providers.
“The bit I’m struggling with here, is if this is an extension of PRISM to ‘about’ collection, it’s bold, unchallenged, and very precarious,” Tait added. “Either way, I think it’s a critical test for to be very open on whether they consider ‘about’ collection to be a part of PRISM,” he said, referring to the Office of the Director of National Intelligence.
In response to a list of detailed questions about these points, Suzanne Philion, a Yahoo spokesperson, wrote to Fortune, “We can’t comment further.” A similar note to the Office of the Director of National Intelligence went unanswered.
In the absence of more information, it’s impossible to know what Yahoo is or has been up to. Since the Reuters report relies for the most part on anonymous sources and inferences, it’s hard to reach conclusions about how Yahoo’s actions—whatever they might be—should be viewed (though, at first blush, they do seem worrisome).
There are a lot of uncertainties. If you don’t want to wait for an explanation, sure, go ahead and delete your Yahoo Mail account, as so many of the outraged privacy advocates are encouraging. At least the noise may pressure the government into revealing more information about its surveillance practices.