Surely there was evidence somewhere? If Stamos wasn't briefed as to the situation and a security engineer found the rootkit on their own, how could they be bound by the terms of an NSL / gag order?
Whether Mayer went around him willingly or by legal requirement is basically unanswerable, except to note that the email team chose to do the same. There's not much to say when we can't tell collusion from compulsion.
The question of accidental discovery, by contrast, is a fascinating one. A gag order couldn't possibly compel someone who made the discovery on their own (for the simple reason that they wouldn't know about it to be compelled). So circumventing the security team, instead of simply including them in the NSL, raises an interesting discussion about the nature of the NSL and why the matter was kept from Stamos' team.
If the company was gagged, I don't see how it would matter whether company employees knew about it in advance or found it by accident. Either way, the company is still gagged.
Also, while your comment makes common sense, national security restrictions don't have to make sense to be legal. For example, there is information that is "born classified," meaning that even if it is independently developed, totally separate from the defense apparatus, it's still considered classified!
If so, one wonders if he would take a similar principled stance a second time at Facebook. Much harder to jump ship for greener pastures while already riding the biggest rocketship in town.
Knowing Yahoo's mail architecture very intimately, your analogy here isn't very accurate unless you get very abstract with your usage of the words "database" and "queries".
I wonder if she knew the security team would find it if they weren't consulted, making not telling them the legal way to tell them.