WASHINGTON – The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, the Washington Post reported Wednesday, citing documents obtained from former NSA contractor Edward Snowden.
A secret accounting dated Jan. 9, 2013, indicates that the NSA sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade, Md., headquarters. In the last 30 days, field collectors had processed and sent back more than 180 million new records – ranging from “metadata,” which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported Wednesday on its website.
The latest revelations were met with outrage from Google, and triggered legal questions, including whether the NSA may be violating federal wiretap laws.
“Although there’s a diminished standard of legal protection for interception that occurs overseas, the fact that it was directed apparently to Google’s cloud and Yahoo’s cloud, and that there was no legal order as best we can tell to permit the interception, there is a good argument to make that the NSA has engaged in unlawful surveillance,” said Marc Rotenberg, executive director of Electronic Privacy Information Center. The reference to “clouds” refers to sites where the companies collect data.
The new details about the NSA’s access to Yahoo and Google data centers around the world come at a time when Congress is reconsidering the government’s collection practices and authority, and as European governments are responding angrily to revelations that the NSA collected data on millions of communications in their countries. Details about the government’s programs have been trickling out since Snowden shared documents with the Post and Guardian newspaper in June.
The NSA’s principal tool to exploit the Google and Yahoo data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. The Post said NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.
The NSA has a separate data-gathering program, called PRISM, which uses a court order to compel Yahoo, Google and other Internet companies to provide certain data. It allows the NSA to reach into the companies’ data streams and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.
In an interview with Bloomberg News on Wednesday, NSA Director Gen. Keith Alexander was asked if the NSA has infiltrated Yahoo and Google databases, as detailed in the Post story.
“Not to my knowledge,” said Alexander. “We are not authorized to go into a U.S. company’s servers and take data. We’d have to go through a court process for doing that.”
It was not clear, however, whether Alexander had any immediate knowledge of the latest disclosure in the Post report. Instead, he appeared to speak more about the PRISM program and its legal parameters.
In a separate statement, NSA spokeswoman Vanee Vines said NSA has “multiple authorities” to accomplish its mission, and she said “the assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true.” At no point did the NSA deny the existence of the MUSCULAR program.
The GCHQ had no comment on the matter.
The Post said the NSA was breaking into data centers worldwide. The NSA has far looser restrictions on what it can collect outside the United States on foreigners and would not need a court order to collected foreigners’ communications.
Cybersecurity expert James Lewis said it is likely that the Google and Yahoo data was part of a larger collection of communications swept up by the NSA program from the fiber-optic pipeline. He said that while the collection was probably legal, because it was done overseas, the question is what the NSA did with the data linked to U.S. citizens.
To meet legal requirements, the NSA has to distinguish between foreign and U.S. persons, and must get additional authorization in order to view information linked to Americans, said Lewis, who is with the Center for Strategic and International Studies. He said it’s not clear from the reports what the NSA did with the U.S. data, and so it’s difficult to say whether the agency violated the law.
David Drummond, Google’s chief legal officer said the company has “long been concerned about the possibility of this kind of snooping.”
“We do not provide any government, including the U.S. government, with access to our systems,” said Drummond. “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
Google, which is known for its data security, noted that it has been trying to extend encryption across more and more Google services and links.
Yahoo spokeswoman Sarah Meron said there are strict controls in place to protect the security of the company’s data centers. “We have not given access to our data centers to the NSA or to any other government agency,” she said, adding that it is too early to speculate on whether legal action would be taken.
The MUSCULAR project documents state that this collection from Yahoo and Google has led to key intelligence leads, the Post said.