NSA uses front and back doors to gain access

And the Edward Snowden hits keep coming.

Barton Gellman, one of the outlets for the NSA documents provided by Edward Snowden, has another big story that expands yet again the range of spying done by the NSA on American companies and Americans, even to the extent of storing actual content and not just metadata.

We already knew that the NSA has some ‘front door’ access to some data through arrangements with some internet companies, but it now looks like they broke in through the back door of Google and Yahoo to get even more information.

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.

The NSA is taking advantage of the fact that the cloud servers are often overseas and restrictions on such snooping are looser overseas.

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner. [My italics-MS]

Tapping the Google and Yahoo clouds allows the NSA to intercept communications in real time and to take “a retrospective look at target activity,” according to one internal NSA document.
In order to obtain free access to data center traffic, the NSA had to circumvent gold standard security measures.

In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data resides. In hand-printed letters, the drawing notes that encryption is “added and removed here!” The artist adds a smiley face, a cheeky celebration of victory over Google security.

Google and Yahoo have both expressed outrage at what was done.

In a statement, Google’s chief legal officer, David Drummond, said the company was “outraged” by the latest revelations.

“We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide,” he said.

“We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”

Yahoo said: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”

The angry responses from Google and Yahoo suggest that their denial of knowledge that the NSA was doing this may be genuine.

I see a big future for cryptographers as people seek ever more secure ways of protecting their date from the government.


  1. Reginald Selkirk says

    Google and Yahoo have both expressed outrage at what was done.

    Sure they did. Meanwhile, they have resumed their rather insistent advice that I link a cell phone number to my e-mail accounts; a practice they started a while ago but laid off of when the Snowden escapade first hit the fan.

  2. trucreep says

    It looks like the company involved with these data centers, Level 3, may have been how the NSA got access.

  3. lorn says

    The general rule is that if it can be hacked and monitored it has been hacked and is being actively monitored. And everything is recorded and filed away for future reference. This record will be there forever. Nothing is ever lost or deleted. Storage is cheap.

    Analysis may, or may not, occur at any time after the communications are recorded. I’m pretty sure all files are scanned for key words.

    The bad news is that listening in is just a matter of inserting your name or number into the database and accessing the recorded events.

    The good news is that very few events are listened to in real-time and odds are nobody will ever listen to them. Like memoirs of unimportant people that sit unread, collecting dust, and slowly moldering away. Cosmic rays, solar flares, random glitches and accidental deletions will degrade, eventually destroy, the files but this may take a billion years or more. Digital files are pretty robust if done right.

    The other good news is that in another hundred years a lot of this stuff will be available for historians. If you live long enough you may be able to hear the inner workings of W’s white house, complete with Cheney chewing off the wallpaper and screaming at the shadows in his mind in the background.

    Consider the detailed history of modern Russia or China. Historians have always wanted to have fly-on-the-wall access from multiple angles simultaneously to get an accurate time-line and something resembling an objective history. You are getting a lot closer to that ideal if you have universal access to all electronic communication. Something to look forward to.

  4. Curt Cameron says

    I see a big future for cryptographers as people seek ever more secure ways of protecting their date from the government.

    We already know how to protect our data securely: use modern encryption techniques and don’t give your keys away to anyone.

    That’s what I’ve heard from the case about Lavabit – I heard it was recently written about in the New Yorker. The government demanded that Ladar Levison, the owner, hand over the encryption keys to them and not tell anyone about it. He chose to close down Lavabit instead of comply, but you have to imagine that the government has done the same with publically-held companies who don’t have that option.

    So back to your statement, no encryption scheme ever devised will protect your data if you give the keys to “the man.”

Leave a Reply

Your email address will not be published. Required fields are marked *