NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge

from the muscular dept

Early on with the Snowden documents there had been significant disagreement over the kind of "access" the NSA had to systems at the various big tech companies -- all of which denied the kind of "direct access" that was being reported (unlike the telcos, which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man-in-the-middle attacks on Google's and others' servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates the links between Yahoo's and Google's servers without their knowledge, under a program called MUSCULAR (they're not subtle with their code names, are they?).
The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.
There's even this wacky hand-drawn diagram:
There's some evidence that Google figured this out earlier. You may remember that there were reports back in September that Google had been scrambling to encrypt the information flowing between data centers, which is exactly where the NSA hit them. It looks like someone at Google figured out what the NSA was likely doing soon after the original Snowden news broke. Not surprisingly, people at these companies are not happy about this news. When the reporters spoke to "two engineers with close ties to Google," they note that the engineers "exploded in profanity" and urged the reporters to publish that drawing above to expose the NSA.

Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:
According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.
It also appears that the way that the NSA is claiming this is "legal" is by only breaking into the Yahoo and Google datacenters that are outside the US, where there's significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 -- which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program -- which explains the "not under this program" language they often use around questions on 215 and 702 data collections.

The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA's Keith Alexander) about "cybersecurity" attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself.

Filed Under: data centers, encryption, executive order 12333, hacking, nsa, nsa surveillance, violations
Companies: google, yahoo

Reader Comments


  1. Khaim (profile), 30 Oct 2013 @ 2:56pm

    Re: Other services

    This kind of network attack only really affects major players like Google. Sites like Slashdot or Dailykos or Harvard are either single-homed (all in one datacenter), or communicate through known insecure lines.

    The reason this attack was so effective against Google is that Google owns the fiber connecting its major datacenters. So Google assumed those links were inherently secure, and didn't encrypt the traffic. Clearly this was wrong. To Google's credit, they started encrypting these links earlier this year.
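The comment above and the article's call to "encrypt those weak points" come down to one design rule: a link is not trustworthy because you own the fiber it runs on. The following Go program is an added example, not code from Techdirt, the commenter, Google or Yahoo. It simulates a replication stream between two data centers over an in-memory pipe with a passive tap on it, once as bare plaintext and once wrapped in mutual TLS 1.3, and then checks whether the tap captured any record in the clear. The data-center names (`dc-west.internal`, `dc-east.internal`), the sample records and the self-signed certificates are all constructed for the example; a real deployment would issue the link certificates from an internal CA rather than self-signing them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"sync"
	"time"
)

// Constructed sample replication records of the kind that would cross an
// inter-datacenter link; the addresses and contents are invented.
var sampleRecords = []string{
	"mail-meta from=alice@example.test to=bob@example.test ts=2013-01-09T10:00:00Z",
	"mail-body id=42 text=\"quarterly numbers attached\"",
}

// tapConn copies every byte written through it into a shared buffer, standing
// in for a passive tap on the fiber between two data centers.
type tapConn struct {
	net.Conn
	tap *bytes.Buffer
	mu  *sync.Mutex
}

func (t *tapConn) Write(b []byte) (int, error) {
	t.mu.Lock()
	t.tap.Write(b)
	t.mu.Unlock()
	return t.Conn.Write(b)
}

// selfSignedCert issues a self-signed certificate for one data center (an
// assumption made to keep the example offline; use an internal CA in practice).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// replicate pushes records from west to east over an in-memory link and returns
// what east received plus everything the tap captured. With encrypted=false the
// link is a bare pipe, the way an owned fiber was treated; with encrypted=true
// both ends authenticate each other with mutual TLS 1.3 before any record moves.
func replicate(encrypted bool, records []string) (received string, tapped []byte, err error) {
	west, east := net.Pipe()
	tap := &bytes.Buffer{}
	var mu sync.Mutex
	var src, dst net.Conn = &tapConn{west, tap, &mu}, &tapConn{east, tap, &mu}
	if encrypted {
		westCert, westLeaf, err := selfSignedCert("dc-west.internal")
		if err != nil {
			return "", nil, err
		}
		eastCert, eastLeaf, err := selfSignedCert("dc-east.internal")
		if err != nil {
			return "", nil, err
		}
		trustEast, trustWest := x509.NewCertPool(), x509.NewCertPool()
		trustEast.AddCert(eastLeaf)
		trustWest.AddCert(westLeaf)
		src = tls.Client(src, &tls.Config{
			Certificates: []tls.Certificate{westCert}, RootCAs: trustEast,
			ServerName: "dc-east.internal", MinVersion: tls.VersionTLS13,
		})
		dst = tls.Server(dst, &tls.Config{
			Certificates: []tls.Certificate{eastCert}, ClientCAs: trustWest,
			ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13,
			SessionTicketsDisabled: true, // net.Pipe is unbuffered; avoid a post-handshake server write
		})
	}
	var got bytes.Buffer
	done := make(chan error, 1)
	go func() { _, e := io.Copy(&got, dst); done <- e }()
	for _, r := range records {
		if _, err := fmt.Fprintln(src, r); err != nil {
			return "", nil, err
		}
	}
	src.Close() // on the TLS link this also sends close_notify, so east sees a clean EOF
	if err := <-done; err != nil {
		return "", nil, err
	}
	mu.Lock()
	defer mu.Unlock()
	return got.String(), append([]byte(nil), tap.Bytes()...), nil
}

// tapLeaksRecord reports whether the captured bytes contain a record in clear.
func tapLeaksRecord(tapped []byte, record string) bool {
	return bytes.Contains(tapped, []byte(record))
}

func main() {
	for _, enc := range []bool{false, true} {
		got, tapped, err := replicate(enc, sampleRecords)
		if err != nil {
			panic(err)
		}
		fmt.Printf("encrypted=%v delivered=%d records; tap sees plaintext=%v (%d bytes captured)\n",
			enc, strings.Count(got, "\n"), tapLeaksRecord(tapped, sampleRecords[0]), len(tapped))
	}
}
```

Both runs deliver the same two records to the far end; the difference is only what the tap gets. Mutual authentication matters as much as encryption here: `RequireAndVerifyClientCert` plus a pinned trust pool on each side means a device spliced into the link cannot impersonate either data center, which is the property that turns a passive-tap problem into a key-management problem the operator controls.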
