The National Security Agency, in conjunction with England's NSA counterpart Government Communications Headquarters, has been secretly intercepting Google and Yahoo data transmissions around the world, according to a new analysis of the Snowden documents. The documents show how the two spy agencies can cooperate to send copies of customer records en masse to the NSA's data centers at Fort Meade. Intercepted records include email addresses, personal identities, and even the contents of private messages flowing between and among Americans and all other nationalities. The interceptions are within the bounds of current US law because they occur at points outside US soil.
The analysis was conducted by the Washington Post in consultation with Google and Yahoo employees. It lays out four plausible scenarios by which the agencies capture the private data of millions of customers. In the case of Google, the most likely scenario is that the agencies have tapped into fibers and cables connecting the company's privately owned or leased data centers in Chile, Ireland, Finland, Belgium, Taiwan, Hong Kong, Singapore and others. This takes advantage of Executive Order 12333, which gives the NSA the legal right to conduct digital surveillance overseas. It is much broader in scope than PRISM, the spy initiative which under the Foreign Intelligence Surveillance Act gives the NSA the latitude to collect data inside the US but must be filtered by no more than a few tens of thousands of keywords.
MUSCULAR, as the newly revealed operation is code-named, targets Google and Yahoo mainly because they are efficient sources of mass data interception. The two companies generally rely on privately owned or exclusively leased fibers and cables for the sake of security. In addition to tapping those conduits, other likely methods through which the NSA intercepts customer data include having England's GCHQ legally force third-party fiber and cable operators acting on behalf of their client companies to deliver records to the NSA; infiltrating shared Internet exchange centers; and infiltrating shared data centers.
In response to the revelations over the past year or so that the NSA's spy efforts are astronomically much broader in scope than previously understood, Google has been fast working to encrypt all of its international data center links. The company was not pleased to hear of MUSCULAR: When the WaPo reporter showed two employees a hand-drawn diagram of a possible interception point at Google's front-end servers, they "exploded in profanity." To add insult to the injury of learning they'd been bested by the government, the drawing included a smug little smiley face. "I hope you publish this," one employee fumed.
The news reveals an ever broadening scope by the NSA to spy on all people, and data isn't getting more secure overall. Yahoo did not say it was working to encrypt its own data center links. Google's American data centers are still subject to legally forced customer data surrender, and zombie bill CISPA is still trying to cement and institutionalize data sharing partnerships between large telecommunications companies and government agencies.
SOURCE: Washington Post