Fiber-optic cable taps, not clandestine agreements with big cloud data users like Google and Yahoo, may have given the NSA its treasure-trove access to internet traffic, insiders suspect, with the government agency potentially targeting interconnects rather than data centers themselves. While data centers are heavily secured, the fiber-optic cable links between them are traditionally unencrypted, sources familiar with Google and Yahoo infrastructure told the NYTimes, fingering Level 3 Communications as the most likely target for NSA attention.
Level 3 provides the fiber-optic links that both Google and Yahoo use, though it’s not the only company responsible for such infrastructure. Verizon Communications, the BT Group, and the Vodafone Group are all similarly involved, but Level 3 is perhaps the largest player in the US market, with networking hardware in 200 US data centers alone.
Gag orders and other routes to forced anonymity mean that hosting companies and networking providers are unwilling or unable to comment on how the NSA monitors data. However, one possibility, the latest sources suggest, is that the federal agency simply monitors what data passes between the centers used, rather than collecting it at the centers themselves.
Neither Google nor Yahoo have detailed their suspicions, though both have been vocal in their protestations that they do not actively hand over data to the NSA. However, they’re still subject to so-called FISA requests for disclosure, though each company has petitioned the US government for the freedom to reveal exactly how many such requests are submitted each year.
Google and Microsoft have even joined forces to sue the US government for greater freedom to disclose such statistics.
Leaks provided by whistleblower Edward Snowden suggested that Google and Yahoo had been targeted in a join operation by the NSA and its UK counterpart, GCHQ, with the US agency taking advantage of greater legal flexibility around gathering internet data about US citizens when done outside of the country itself. GCHQ, so the leaks suggested, bundled up packages of data collected internationally, and then shared them with the NSA as part of anti-terrorism efforts.
Still unclear is whether providers like Level 3 are willing or unwilling participants. The company would not comment specifically on the allegations, instead giving a more general statement to the effect that it is bound by the disclosure laws of the countries it operates within.
“It is our policy and our practice to comply with laws in every country where we operate,” a Level 3 spokesperson said, “and to provide government agencies access to customer data only when we are compelled to do so by the laws in the country where the data is located.”
Similar obligation has been admitted by Verizon Communications, with CEO Lowell McAdam pointing out that “at the end of the day, if the Justice Department shows up at your door, you have to comply.”
Since the initial revelations about PRISM, both Google and Yahoo have announced plans to encrypt all data passed between their respective data centers. “It’s an arms race” Eric Grosse, vice president for security engineering at Google, suggested, confirming that the search giant had accelerated existing encryption plans in the aftermath of the exposure.