Login

NSA secretly taps into Google, Yahoo networks to collect information, say leaked documents

via www.washingtonpost.com

The NSA intercepts millions of pieces of Google and Yahoo user information each day by tapping into the links between servers, The Washington Post reports. According to documents leaked by Edward Snowden, the agency secretly exploits the data links in Google and Yahoo's global networks through a project called MUSCULAR, allegedly operated jointly with the GCHQ (which was accused earlier this year of snagging data from fiber optic cables). A January 9th document says that in the preceding 30 days, collectors had processed over 181 million pieces of information, including both metadata and the actual contents of communications.

Google is "troubled" by the allegations

The government can already request information from phone or data through the FISA Amendments Act, but this data collection would ostensibly take place without Google and Yahoo even being aware of it. Google told the Post that it had not known about the collection and was "troubled by allegations of the government intercepting traffic between our data centers." Sources close to Google reportedly "exploded in profanity" when shown the drawing above, saying "I hope you publish this." At the time of the initial revelations about PRISM's internet-monitoring capabilities, one slide suggested direct data collection from servers.

The collection alleged by the Post is made possible by the fact that data is sent through servers around the world, connected by dedicated fiber optic cables that may not be encrypted. Google revealed in September that it was working to encrypt information moving between data centers, however Yahoo hasn't announced a similar intention. The NSA may prefer this method in that it would facilitate data collection without the knowledge of the companies it's collecting it from.

"We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform," David Drummond, Google's chief legal officer, tells The Verge in a statement. Drummond also says that Google does not provide any government with access to its servers. In a statement, a Yahoo spokesperson tells us the same thing: "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."

The data is reportedly being collected primarily from Google and Yahoo's cloud servers, which are generally hosting redundancies of existing information. Because the information isn't brand new, the Post reports that one NSA slide describes the collection as being akin to taking "a retrospective look at target activity." The NSA's collection seemingly occurs as encryption is removed while the data enters Google's servers, as the agency illustrates with a smiley face in the slide above.

The NSA's head says the leak isn't accurate

NSA head Keith Alexander said that the new allegations weren't accurate while speaking in an interview immediately following the leaks. "Not to my knowledge, that's never happened," Alexander says, according to Washington Post reporter Brian Fung. Bloomberg TV anchor Trish Regan quotes him as saying explicitly that the allegations are "not true."

Alexander also said that the leaks at large aren't revealing anything that isn't justifiable. "None of this shows that [the] NSA is doing something illegal, or that it has not been asked to do," he said during the interview. "It's legal, it's necessary, and it's authorized in every case." The Post notes that data collection occurring overseas isn't constrained by the same rules that govern domestic surveillance, potentially allowing the NSA to collect information on Americans as well.

Though Alexander says that the NSA's practices are legal, the Post reports that a similar style of data collection to what's used in MUSCULAR was previously found to be illegal when performed inside of a US territory. The ruling reportedly comes from the Foreign Intelligence Surveillance Court in 2011, which found that such data collection was illegal under the Foreign Intelligence Surveillance Act and that it didn't meet the requirements of the Fourth Amendment. With this new collection occurring around the world, however, it's possible that the NSA isn't bound to the ruling.

Update: The leaked slides have surfaced, which show the program in further detail. According to the slides, the NSA was pulling roughly 15 GB per day from the Yahoo network, but considered the data of poor quality. Internal analysts had also objected to the program, saying the small intelligence value "does not justify the sheer volume of collection."

Update 2: Speaking to Politico, NSA director Keith Alexander has taken issue with the Washington Post article, saying that to his knowledge, the NSA does not directly access Google's data centers and, "the assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true." The statements stop short of a full denial, not addressing whether the NSA gained unauthorized access to internal networks at Google or Yahoo outside of company data centers.

Update 3: In a statement, Google's chief legal officer, David Drummond, tells us that it's been addressing these issues by extending encryption across its network. The full statement is available below, while an excerpt of it has been added into the article above.

We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.

Jacob Kastrenakes contributed to this report. This article has been updated to include statements from Yahoo and Google.

The Verge
X
Log In Sign Up

forgot?
Log In Sign Up

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

Spinner

Authenticating

Great!

Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.