The National Security Agency has secretly tapped into the fiber optic networks that connect Google and Yahoo’s global data centers, reports the Washington Post. According to documents leaked by former NSA contractor Edward Snowden and unnamed “knowledgeable officials,” this network interception allows the NSA to collect, “at will,” the communications and files of hundreds of millions of users, which likely includes many American citizens.
Wait – isn’t this old news, you ask? Nope. You’re thinking of PRISM, the program through which the NSA compelled a number of U.S.-based technology companies, including Google and Yahoo, to hand over users’ private data through the use of secret court orders issued by the Foreign Intelligence Surveillance Court. What we’re dealing with here is a whole different monkey – a program called MUSCULAR, which is allegedly a joint operation between the NSA and the U.K.’s intelligence agency, GCHQ.
Here’s how the whole thing works: Google and Yahoo both have data centers all over the world. These networks are used for internal communications and operations, but they are also connected to the larger Internet, and used to store and process data related to public accounts, like your Gmail emails or Flickr photos, for example. Multiple copies of your user data are often stored in these data centers, unencrypted, and passed back and forth between these so-called data “clouds.”
What the NSA has done through MUSCULAR is tap into links between these data centers that are located in foreign countries. According to the Post, the NSA claims to have the authority to assume that any data transferred in a foreign country is fair game for surveillance, thanks to an old executive order called 12333. The Post reports that, over a 30-day period, the NSA collected and processed 181,280,466 new records. Some of these records were metadata – the To, From, and Subject fields in an email, for instance – while other records included content, like emails, photos, files, and videos.
It is not known how much, if any, of Americans’ private data is collected by the NSA through MUSCULAR. In a statement to the press, an NSA spokesperson said it is “not true” that “we collect vast quantities of U.S. persons’ data from this type of collection.” The NSA also says that it does not use Executive Order 12333 to circumvent legal restrictions on the agency.
According to Washington Post reporter Brian Fung and Bloomberg reporter Trish Regan, NSA Director General Keith Alexander has refuted the Post’s report.
Neither Google nor Yahoo appears to have known about MUSCULAR. Google told the Post that it is “troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.”
“We have long been concerned about the possibility of this kind of snooping,” a Google spokesperson said, “which is why we continue to extend encryption across more and more Google services and links.”
Yahoo said in a response to the report: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”
The documents describing MUSCULAR include a hand-drawn diagram – adorned with a smiley face! – sketching out where and how the NSA intercepts Google’s data center communications. When the Post contacted two Google engineers about MUSCULAR, they reportedly “exploded in profanity” when they were shown the drawing.