SAN FRANCISCO — The recent revelation that the National Security Agency was able to eavesdrop on the communications of Google and Yahoo users without breaking into either companies’ data centers sounded like something pulled from a Robert Ludlum spy thriller.
How on earth, the companies asked, did the NSA get their data without them knowing about it?
The most likely answer is a modern spin on a century-old eavesdropping tradition.
People knowledgeable about Google and Yahoo’s infrastructure say they believe that government spies bypassed the big Internet companies and hit them at a weak spot — the fiber-optic cables that connect data centers around the world that are owned by such companies as Verizon Communications, the BT Group, the Vodafone Group and Level 3 Communications. In particular, fingers have been pointed at Level 3, the world’s largest so-called Internet backbone provider, whose cables are used by Google and Yahoo.
The Internet companies’ data centers are locked down with full-time security and state-of-the-art surveillance, including heat sensors and iris scanners. But between the data centers — on Level 3’s fiber-optic cables that connected those massive computer farms — information was unencrypted and an easier target for government intercept efforts, according to three people with knowledge of Google’s and Yahoo’s systems who spoke on the condition of anonymity.
It is impossible to say for certain how the NSA managed to get Google and Yahoo’s data without the companies’ knowledge. But both companies, in response to concerns over those vulnerabilities, recently said they were now encrypting data that runs on the cables between their data centers. Microsoft is considering a similar move.
“Everyone was so focused on the NSA secretly getting access to the front door that there was an assumption they weren’t going behind the companies’ backs and tapping data through the back door, too,” said Kevin Werbach, an associate professor at the Wharton School.
Data transmission lines have a long history of being tapped.
As far back as the days of the telegraph, spy agencies have located their operations in proximity to communications companies. Before the advent of the Internet, the NSA and its predecessors for decades operated listening posts next to the long-distance lines of phone companies to monitor international voice traffic.
In the 1990s, the emergence of the Internet both complicated the task of the intelligence agencies and presented powerful new spying opportunities based on the ability to process vast amounts of computer data.
Level 3 did not directly respond to an inquiry about whether it had given the NSA access to Google and Yahoo’s data. In a statement, Level 3 said: “It is our policy and our practice to comply with laws in every country where we operate, and to provide government agencies access to customer data only when we are compelled to do so by the laws in the country where the data is located.”
Security experts say that regardless of whether Level 3’s participation is voluntary or not, recent NSA disclosures make clear that even when Google and Yahoo do not hand over data, the NSA and its intelligence partners can simply gather their data downstream.