WASHINGTON — The National Security Agency and its British counterpart have apparently tapped the fiber-optic cables connecting Google’s and Yahoo’s overseas servers and are copying vast amounts of e-mail and other information, according to accounts of documents leaked by former agency contractor Edward J. Snowden.
In partnership with the British agency known as Government Communications Headquarters, the NSA has apparently taken advantage of the vast amounts of data stored in and traveling among global data centers, which run all modern online computing, according to a report Wednesday by The Washington Post. NSA collection activities abroad face fewer legal restrictions and less oversight than its actions in the United States.
Google and Yahoo said Wednesday that they were unaware of government accessing of their data links. Sarah Meron, a Yahoo spokeswoman, said that the company had not cooperated with any government agency for such interception, and David Drummond, Google’s chief legal officer, expressed outrage.
“We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links,” Drummond said in a statement. “We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
In a statement, the NSA did not directly address the claim that it had penetrated the companies’ overseas data links. But it emphasized that it was focused on “foreign” intelligence collection — not domestic — and pushed back against the notion that it was collecting abroad to “get around” legal limits imposed by domestic surveillance laws. It also said it was “not true” that it collects “vast quantities” of Americans’ data using that method.
Companies like Google that operate Internet services — including e-mail, online document and photo storage, and search queries — send huge amounts of data through fiber-optic lines between their data centers around the world. Those data centers are kept highly secure using heat-sensitive cameras and biometric authentication, and companies believed the data flowing among centers was secure. But Google said last month that it began the process of encrypting this internal traffic before reports of NSA spying leaked during the summer and accelerated the effort since then. Google security executives were suspicious that outside parties, like governments, could tap into the cables but did not have hard evidence that the spying was occurring, according to three people briefed on Google’s security efforts who spoke on condition of anonymity.
The NSA could physically install a device that clips on the cable and listens to electric signals or insert a splitter in the cable through which data would travel, said Nicholas McKeown, an expert in computer networking and a professor at Stanford. Or, he said, someone with remote login access to the cable’s switch or router could also redirect data flowing through the cables.
Level 3 is a company that provides these cables for Google, according to a person briefed on Google’s infrastructure who was not authorized to speak publicly.
In a statement, Level 3 said: “We comply with the laws in each country where we operate. In general, governments that seek assistance in law enforcement or security investigations prohibit disclosure of the assistance provided.”
In July, the company denied a German television report that it had cooperated with US intelligence agencies to spy on German citizens using its network.
The New York Times reported in September that for at least three years, the British agency had been working to gain access to traffic in and out of data centers operated by Google, Yahoo, Facebook, and Microsoft’s Hotmail. The program, described as having been developed in close collaboration with the NSA, was said to have achieved “new access opportunities” into Google’s systems by 2012, according to Government Communications Headquarters documents provided by Snowden. But it was not clear what that meant.
The Post said that under a system code-named MUSCULAR, the agency was storing data taken in from the interception in a rolling three- to five-day “buffer,” during which the two agencies decoded it and filtered out information they wanted to keep.
It also reported that the NSA was using about 100,000 “selectors” as its search term filters — more than twice as many, it said, as the agency has been using from its Prism program inside the United States. In that program, the agency collects e-mails, search queries, and other online activity of foreigners abroad from Google, Yahoo, and other companies through a court-approved process authorized by the FISA Amendments Act of 2008.
The British agency’s documents obtained from Snowden by The Guardian newspaper and shared with The Times reveal an intense focus over several years by British spies on the development of MUSCULAR and a closely related project code-named INCENSER. The documents suggest that both programs are to a large extent driven by NSA intelligence needs and are highly prized by the Americans.
In November 2010, the British wrote that “MUSCULAR/INCENSER has significantly enhanced the amount of benefit that the NSA derive from our special source accesses.” Those projects in some cases provide data that are unavailable from any other source, one document said, “highlighting the unique contribution we are now making to NSA, providing insights into some of their highest priority targets.”
In its article, the Post described a January document as saying that the NSA’s headquarters in Fort Meade, Md., was taking in more than 180 million records a month from the project. It also reported that briefing documents said collection from Yahoo and Google had produced important intelligence leads against hostile foreign governments.
The Post published an NSA slide labeled “Current efforts — Google” with a hand-drawn sketch showing that traffic flowed between Google’s data centers in “clear text,” because encryption was added only at the front-end server that interfaced with users’ computers and mobile devices. This notation included a smiley face.
The Post also published speaker notes from a presentation about MUSCULAR. It included a reference to a February proposal to stop collecting Yahoo e-mail account archives flowing through what it describes as a “lucrative” access point on what is apparently a fiber-optic cable linking Yahoo’s overseas servers and its servers on US soil.
As the Post published its story, the director of the NSA, General Keith B. Alexander, was being interviewed at a cybersecurity conference. He flatly denied a slightly garbled account of the Post story as “factually inaccurate,” but it was not clear that he understood the Post was reporting infiltration of data links between overseas servers.