WTF, NSA? Tech giants vent spy fury
Google and Yahoo!, two of the world's biggest technology companies, reacted angrily to a report this week that the United States's National Security Agency has secretly intercepted the main communication links that carry their users' data around the world.
Citing documents obtained from former NSA contractor Edward Snowden and interviews with officials, the Washington Post claimed the agency could collect information "at will" from among hundreds of millions of user accounts.
The documents suggest that the NSA, in partnership with its British counterpart, the Government Communications Headquarters (GCHQ), is copying large amounts of data as it flows across fibre-optic cables that carry information between the worldwide data centres of the Silicon Valley giants. The intelligence activities of the NSA outside the US are subject to fewer legal constraints than its domestic actions.
The story is likely to put further strain on the already difficult relations between the technology firms and Washington. The internet giants are furious about the damage done to their reputation in the wake of Snowden's revelations.
Google's chief legal officer, David Drummond, said the company was "outraged" by the latest revelations.
"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links," he said.
"We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fibre networks, and it underscores the need for urgent reform."
Yahoo! said: "We have strict controls in place to protect the security of our data centres, and we have not given access to our data centres to the NSA or to any other government agency."
According to a top-secret document cited by the Post and dated January 9 2013, millions of records a day are sent from Yahoo! and Google internal networks to NSA data warehouses at the agency's headquarters in Fort Meade, Maryland. The types of information sent range from "metadata", indicating who sent or received emails, the subject line and where and when, to content such as text, audio and video.
The Post's documents state that in the preceding 30 days field collectors had processed and sent on 181280466 new records.
Internet firms go to great lengths to protect their data. But the NSA documents published by the Post appear to boast about their ability to circumvent those protections. In one presentation slide, on "Google Cloud Exploitation", published by the Post, an artist has added a smiley face, in apparent celebration of the NSA's victory over Google security systems.
The newspaper said that the interception took place on the cables that connect the internet giants' data centres. The New York Times reported that one of the companies that provides such cables for Google was Level 3. It said in a statement: "We comply with the laws in each country where we operate. In general, governments that seek assistance in law enforcement or security investigations prohibit disclosure of the assistance provided."
In its report the Post suggested the intercept project was codenamed Muscular, but the Guardian understands from other documents provided by Snowden that the term instead refers to the system that enables the initial processing of information gathered from NSA or GCHQ cable taps.
The data outputted from Muscular is then forwarded to NSA or GCHQ databases, or systems such as the XKeyscore search tool.
The Post said that by collecting the data overseas the NSA is able to circumvent the legal restrictions that prevent it from accessing the communications of people who live in the United States, and that it falls instead under an executive order, signed by the president, that authorises foreign intelligence operations.
In response, the NSA specifically denied that it used the presidential order to circumvent the restrictions on domestic spying, though the agency said nothing about the rest of the story.
Its statement said, in full: "NSA has multiple authorities that it uses to accomplish its mission, which is centred on defending the nation. The Washington Post's assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true. "The assertion that we collect vast quantities of US persons' data from this type of collection is also not true. NSA applies attorney general-approved processes to protect the privacy of US persons – minimising the likelihood of their information in our targeting, collection, processing, exploitation, retention and dissemination.
"NSA is a foreign intelligence agency. And we're focused on discovering and developing intelligence about valid foreign intelligence targets only."
A GCHQ spokesperson said: "We are aware of the story but we don't have any comment."
The NSA statement was much more narrowly drawn than the initial response by the agency's director, General Keith Alexander, who issued an immediate denial as the Post story broke this week.
The latest disclosures may shed new light on a reference in a GCHQ document, first reported in September by the Guardian, the New York Times and ProPublica. As part of its efforts with the NSA to defeat internet encryption, GCHQ, the 2012 document said, was working on developing ways into the major webmail providers, including Google and Yahoo! It added that "work has predominantly been focused this quarter on Google due to new access opportunities being developed".
Other documents provided to the Guardian by Snowden suggest that GCHQ's work on Muscular, and a related tool called Incensor, is regarded as particularly valuable by the NSA, providing intelligence that is not available from other sources.
"Muscular/Incensor has significantly enhanced the amount of benefit that the NSA derives from our special source access," one 2010 GCHQ document notes. It adds that this highlights "the unique contribution we are now making to NSA, providing insights into some of their highest priority targets".
Relations between the tech companies and the government are already strained over the Snowden revelations. In September Facebook co-founder Mark Zuckerberg said the government has done a "bad job" of balancing people's privacy. "Frankly, I think the government blew it," he said.
Google will be able to confront surveillance questions before a legislative panel this month. Two senators who are backing a Bill to compel the government to provide more transparency about bulk surveillance said the internet giant will attend a Senate hearing on November 13. – © Guardian News & Media 2013