Mashable

New Snowden Leak: NSA Tapped Google, Yahoo Data Centers

The NSA has been secretly collecting data directly from Google's and Yahoo's data centers by tapping into the links connecting the giant servers around the world, according to newly published documents leaked by Edward Snowden.

The spy agency, with the aid of its UK counterpart, the GCHQ, operates a program codenamed MUSCULAR that can reportedly collect content and metadata directly from the privately owned fiber-optic cables that connect the companies' data centers, as first reported by The Washington Post on Wednesday.

MUSCULAR appears to work separately from PRISM, the top-secret program that allows the NSA and the GCHQ to access data from nine tech giants through court orders. With MUSCULAR, the NSA and the GCHQ seem to have found a back door into the private networks that link Google's and Yahoo's data centers.

The NSA seems to be exploiting a weak link in the companies' infrastructure, where the front-end servers, which receive data from Google and Yahoo users, connect with the companies' "private clouds" of data centers. (A graphic by The Washington Post lays out this infrastructure.)

Google had previously announced it would encrypt data moved among its data centers. Yahoo doesn't employ this kind of encryption.

The two companies released statements to The Post in which they denied giving the NSA access to their servers.

The scale of the program isn't currently clear, but a leaked document dated Jan. 9, 2013, cited in The Washington Post article, says that the NSA had collected 181,280,466 records in the preceding 30 days. And another document describes the access as "full take," "bulk access" and "high volume."

The story broke while NSA chief Gen. Keith Alexander was at a cybersecurity conference in Washington, D.C. Asked about the latest scoop, Alexander denied the report.

"This is not NSA breaking into any databases. It would be illegal for us to do that. And so I don’t know what the report is, but I can tell you factually we do not have access to Google servers, Yahoo servers," he told Bloomberg Television.

His denial, however, appears to some to be carefully crafted to avoid addressing the actual allegations made in The Post's article. In response to Alexander's denial, Ashkan Soltani, an independent privacy and security researcher who wrote the story along with Barton Gellman, tweeted: "Clarification: 'tapping private links' isn't the same as 'hacking private servers.' You can deny one while still doing the other."

UPDATE, Wednesday, Oct. 30, 7:04 p.m. ET: The Washington Post published a carefully worded statement the NSA has since made in response to this report. It reads:

“NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true. The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true. NSA applies Attorney General-approved processes to protect the privacy of U.S. persons — minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination. NSA is a foreign intelligence agency. And we’re focused on discovering and developing intelligence about valid foreign intelligence targets only.”

Image: Jim Watson/AFP/Getty Images
