The National Security Agency collaborates with British intelligence to tap directly into the private data clouds of Google and Yahoo which store the information of both U.S. citizens and those abroad.
According to the Washington Post, leaked documents obtained from former intelligence contractor Edward Snowden reveal that unbeknownst to the two American tech companies, the NSA has backdoor access to their servers.
The NSA’s infiltration of a company’s cloud exploits the structure of their massive server networks: Information from the “public Internet” as the NSA calls it, is sent from browsers and devices to front end servers. Those servers then send the information to a network of private servers owned by the company and presumably accessible only to them. Those servers are linked together to form a private data storage cloud. Inside this cloud, user information is readily passed between servers.
The surveillance program, known as MUSCULAR, exploits these links between front end and private servers. Once data is collected, it is apparently scanned, and relevant information is kept while the rest of the data is discarded. The slides use words like “full take” to describe the amount of data collected, which ranges from metadata to text to photos to videos.
Though the Post does not detail exactly how this exploitation works, an agency slide published by the paper depicts a hand-drawn schematic of Google’s public and private servers with an arrow point to the public server and stating, “[Encryption] added and removed here :-)”
After seeing the slide, an engineer with close ties to Google apparently told the paper, “I hope you publish this.”
In response to the allegations of backdoor spying by the agency, both Google and Yahoo said they had not given any government agency permission to access their servers.
Back in June, both the Washington Post and the Guardian reported that through a program known as PRISM, the NSA had used secret court orders to compel Google, Facebook, Yahoo, Microsoft and other Silicon Valley tech giants to turn over user data. In that case, the companies were aware of the spying but forced by gag orders not to disclose it. In the case of MUSCULAR, the companies appear to be caught entirely off guard.
As the Post points out, it is unclear how American information the agency collects or shares with its partner in the venture, the British intelligence agency U.K. Government Communications Headquarters. However, one slide apparently indicated that in a one month period the agency processed more than 180 million new pieces of information.
Because the data servers exploited by MUSCULAR are kept overseas, the Post notes that the NSA is likely to be technically within the law in tapping them.
Photo by arthur-caranta/Flickr