The National Security Agency is fed internal information from Google and Yahoo’s private networks by British counterpart GCHQ, which intercepts communications traveling between company data centers based in Britain.
Documents supplied by former NSA contractor Edward Snowden and reported by The Washington Post last Wednesday showed how the NSA and GCHQ work together to intercept private links that connect Google and Yahoo global data centers. On Monday, The Post added new background and details of a program known as “MUSCULAR” to its previous report to paint a more succinct picture of how the spy agencies access these supposedly protected data links.
For instance, The Post begins by pointing out the reaction to the previous story from NSA Director Keith Alexander, who said prior to reading the report that “I can tell you factually we do not have access to Google servers, Yahoo servers.” The Post points out that the previous story did not mention access to servers, but rather reported that the NSA intercepts information as it passes between private data centers through private fiber-optic cables.
In his first comments on the report, Alexander also said, “We go through a court order. We issue that court order to them through the FBI,” a likely reference to the PRISM program. PRISM, first revealed in June, is known to Google and Yahoo – among other companies – and allows the NSA to legally compel them to turn over customer information through authorization of the Foreign Intelligence Surveillance Court (FISC).
But, again, this is not what The Post reported last week. GCHQ is responsible for gaining access to these internal information streams within British territory, thus allowing the NSA to avoid bothering with FISC authorization and other domestic guidelines.
In Monday’s follow-up, The Post likened the internet to an “international highway system that anyone can use,” and the companies’ data center links to a system of privately owned highways: thousands of miles of fiber-optic cable used only by those companies.
Security experts queried by The Post pointed to information found in the Snowden documents that shows the NSA and GCHQ acquired unencrypted data that companies like Google and Yahoo would never allow out into the public internet, thus suggesting internal “cloud” access.
“This is not traffic you would encounter outside of Google’s internal network,” said one of the experts, who added that one slide in the document trove exhibited a data format “only used on and between Google machines. And, also as far as I know, Google doesn’t publish their binary RPC (remote procedure call) protocol, which is what this resembles.”
RPC is used when a data server must confirm that it is sharing with another. The author of the slide showing this information confirmed that the captured data was “internal server-to-server authentication,” The Post reported, which should not be seen outside of network systems, according to experts.
The NSA also developed Google-specific “protocol handlers” to sort through proprietary information and separate what it wanted to keep from what it did not.
Bulk collection of the kind performed in the MUSCULAR program, which is run by GCHQ and fed to the NSA, is illegal in the United States. Thus, GCHQ heads the operation.
“Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to ‘full take,’ ‘bulk access’ and ‘high volume’ operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner,” The Post reported last week.
Since the initial report, the NSA has insisted that it does not use executive authority vested in intelligence agencies to collect data while avoiding the FISC.
“The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and [FISA Amendments Act] 702 is not true,” an NSA spokesperson said last week. “The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true.”