The National Security Agency is tapping into the global data centers maintained by Yahoo and Google, according to new documents revealed today detailing a global intelligence gathering operation that bypasses U.S. oversight authority to gain unfettered access to secure Internet communications.
The Washington Post reported Wednesday that the NSA, working with its British counterpart the Government Communications Headquarters (GCHQ), has the ability to access data hundreds of millions of accounts, including communication encrypted by Google. In a top secret accounting obtained by the Post dated Jan. 9, 2013, during a 30-day period, the field collectors had processed more than 181 million new records ranging from the sender and receiver of emails to text, audio and video files.
The surveillance project is called Muscular, according to the Post, and includes undisclosed interception points where the data flows between the Yahoo and Google data centers. Those data centers are located on four continents. The Post cited from documents it said it obtained from NSA contractor Edward Snowden and interviews with "knowledgeable officials."
NSA surveillance activities surfaced following reports by The Washington Post and the Guardian newspaper about the agency's Prism data collection program. The program has put pressure on U.S. technology firms to increase transparency about the data they are required to disclose as a result of government requests under the program. Other leaked documents detailed a widely implemented encryption algorithm that potentially gave the NSA backdoor access capabilities. Another leak brought to light a collaborative effort between Microsoft and the government to potentially enable backdoor access into software to view customer data.
A Yahoo spokesperson issued a statement to CRN about the latest disclosure, denying knowledge of the Muscular project. "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency," the spokesperson said in an email.
In a Google statement released to CRN, David Drummond, Google's chief legal officer, said the company has deployed encryption because it has long been concerned about the possibility of this kind of snooping. "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” Drummond said in an email. "We do not provide any government, including the U.S. government, with access to our systems."
Security experts told CRN they fear the apparent extent of the NSA's broad surveillance activities could have a negative impact on U.S. technology providers. The Muscular project is different than the Prism program because the agencies are using taps outside U.S. territory where the Foreign Intelligence Surveillance Court has no jurisdiction. In the U.S., the NSA gains access to user accounts through the FISC.
"Google and Yahoo will take a hit in the court of public opinion, despite their insistence that the data collection occurred without their knowledge," said Michael Sutton, vice president of research at cloud security vendor Zscaler. "The scope of the Muscular project and the fact that it blatantly leverages loopholes in the legal system is particularly concerning."
NEXT: How Will The Fallout Affect Cloud Providers?