Several months ago an NSA employee drew a diagram of how the spy agency could secretly hack into Google's data centers scattered around the world. It was hand-drawn on what appears to be a large Post-it note and showed how the NSA could circumvent Google's security and freely harvest millions of records, ranging from metadata about who sent or received emails to text, audio, and video content.
At the bottom of the diagram, a dotted line with an arrow points to the place where the public Internet connects with Google's cloud. An exclamation point and a smiley face are drawn next to the line, apparently an expression of pride in the scheme and the NSA's ability to surreptitiously hack Google's inner sanctum.
Now that the drawing and presentation about a secret data gathering program, codenamed MUSCULAR, have been outed by The Washington Post based on documents obtained by Edward Snowden. Google isn't smiling. Nor is Yahoo, which was also targeted by the NSA, or any other company that wants to instill confidence among its users that it will protect their privacy.
The NSA has denied that it is doing anything illegal. Gen. Keith Alexander, the director of the NSA, said the US government doesn't have access to Google or Yahoo servers.
"These are specific requirements that come from a court order, this is not NSA breaking into any databases," he said. "It would be illegal for us to do that."
In an email statement, an NSA spokeswoman further denied the substance of The Washington Post report:
NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post's assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true. The assertion that we collect vast quantities of U.S. persons' data from this type of collection is also not true. NSA applies Attorney General-approved processes to protect the privacy of U.S. persons - minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination. NSA is a foreign intelligence agency. And we're focused on discovering and developing intelligence about valid foreign intelligence targets only.
Unlike the PRISM project, which requires authorization under Section 702 of the Foreign Intelligence Surveillance Act and is overseen by the Foreign Intelligence Surveillance Court, the MUSCULAR program allegedly worked under the radar. According to The Washington Post report:
Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to "full take," "bulk access" and "high volume" operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.
David Drummond, Google's chief legal officer, expressed "outrage" over the revelations Wednesday.
"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide," Drummond said in a statement. "We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Yahoo didn't directly address the data harvesting of the MUSCULAR program. "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency," a spokesperson said.
Google is feeling the international impact of the NSA's spying activities in Brazil, which is home to some of the company's most active users. Due to disclosures that the NSA spying on world leaders, Brazilian lawmakers are proposing that Google and other online service providers maintain local-user information only in data centers within the country, rather than distributed and replicated within a company's global infrastructure. Google maintains that such a restriction would hamper the company's efforts to expand in the region.
Google is in the midst of encrypting data that flows among its data centers, but as the MUSCULAR program indicates, the NSA has a lot of technical firepower. "It's an arms race," Eric Grosse, vice president for security engineering at Google, said last month. "We see these government agencies as among the most skilled players in this game."
Google, Yahoo, and their brethren may be more motivated than ever to wipe the smile off the NSA's face.