The NSA has secretly tapped into the private fiber-optic networks that connect Google's and Yahoo's worldwide data centers, allowing the spy agency to suck up "at will" metadata and content belonging to users of the companies' services, according to The Washington Post.
Under a program called MUSCULAR -- a joint project with British NSA counterpart the GCHQ -- the NSA takes advantage of overseas taps to intercept data flowing within Google's and Yahoo's geographically distributed data "clouds," where multiple copies of user data are stored unencrypted, the Post reports. The article cites documents leaked by former NSA contractor Edward Snowden, as well as unnamed "knowledgeable officials."
Such data might include, for example, information in Gmail accounts or in Google Drive files.
The hundreds of millions of user accounts that are thus accessible to the NSA include many belonging to Americans, but the offshore taps allow the agency to presume the users are foreign and to sidestep the restrictions placed on domestic surveillance by the Foreign Intelligence Surveillance Act, the Post reports.
Through another program, revealed earlier this year and referred to in reports as PRISM, the NSA can -- given approval by the FISA court, and under Section 702 of the act -- compel tech companies to hand over certain user data.
In a statement to the Post, Google said it was "troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity."
Google added, in an e-mail to CNET, "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Yahoo told the Post: "We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."
And the paper said, "White House officials and the Office of the Director of National Intelligence, which oversees the NSA, declined to confirm, deny or explain why the agency infiltrates Google and Yahoo networks overseas."
Blog Politico reports that NSA Director Keith Alexander was asked about the Post report while speaking at a cybersecurity summit. Queried on whether the NSA tapped the data centers, Alexander replied, "Not to my knowledge," Politico said. (Note: Wired's Kim Zetter later tweeted that the question Alexander answered was, Did NSA get into Google databases?)
(And another note: In an update note below, we've added the relevant section of a transcript of Alexander's remarks at the cybersecurity summit.)
Update, 11:35 a.m. PT: The NSA provided the following statement:
NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post's assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true. The assertion that we collect vast quantities of U.S. persons' data from this type of collection is also not true. NSA applies Attorney General-approved processes to protect the privacy of U.S. persons -- minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination. NSA is a foreign intelligence agency. And we're focused on discovering and developing intelligence about valid foreign intelligence targets only.
Update, 11:47 a.m. PT: Adds mention of PRISM.
Update, 12:58 p.m. PT: Adds mention of Zetter's tweet regarding question put to Alexander.
Update, 1:41 p.m. PT: Here's the relevant portion of a transcript of agency director Keith Alexander's comments, during a cybersecurity summit, regarding the Post report. The complete transcript can be found here.
[Bloomberg Television's Trish] REGAN: General, we're getting some news that's crossing right now being reported in The Washington Post that there are new Snowden allegations that say the NSA broke into Yahoo and Google's databases worldwide, that they infiltrated these databases. This is just crossing as I speak. Can you confirm or deny that?
ALEXANDER: Not to my knowledge. That's never happened. In fact, there was this allegation last June that NSA was tapping into the servers of Yahoo or Google or our industry reps. That is factually incorrect. The servers and everything that we do with those, those companies work with us. They are compelled to work with us. This isn't something the courts just said, would you please work with them and just show (ph) data over it? It is compelled.
And these are specific requirements that come from a court order. This is not NSA breaking into any databases. It would be illegal for us to do that. And so I don't know what the report is, but I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order. We issue that court order to them through the FBI. And it's not millions. It's thousands of those that are done, and it's almost all against terrorism and other things like that. It has nothing to do with US persons.
If we want to get the content of a US person's e-mail or phone number -- now here's a key. Most of the incidents that we have are finding out that a person in a foreign government is a dual US person. That's a violation for us, or if it's a terrorist but it's also a US person, that's a violation for us. We have to expunge all that communication and go get a court order and work through the attorney general.
So I don't know all these allegations, but here's the hard part. So let me ask you this. So when you get something like that that people throw out that's spurious, how do you fix that? Any insights?
REGAN: How do you?
ALEXANDER: No, I asked you. You're the (inaudible).
REGAN: You're the expert. You're the expert. So are you saying in this particular -- and again, we don't have all the details, but Edward Snowden saying that the NSA has infiltrated Yahoo and Google databases. Would one assume then that if in fact the NSA was looking at data that these companies had, they did so via a court order?
ALEXANDER: That's correct. And so the question is I don't know what his allegation is. NSA does collect information on terrorists and on our national intelligence priorities, but we are not authorized to go into a US company's servers and take data. We'd have to go through a court process for doing that.
Update, 1:44 p.m. PT: Adds comment from Google on need for reform.