Just before Halloween, in the latest disclosure of US surveillance state leaks from Edward Snowden, Barton Gellman and Ashkan Soltani writing for the Washington Post reveal that the US National Security Agency (NSA) has surreptitiously compromised the private communications links that globally connect Google and Yahoo data centers. By tapping these communications links, the NSA is capable of collecting information from hundreds of millions of user accounts.
Unless you encrypted your information before using any of the Google or Yahoo services, chances are more than likely that information has been intercepted and analyzed by the NSA.
According to a 9 January 2013 accounting leaked by Snowden, the NSA sends millions of records each day to its data warehouses in Fort Meade, MD where it is analyzed and processed. The NSA project, known as MUSCULAR, is a joint endeavor with the British Government Communications Headquarters (GCHQ) and includes the interception of the entire fiber optic data flows traveling between data centers. If PRISM was the front door of NSA/GCHQ electronic surveillance of users — using secret rubber-stamped Foreign Intelligence Surveillance Court (FISC) orders to compel US technology companies to provide user data — MUSCULAR is an illicit back door the NSA uses to surveil entire overseas data flows with no judicial oversight whatever.
Gellman and Soltani report that Executive Order 12333, “which defines the basic powers and responsibilities of the intelligence agencies,” is the sole oversight of US surveillance operations that are based offshore. And the amount of data intercepted is enormous. “For the data centers to operate effectively, they synchronize large volumes of information about account holders,” write Gellman and Soltani. “Yahoo’s internal network, for example, sometimes transmits entire email archives — years of messages and attachments — from one data center to another.”
The demarcation between foreign and domestic communications is no longer clear. “Thirty-five years ago, different countries had their own telecommunications infrastructure, so the division between foreign and domestic collection was clear,” US Senator Ron Wyden (D-Oregon), a member of the intelligence panel, told Gellman and Soltani. “Today there’s a global communications infrastructure, so there’s a greater risk of collecting on Americans when the NSA collects overseas.”
As Mark M. Jaycox writing for the Electronic Frontier Foundation notes, Executive Order 12333 places oversight of this surveillance activity squarely in the Executive branch of the US federal government. “And we all know how well that works,” writes Jaycox.
US Senator Dianne Feinstein (D-California), chair of the Senate Intelligence Committee — that’d be the committee tasked with overseeing the activities of the entire intelligence community, not just the NSA — ruled that surveillance under Executive Order 12333 “did not fall within the focus of the committee.”
As the Washington Post story was breaking, Keith B. Alexander, director of the NSA, was asked about it at a Bloomberg Government cybersecurity event. Gellman, Soltani, and Andrea Peterson writing for the Washington Post cite Alexander’s response:
“That’s never happened. […] This is not the NSA breaking into any databases. It would be illegal for us to do that. And so I don’t know what the report is, but I can tell you factually we do not have access to Google servers, Yahoo servers.”
The Washington Post writers clarify Alexander’s statement that, while technically accurate, is a breathtaking dissembling:
“The distinction is between ‘data at rest’ and ‘data on the fly.’ The NSA and GCHQ do not break into user accounts that are stored on Yahoo and Google computers. They intercept the information as it travels over fiber optic cables from one data center to another.
…
“We do not know exactly how the NSA and GCHQ intercept the data, other than it happens on British territory. But we do know they are intercepting it from inside the Yahoo and Google private clouds, because some of what NSA and GCHQ collect is found nowhere else.”
Back in June, long before the report by Gellman and Soltani was published, Google had urgently begun to encrypt the communications links between its data centers, which it believed to be secure. Craig Timberg writing for the Washington Post saw it as evidence of “significant backlash within an American technology industry that US government officials long courted as a potential partner in spying programs.”
In 2011, when the FISC discovered the NSA was using similar methods — on a much, much smaller scale — to intercept and analyze data streams from domestic cables, it found the program to be illegal under the Foreign Intelligence Surveillance Act (FISA) and Fourth Amendment to the US Constitution.
Previously, Gellman and Soltani writing for the Washington Post reported that the NSA was collecting hundreds of millions of personal email and instant messaging address books:
“During a single day last year, the NSA’s Special Source Operations branch collected 444,743 email address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million a year.”
Bobby Ray Inman is former deputy director of the Central Intelligence Agency (CIA), former director of the NSA, former director of Naval Intelligence, and former vice director of the Defense Intelligence Agency (DIA) and presumably knows a thing or three about US surveillance activities and policies. While generally supportive of the NSA’s broad surveillance activities, Inman told Spencer Ackerman writing for the Guardian last August that the NSA should stop lying about its surveillance programs — both foreign and domestic — and simply reveal what it’s doing.
All of Edward Snowden’s leaks are specific to the NSA. But the US has other intelligence agencies involved in surveillance activities. Most recently, Charlie Savage writing for the New York Times reports that the US Central Intelligence Agency (CIA) is paying AT&T more than US$10 million each year to provide it with access to its database of phone records. Savage reports the agreement is governed by a voluntary contract, not a subpoena. “The CIA supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said,” he writes.
The CIA is prohibited from conducting domestic surveillance. When a surveilled call originates or terminates in the US, the identity of the call participant in the US is not disclosed and several digits of the telephone number are masked. Savage notes that it’s a simple matter for the CIA to route around this perceived damage by referring the masked numbers and undisclosed identities to the US Federal Bureau of Investigation (FBI) “which can issue an administrative subpoena requiring AT&T to provide the uncensored data.” Savage’s unnamed sources tell him that the FBI “handles any domestic investigation, but sometimes shares with the CIA the information about the American participant in those calls.”
AT&T has a long history of cooperating and even actively participating in the US government’s surveillance activities. Savage notes that a still classified 8 January 2010 memo from the Justice Department’s Office of Legal Counsel allows the FBI to obtain call records “on a voluntary basis from providers, without any legal process or a qualifying emergency.”
Last September, in light of Snowden’s NSA surveillance revelations, the US Senate Judiciary Committee chair Patrick Leahy (D-Vermont) and nine other members asked the Inspector General of the Intelligence Community, I. Charles McCullough III, to investigate the NSA’s broad surveillance activities. According to Tony Romm writing for Politico, McCullough said “he lacks the resources to conduct a review of NSA’s surveillance authorities.”
“‘At present, we are not resourced to conduct the requested review within the requested timeframe,’ wrote McCullough, before adding he and other agency inspectors general are weighing now whether they can combine forces on a larger probe.”
If you find all of this overwhelming, Ewen MacAskill and Gabriel Dance have written “NSA Files: Decoded” for the Guardian, an excellent resource outlining the disclosure of US surveillance state leaks from Edward Snowden to date.