Coverage of the Snowden leaks may have become a bit routine since information began pouring into the public eye this spring, but the latest set of facts revealed by the Washington Post should make everyone sit up and take notice. The NSA has physically compromised the data cables that connect the various data centers of companies like Google and Yahoo in a bid to directly access the information the two companies pass between their own servers. According to the report, the connection is provided by DS-200B, an unnamed telecommunications hub outside the US, where secret access to the relevant cables has been obtained.
Up until recently, Google, Yahoo, and other major companies passed data from point to point in unencrypted text. The encryption standard, SSL, was “added and removed” at the point where the public accessed the information. Internally, data wasn’t encrypted. This wasn’t seen as a security flaw, given that the companies in question owned both the data centers and the cable used to link them; information wasn’t passing through the public Internet, but across the company’s own networks. Muscular (that’s the codename of this particular NSA program) is a joint operation with the British Government Communications Headquarters (GCHQ) that took advantage of the gap, slurping up the contents of the fiber optic links, and firing it back for further analysis.
The reason the Muscular program is so chilling is because the NSA already has the legal authority it needs to require the major web companies to comply with any demand it makes for information on targets, both foreign and domestic. Up until this past summer, every corporate attempt to challenge these requirements had failed. Every attempt to challenge the nature of the gag orders had failed. The major telcos have unilaterally gone along with the expanded requirements; court documents unsealed this fall revealed that not one phone company has ever attempted to block a surveillance order handed down from the FISC (Foreign Intelligence Surveillance Court) despite having the legal right to do so. In fact, according to the government, telephone companies are the only entities with the legal right to challenge such surveillance. And they haven’t.
It’s not an exaggeration, therefore, to say that prior to Snowden, the NSA had effectively won. It had deep access to international Internet records thanks to the so-called “Five Eyes” agreement between Australia, Canada, New Zealand, the UK, and the US. It had a non-adversarial court system designed to rubber-stamp requests, and it had defeated all corporate attempts to block access to said data. The only lasting effect of warrantless wiretapping was Congress passing a law to grant retroactive immunity to the companies involved.
And yet, even after all these wins, the NSA wasn’t satisfied. Prism wasn’t enough. Boundless Informant and XKeyscore weren’t enough. Deliberately distributing broken encryption standards wasn’t enough. And so the NSA tapped the communication lines directly, not to target specific individuals or groups known to be potential terrorist risks, but to siphon up the ocean in the hopes of catching minnows.
One of the ways the NSA has defended its actions to date is to fundamentally change the nature of the word “surveillance,” from the act of intercepting something to the act of analyzing what you intercepted. But within the Washington Post documents is the following request for a decrease in data capture: “Numerous S2 analysts have complained of its existence [the tap into Yahoo’s network], and the relatively small intelligence value it contains does not justify the sheer volume of collection at Muscular.”
You can’t have a complaint without a human analyst, and an analyst can’t complain about something they aren’t seeing.
The idea that this effort only targets non-citizens, meanwhile, is also incorrect. The NSA has acknowledged that it will gather data on people up to three “hops” away from a target, that it gathers information on US citizens “inadvertently,” and that its mission is to hoover up all information. If Google, Yahoo, and “other” Internet companies treated each server like a solitary local island, than the chances of intercepting US-based information on a server in Asia might be low, but that’s not how it works. The documents released alongside the story make note of the fact that Yahoo has been archiving huge amounts of email across the link, and doesn’t say that the traffic pertains to a particular geographical area or region. It’s not “US email,” or “Asian email,” — it’s just email.
The Internet is designed around the idea that information can be trusted. In some ways, that proved to be a mistake — DNS hijacking was a major problem until the adoption of DNSSEC — but the underlying idea has proven remarkably sound. The programs the NSA has built are destroying that trust, from the inside. The leaks around Muscular explain why the NSA documents concerning Prism referred to “back doors,” while corporate executives and engineers swore that such back doors absolutely did not exist. Before today, I would’ve said that you couldn’t trust an online company to keep your information safe, because the NSA could demand that information at any time. The reality is worse: You can’t trust a company to keep your data safe, because the NSA has built itself a giant data hose that sucks down information without oversight or agreement from Google, Yahoo, or any other major company.
The US and its allies have jointly built a system that increasingly makes the Great Firewall of China look like a child’s sandcastle. The impact of these policies is echoing in the real world. The revelation that the NSA had bugged the phone of German Prime Minister Angela Merkel was stunning, not because anyone thought we lacked the capability, but because apparently bugging the phone and personal records of one of our staunchest allies in the post-World War II era is considered in America’s best interests. Yes, all countries spy on each other, but not all countries spy on each other equally. If Merkel’s Germany isn’t a strong enough ally to deserve a modicum of privacy, who is? And how would we react to the idea that Germany, or England, or France had bugged the personal communications of a sitting US President in the same fashion?
Brazil is already pushing for a new system of Internet routing that effectively separates the country from relying on the US Internet. Russia has called for a new governance system that doesn’t rely on the US. Companies have reported damage to European business units in the wake of the NSA scandal. Multiple US providers of encrypted email services have shut down rather than be forced to reveal their users. In the case of Lavabit, the government has argued that forcing the company to reveal the private email encryption keys for some 400,000 customers was not an undue burden in its quest to seize Edward Snowden’s email account. The fact that 399,999 of the people in question had done nothing wrong and were not under any sort of surveillance order was beside the point.
This article by Joel Hruska originally appeared on ExtremeTech.com.
Copyright (C) 2013 LexisNexis, a division of Reed Elsevier Inc. All Rights Reserved.