And of course, some of that metadata and content was generated by Americans. How can the NSA get away with that? In theory, because of geography. Some of Google’s and Yahoo’s data centers and the fiber-optic pipelines that connect them are located outside the United States, and the rules on foreign surveillance are less strict than Fourth Amendment/FISA limitations on domestic surveillance. Is it okay for the U.S. government to hack an American company as long as the hacking occurs outside the borders of the United States? Does that magically transform domestic surveillance into “foreign”?
According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.
The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants…
In an NSA presentation slide on “Google Cloud Exploitation,” … a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data resides. In hand-printed letters, the drawing notes that encryption is “added and removed here!” The artist adds a smiley face, a cheeky celebration of victory over Google security.
Two engineers with close ties to Google exploded in profanity when they saw the drawing. “I hope you publish this,” one of them said…
The Google and Yahoo operations call attention to an asymmetry in U.S. surveillance law: While Congress has lifted some restrictions on NSA domestic surveillance on the grounds that purely foreign communications sometimes pass over U.S. switches and cables, it has not added restrictions overseas, where American communications or data stores now cross over foreign switches.
One of the briefing documents on MUSCULAR swiped by Snowden asserts that it’s “produced important intelligence leads against hostile foreign governments.” Interestingly, rather than make that argument, NSA chief Keith Alexander flatly denied that the NSA is engaged in any pipeline-tapping when asked for comment on the new WaPo story this afternoon. (He’s denied Snowden’s allegations before, though, notes NBC, only to have them proved true later.) If all of this sounds vaguely familiar, there’s a reason. The NSA also tapped fiber-optic data pipelines located inside the U.S. a few years ago and got a rare rebuke from the FISA Court for it. I mentioned it in this post. Siphoning off data “upstream” here at home ended up pushing too many communications by American citizens into the NSA’s net, which the Court declared was a violation of the Fourth Amendment. WaPo notes in its new story on MUSCULAR that it’s “not clear” how much data is collected from American clients of Google/Yahoo by the NSA, and there is, apparently, some attempt to minimize the amount via search filters. But given the sheer volume of what’s being sucked up, that can only do so much.
What’s novel about this new scoop is that it’s less about the NSA potentially violating the privacy of individual Americans than it is about the feds engaging in cyberespionage against American companies — and not just any companies, but companies that have been cooperative in sharing user data with the NSA under programs like PRISM. It confirms the impression of an agency whose appetite for information is so voracious that it’ll happily cannibalize its partners just to get a little extra, even if they’re U.S. entities. If they’re reduced to arguing that it’s technically legal because they “only” hacked the parts of Google’s and Yahoo’s systems that are located in Europe, not the ones located here, that’ll hurt them even more, I think. That distinction seems far too formalistic to rebut the basic objection that Uncle Sam shouldn’t be in the practice of quietly stealing mountains of intellectual property from American businesses.
The irony is, per the last paragraph of the excerpt above, this might further tie the NSA’s hands abroad, where nearly everyone agrees they should have a freer hand to operate because it’s easier to target foreigners exclusively there. They’re already back on their heels because of the uproar over them tapping Merkel’s phone; now, if there’s a new uproar over this, Congress may feel pressured to impose new restrictions on how the agency operates internationally to limit its ability to target U.S. citizens or corporations overseas. What a backfire, if it happens. Exit question: Why did they feel the need to tap Google’s and Yahoo’s data centers if they were already being handed information by the companies under PRISM? WaPo tries to explain but I’m not seeing it.