New Snowden Leak: NSA Tapped Google, Yahoo Data Centers

What's This?

By Lorenzo Franceschi-Bicchierai2013-10-30 20:14:34 UTC

The NSA has been secretly collecting data directly from Google and Yahoo's data centers by tapping into the links connecting the giant servers around the world, according to newly published documents leaked by Edward Snowden.

The spy agency, with the aid of its UK counterpart, the GCHQ, operates a program codenamed MUSCULAR that can reportedly collect content and metadata directly from the privately owned fiber-optic cables that connect the companies' data centers, as first reported by The Washington Post on Wednesday.

See also: Email Providers Build Service to Protect Your Inbox From the NSA

MUSCULAR appears to work separately from PRISM, the top secret program that allows the NSA the GCHQ to access data from nine tech giants through court orders. With MUSCULAR, the NSA and the GCHQ have figured out a way to enter a back door into the private network of Google and Yahoo's data centers.

The NSA appears to be exploiting a weak link in the companies' infrastructure, where the front-end servers, which receive data from Google and Yahoo users, connect with the companies' "private clouds" of data centers. (A graphic by The Washington Post lays out this infrastructure.)

Google had previously announced it would encrypt data moved among its data centers. Yahoo doesn't employ this kind of encryption.

The two companies released statements to The Post in which they denied giving NSA access to their servers.

The scale of the program isn't currently clear, but a document dated Jan. 9, 2013, cited in The Washington Post article, says that the NSA had collected 181,280,466 records in the preceding 30 days. And another document describes the access as "full take," "bulk access" and "high volume."

The story broke while the NSA Chief Gen. Keith Alexander was at a cybersecurity conference in Washington, D.C. Asked about the latest scoop, Alexander denied the report.

"This is not NSA breaking into any databases. It would be illegal for us to do that. And so I don’t know what the report is, but I can tell you factually we do not have access to Google servers, Yahoo servers," he told Bloomberg Television.

His denial, however, seems to be carefully crafted to avoid addressing the actual allegations made in The Post's article. In response to Alexander's denial, Askhan Soltani, an independent privacy and security researcher who wrote the story along with Baron Gellmann, tweeted: "Clarification: 'tapping private links' isn't the same as 'hacking private servers.' You can deny one while still doing the other."

Have something to add to this story? Share it in the comments.

Image: Jim Watson/AFP/Getty Images

Topics: data centers, NSA, privacy, surveillance, U.S., US & World, World, Yahoo