Yves here. Even though the NSA is now attempting to say that Google and Yahoo were told to comply with the latest data-hoovering exercise exposed by Edward Snowden, Google angrily claims otherwise. Here’s the tit for tat per CNN, starting with the “nothing new here” claim from NSA director Keith Alexander:
“The servers and everything we do with those, those companies work with us. They are compelled to work with us. This isn’t something the court just said, ‘Would you please work with them and throw data over it.’ This is compelled. And this is specific requirements that come from a court order,” Alexander said at a cybersecurity conference in Washington.
“This is not NSA breaking into any databases. It would be illegal for us to do that. So, I don’t know what the report is. But I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order.”
Notice the emphasis on servers and database? That’s almost certainly not where the NSA got the data for this particular program, so the Alexander remarks are yet more NSA misdirection. This is the “one chart says it all” from the Washington Post, which broke the story:
This section presents more details about the architecture of Google’s international data centers, including where the intercepts might have occurred. Notice that it’s not on the servers (as the story also makes clear), but on the data pipes:
And here’s the Google reaction:
Google has “long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links,” said David Drummond, Google’s chief legal officer.
“We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”
Now if Google has “long been concerned” but apparently was not able to circumvent it, what does this say about Google’s vaunted technological superiority? The Internet giant has made a name for itself for (among other things) the lengths to which it goes in recruiting to find “talent”. You can find hundreds of articles along the lines of this 2012 Forbes account:
In the hot war for talent being fought in Silicon Valley, no company has an arsenal quite like Google’s. Named Fortune’s Best Company to Work For in 2012, the search giant made a record 8,067 hires last year — boosting total headcount by a third. The thirteen-year-old firm’s recruiting has an almost mythical quality about it, particularly for the two million candidates applying to work there each year. In terms of elite American institutions, getting a job at Google ranks with being admitted to Stanford Graduate School of Business or becoming a Navy Seal. Behind the glitz there are a few Googley basics at work: data, money (lots of it), sophisticated programming, and an army of young, eager recruiters.
Having said that, the NSA breaking-and-entering operation may have resulted from Google being unable to secure lines leased from foreign telcos that were willing or compelled to assist the NSA, or from turncoats in Google (a well-placed double agent might have identified the security vulnerabilities).
Despite the wounded noises from the technology giant, this all looks like optics for the rubes. It’s hard to take protests from Silicon Valley seriously until we see some of the Internet oligarchs put their money and their names on the line. We don’t yet have tech billionaires playing the role of Mikhail Khodorkovsky: publicly advocating what by commonsense and world standards were pretty modest reforms, but nevertheless were a direct challenge to Putin. As a result, Khodorkovsky now languishes in a dank Moscow prison, a fate that even an obstreperous Internet magnate would be almost certain to escape.
No, the real barrier is that the initial NSA slides released by Edward Snowden calling top technology firms like Google and Yahoo “partners” were spot on. They are “partners” in the Ambrose Bierce usage: “When two parties have their hands so deeply plunged into each other’s pockets that they cannot separately plunder a third party.” As much as their involvement in the surveillance state might dent the telecom and Internet players’ reputations and international profits, it’s highly unlikely that they will find it in their business interest to tear up their deal with the devil.
By Wolf Richter, a San Francisco based executive, entrepreneur, start up specialist, and author, with extensive international work experience. Cross posted from Testosterone Pit.
Edward Snowden’s revelations have added a new dimension, deeper and more disturbing still, to the perfect, seamless, borderless surveillance society: under a program with the evocative moniker, MUSCULAR, the NSA and its British counterpart, the GCHQ, have secretly targeted American companies, managed to get around their security measures, broken into their “clouds,” and syphoned out user data on a large scale.
That would be illegal in the US.
But the cloud is a worldwide phenomenon. It’s a beacon of growth for American tech companies. Facebook, Amazon (its AWS hosts a number of big cloud-based websites, such as Netflix), Microsoft, IBM, Google, Yahoo… just about all tech companies, online retailers, social media companies, financial firms, app makers, every company with online products, they’re all making money in the cloud. Even Obamacare is in the cloud. You log into a website to access software and your own data – that’s the cloud. In terms of hardware, it’s data centers and fiber-optic links. Thousands of them. Everywhere.
The cloud is where the NSA goes to pick through everyone’s data. Under the PRISM program, revealed by Snowden some time ago, the NSA has enjoyed easy access to user accounts and their data. Companies cooperate. It’s permitted under the Foreign Intelligence Surveillance Act and overseen by the Foreign Intelligence Surveillance Court. We just didn’t know about it.
MUSCULAR is darker. It secretly targets American companies. Google and Yahoo have been named in top-secret documents that Snowden had pilfered and that landed at the Washington Post. To get around legality issues in the US, the NSA broke into Google’s and Yahoo’s overseas data centers. If you have anything in the cloud – and you do, whether you want to or not – it’s stored in numerous locations, including overseas.
In March last year, when David Petraeus was still CIA Director, before emails, ironically, about an extramarital affair unraveled his career, he spoke at the In-Q-Tel CEO Summit. He was accompanied by NSA specialists. He raved about how startups that had been funded by In-Q-Tel – the CIA’s venture capital branch – were “providing enormous support to us as we execute various critical intelligence missions.” He talked about “innovative technologies developed by the firms represented in this room.”
It was just a speech, and no one really paid attention. But he was disclosing the true nature of our perfect surveillance society, on the eve of the Snowden revelations.
“We have to rethink our notions of identity and secrecy. In the digital world, data is everywhere,” he said. “Data is created constantly, often unknowingly and without permission” – emphasis mine. “Every byte left behind reveals information about location, habits, and, by extrapolation, intent, and probable behavior.” The data “that can be collected is virtually limitless,” he said, which presented “enormous intelligence opportunities.” And in closing he thanked the executives and tech gurus for “helping to keep America’s Intelligence Community at the forefront of global innovation.”
So far, the Snowden revelations have shown exactly that: an intense, hand-in-glove cooperation between the Intelligence Community and American tech companies, from scrappy startups to corporate mastodons, at every level, whether adding backdoors to Windows operating systems or compromising the keys to encryption.
But the revelations about the MUSCULAR program show that, in parallel, the NSA also worked against these tech companies – Google and Yahoo so far, but more documents are likely to trickle out, as they have done in the past, like Chinese water torture, to reveal that other American companies got hit as well.
“According to a top secret accounting dated Jan. 9, 2013,” the NSA had in the preceding 30 days syphoned off from undisclosed interception points at Google’s and Yahoo’s clouds “181,280,466 new records” – metadata, text, audio, video, anything, from Americans and foreigners alike – and sent them back to its own data center at its Fort Meade headquarters.
The NSA and GCHQ aren’t even targeting anyone. They’re just grabbing massive data streams between data centers. A worldwide dragnet.
Google already warned in early September that it was furiously trying to encrypt the stream of data between its data centers to keep the NSA and other intelligence agencies out of them. “It’s an arms race,” explained Google VP for security engineering, Eric Grosse, at the time. “We see these government agencies as among the most skilled players in this game.”
Even encryption won’t protect the data against the NSA’s all-out efforts to defeat encryption. But it will make it more difficult. As Christopher Soghoian, a computer security expert at the ACLU, put it: “If the NSA wants to get into your system, they are going to get in.” The only hope was the encryption would make, as he said, “dragnet surveillance impossible.”
The MUSCULAR revelations were met with total stonewalling from the government. A spokeswoman at Yahoo said: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.” Google was “troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.” The company has “long been concerned about the possibility of this kind of snooping.”
How was the NSA able to exploit cracks in the networks? The Washington Post has some titillating tidbits:
For the MUSCULAR project, the GCHQ directs all intake into a ‘buffer’ that can hold three to five days of traffic before recycling storage space. From the buffer, custom-built NSA tools unpack and decode the special data formats that the two companies use inside their clouds. Then the data are sent through a series of filters to ‘select’ information the NSA wants and ‘defeat’ what it does not.
We don’t know yet how many more companies were hit, or how many more of these programs are out there. We do know, however, given the revelations of the past six months, that just when we thought it couldn’t get worse, it gets much worse.
Corporate America has hugely benefited from the cooperation with the NSA, whose relentlessly growing budget makes it the perfect customer. And they have benefitted from their cooperation with other intelligence and law enforcement agencies. But these revelations have thrown dark shadows on the entire cloud and have made foreign companies and governments leery of buying Big Data software, services, or hardware from American companies. And MUSCULAR, too, will worm its way perniciously into revenues and profits of our already revenue-challenged tech heroes.
Evidence is already piling up. Teradata, which sells analytics tools for Big Data, warned that revenues plunged 21% in Asia. Then IBM confessed: hardware sales in China had collapsed. Every word was colored by Snowden’s revelations about the NSA’s ties to American tech companies.