How we know the NSA had access to internal Google and Yahoo cloud data
BY BARTON GELLMAN, ASHKAN SOLTANI, AND ANDREA PETERSON
The Washington Post reported last Wednesday that the National Security Agency has been tapping into the private links that connect Google and Yahoo data centers around the world. Today we offer additional background, with new evidence from the source documents and interviews with confidential sources, demonstrating that the NSA accessed data traveling between those centers.
The background also helps explain the response of U.S. officials following the publication of the story.
The U.S. government declined repeated requests to discuss the story beginning eight days before it was published. Since publication it has made four responses.
Immediately after the story posted online, a reporter asked NSA Director Keith B. Alexander about it at a cybersecurity event hosted by Bloomberg Government. Neither the reporter nor Alexander had read the story yet.
General, we’re getting some news that’s crossing right now being reported in The Washington Post that there are new Snowden allegations that say the NSA broke into Yahoo and Google’s databases worldwide, that they infiltrated these databases?
That’s never happened. […] This is not the NSA breaking into any databases. It would be illegal for us to do that. And so I don’t know what the report is, but I can tell you factually we do not have access to Google servers, Yahoo servers.
The story did not say the NSA breaks into “servers” or “databases.” It said the agency, working with its British counterpart, intercepts communications that run on private circuits between the fortress-like data centers that each company operates on multiple continents.
The distinction is between “data at rest” and “data on the fly.” The NSA and GCHQ do not break into user accounts that are stored on Yahoo and Google computers. They intercept the information as it travels over fiber optic cables from one data center to another.
Alexander also said:
We go through a court order. We issue that court order to them through the FBI. And it’s not millions. It’s thousands of those that are done, and it’s almost all against terrorism and other things like that. It has nothing to do with U.S. persons.
Here he appeared to be talking about PRISM, the previously reported program that makes use of authority granted by Congress in 2008 when it amended the Foreign Intelligence Surveillance Act. Under Section 702 of the amendments, the NSA was empowered to compel technology companies to turn over information about their users. A special court oversees the program, renewing it once a year.
Our Wednesday story reported that the NSA is not relying only on PRISM to get information from Yahoo and Google. It is also working with its British counterpart, the GCHQ, to break into the private “clouds,” or internal networks, of those companies.
We do not know exactly how the NSA and GCHQ intercept the data, other than it happens on British territory. But we do know they are intercepting it from inside the Yahoo and Google private clouds, because some of what NSA and GCHQ collect is found nowhere else.
The two companies do not entrust their data center communications to the “public internet,” which is comparable to an international highway system that anyone can use. Instead, they link their data centers with thousands of miles of privately owned or privately leased fiber optic cable – in effect, a system of private highways. When Google and Yahoo have to share a stretch of road with the public internet, they take other precautions to keep their traffic secure.
We showed some of the NSA’s briefing slides to private sector experts with detailed knowledge of the internal corporate networks of each company. In separate conversations, they agreed that the slides included samples of data structures and formats that never travel unencrypted on the public Internet.
Below is one example, which the NSA captured from Google.
NSA slide reproducing a transmission in a format that experts say is “only used on and between Google machines. See the full annotated documents here.
“This is not traffic you would encounter outside of Google’s internal network,” said one of the experts. The slide shows data in a format that is “only used on and between Google machines. And, also as far as I know, Google doesn’t publish their binary RPC protocol, which is what this resembles.”
An RPC is a “remote procedure call,” and this one is used when one Google data server has to confirm that it is talking to another. The author of the slide confirms that, describing the captured data as “internal server-to-server authentication.” Google’s proprietary authentication system is “Gaia,” which appears in the captured data stream. Another expert with inside knowledge confirmed that its characteristics are not public.
Another NSA slide provided by former contractor Edward Snowden showed that the NSA developed Google-specific “protocol handlers” so that it could parse the company’s proprietary formats and pull out the information it wanted to keep.
Note the section of this graph that reads “gaia // permission_whitelist.” See the full annotated documents here.
Another NSA document, similarly, describes NSA’s use of a “demultiplexer” tool to take apart data packages sent across Yahoo’s internal networks in that company’s proprietary “NArchive” format.
The project name for this collection is MUSCULAR, which corresponds to an alphanumeric string, DS-200B:
NSA suggests taps into private data links may be installed in the UK by the GCHQ. See the full annotated documents here.
DS-200B is one of many “sigads” used by the NSA to identify where it collects electronic communications. Sigad is short for “signals intelligence address” or “signals intelligence activity designator.”
This one is described as an “international access,” which means an overseas fiber optic cable or switch that routes Internet traffic. MUSCULAR is “located in the United Kingdom” and the GCHQ has primary responsibility for operating it. The NSA works cooperatively alongside its British partner, and the system used for processing that traffic, TURMOIL, belongs to the NSA. Other slides show how the traffic is routed from DS-200B to NSA databases at its Fort Meade, Md., headquarters.
Our Wednesday story noted that the NSA is governed by fewer rules and less oversight when it does its intelligence collection outside U.S. territory:
Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.
Outside U.S. territory, statutory restrictions on surveillance seldom apply and the FISC has no jurisdiction. Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies.
NSA spokeswoman Vanee Vines, in a statement late Wednesday, did not address the rules, or confirm that Yahoo and Google traffic is collected overseas. She denied untoward motives:
The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and [FISA Amendments Act] 702 is not true,” she said. “The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true.
Vines also said the NSA follows the attorney general’s guidelines for protecting the privacy of U.S. citizens. Our story said the same thing, and added that the guidelines are classified.
On Thursday, the top lawyers for the NSA and DNI returned to the questions of motivation and intent.
Speaking at an American Bar Association conference in Washington, NSA General Counsel Rajesh De said, “The implication, the insinuation, suggestion or the outright statement that an agency like NSA would use authority under Executive Order 12333 to evade, skirt or go around FISA is simply inaccurate.” He added, “The suggestion of that requires some backing up.”
“There is no scandal about the lawfulness of NSA’s activities under current law,” he said.
Robert S. Litt, the DNI’s general counsel, said at the same conference:
Everything that has been exposed [in the press] so far has been done within the law. We get court orders when we are required to, we minimize information about U.S. persons as we are required to, we collect intelligence for valid foreign intelligence purposes as we are required to.
Recent press articles on NSA’s collection operations conducted under Executive Order 12333 have misstated facts, mischaracterized NSA’s activities, and drawn erroneous inferences about those operations.
The statement did not specify the errors or false inferences. It defended NSA operations in general as compliant with “applicable laws, regulations, and policies,” and said “assertions to the contrary do a grave disservice to the nation, its allies and partners, and the men and women who make up the National Security Agency.”