NSA broke into Yahoo & Google data centers to spy on Americans

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world.

A secret accounting dated Jan. 9, 2013, indicates that NSA sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency's Fort Meade, Md., headquarters. In the last 30 days, field collectors had processed and sent back more than 180 million new records — ranging from "metadata," which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported Wednesday on its website.

New details about the NSA's access to Yahoo and Google data centers around the world come at a time when Congress is reconsidering the government's collection practices and authority, and as European governments are responding angrily to revelations that the NSA collected data on millions of communications in their countries. Details about the government's programs have been trickling out since Snowden shared documents with the Post and Guardian newspaper in June.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, the Government Communications Headquarters. From undisclosed interception points, the NSA and the GCHQ are copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants.

The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.

In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data reside. In hand-printed letters, the drawing notes that encryption is “added and removed here!” The artist adds a smiley face, a cheeky celebration of victory over Google security.

Two engineers with close ties to Google exploded in profanity when they saw the drawing. “I hope you publish this,” one of them said.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.

PRISM, uses a court order to compel Yahoo, Google and other Internet companies to provide certain data. It allows the NSA to reach into the companies' data streams and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.
 
In an interview with Bloomberg News Wednesday, NSA Director Gen. Keith Alexander was asked if the NSA has infiltrated Yahoo and Google databases, as detailed in the Post story.

"Not to my knowledge," said Alexander. "We are not authorized to go into a U.S. company's servers and take data. We'd have to go through a court process for doing that."

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it is obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers, and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA,” the Foreign Intelligence Surveillance Act.

To obtain free access to data- center traffic, the NSA had to circumvent gold-standard security measures. Google “goes to great lengths to protect the data and intellectual property in these centers,” according to one of the company’s blog posts, with tightly audited access controls, heat-sensitive cameras, round-the-clock guards and biometric verification of identities.

Eric Grosse, vice president for security engineering, said the company is rushing to encrypt the links between its data centers. “It’s an arms race,” he said then. “We see these government agencies as among the most skilled players in this game.”
http://apps.washingtonpost.com/g/page/world/how-the-nsas-muscular-program-collects-too-much-data-from-yahoo-and-google/543/
http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html
http://www.huffingtonpost.com/2013/10/30/nsa-yahoo-google_n_4178227.html

NSA records show they believe they can spy on everyone's location:

James Clapper has declassified another batch of documents on the NSA activities. We'll probably write about a few of them, but let's start with one that's getting a lot of initial attention: the document that discusses the "test" of collecting location info from the telcos based on where your mobile phone was. The short version? Do you know where you were on April 26, 2010? Because the NSA probably does. It had already been revealed that the NSA had run "a test" of obtaining location info from the telcos. This document, which is a memo from the NSA to the Senate Intelligence Committee is just explaining some of the details, with this being the key one:

In regards to the mobility testing effort, NSA consulted with DOJ before implementing this testing effort. Based upon our description of the proposed mobility data (cell site location information) testing plans, DOJ advised in February 2010 that obtaining the data for the described testing purposes was permissable based upon the current language of the Court's BR FISA order requiring the production of 'all call detail records.' It is our understanding that DOJ also orally advised the FISC, via its staff, that we had obtained a limited set of test data sampling of cellular mobility data (cell site location information) pursuant to the Court-authorized program and that we were exploring the possibility of acquiring such mobility under the BR FISA program in the near future based upon the authority currently granted by the Court.

The key takeaway here: the NSA believes that the current FISA approval of dragnet collection of metadata on every phone call includes permission to track location data as well, even though it doesn't currently do so. The "BR FISA order" means "business records" which is what Section 215 of the PATRIOT Act is sometimes called. The fact that the NSA didn't seem to think it was necessary to check with the FISA Court before running this test, just to make sure it was actually allowed is rather telling. 
http://www.techdirt.com/articles/20131028/16041225043/latest-declassified-nsa-records-show-nsa-believes-it-can-spy-everyones-location-based-existing-approvals.shtml