Google, the NSA, and the need for locking down datacenter traffic

Summary: With the NSA seemingly listening in to Google's datacenter traffic, Google, Yahoo, and other companies' need for datacenter-to-datacenter encryption has never been greater.


UPDATED the evening of Oct. 30 with Google's response. Not that this is going to come as any real surprise to anyone who's been following the Snowden NSA revelations, but it appears that the NSA's newly revealed MUSCULAR project has been listening in on Google's and Yahoo's datacenter-to-datacenter communications.

NSA Google Cloud Exploitation
It may look like a post-it note, but this leaked NSA slide had Google engineers swearing. (Credit: The Washington Post)

The NSA has denied that they're doing this. Politico reported that an NSA representative said, "The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true."

But, what is the NSA doing, if anything, anyway? Good question. The NSA PowerPoint post-it note of a slide on Google Cloud Exploitation simply shows a sketch where the Public Internet meets the internal Google Cloud at a Google Front-End (GFE) server. This is not exactly a detailed technical document. 

Here are some of the ways this could work. First, you should know that Google, Yahoo, and other major multinational Internet traffic companies store multiple copies of data across datacenters. That way, when you do a search, read a Facebook post, or what have you, your Web request goes to the closest possible datacenter and gets the fastest possible results.

To make that happen, and to ensure that you have the freshest information, the big boys use either their own or privately leased fiber-optic connections. These use networking technologies such as OC-768 and 100 Gigabit Ethernet for data transmission rates of up to 100 Gigabits per second to hook up datacenters.

This traffic, over these network connections, is not being encrypted at this time. The companies seem to have thought that since encryption does take up some time, and the traffic goes over a private connection, this was safe enough. They were wrong.

After the news about NSA snooping first broke over the summer, Google decided it was time to start encrypting its datacenter-to-datacenter communications. Google also started automatically encrypting Google Cloud Storage data with 128-bit Advanced Encryption Standard (AES-128) before it's written to disk. Yahoo, for its part, is finally turning Secure Sockets Layer (SSL) on as its default Yahoo Mail setting for improved end-user security.

Will these methods solve the major Internet players' privacy problem? Probably not.

For starters, it's not at all clear from The Washington Post report how the NSA is listening in. Is the NSA squatting in international telecommunications centers snooping on clear-text traffic between datacenters, or is the NSA actually breaking SSL, Advanced Encryption Standard (AES), and Transport Layer Security (TLS) traffic as it moves from Google's datacenters to the Internet? We don't know. For that matter, the Post story also implies that the GFE servers themselves may have been compromised.

If SSL and its related security protocols have indeed been compromised, there are ways they could be toughened. One such possible fix is Perfect Forward Secrecy (PFS).

With PFS-encrypted Web connections, when a secure connection is made between a browser and a server, a temporary secure session key is generated using ephemeral Diffie-Hellman (DHE) or ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchange. As you continue to interact with a site, new secure keys are generated.

The good news is that this makes it much harder to break such secure connections. Instead of having to break one key, a would-be snooper must break multiple ones. The bad news is that both algorithms can slow down connections and they're not universally supported by Web servers and browsers.
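As an added example (not part of the original article), the Python sketch below audits which TLS cipher suites are forward secret, first over a constructed legacy suite list and then over a server context restricted to DHE/ECDHE key exchange. The cipher policy string and the sample suite list are assumptions chosen for illustration; suite names follow OpenSSL's naming.

```python
import ssl

# Constructed sample: a legacy server cipher list that mixes static-RSA key
# transport suites with a single ephemeral (ECDHE) suite.
LEGACY_SUITES = ["AES128-SHA", "AES256-GCM-SHA384", "DES-CBC3-SHA",
                 "ECDHE-RSA-AES128-GCM-SHA256"]


def is_forward_secret(name, protocol="TLSv1.2"):
    """True if the suite's session key comes from an ephemeral exchange."""
    # TLS 1.3 full handshakes always use ephemeral (EC)DHE. For TLS 1.2 and
    # earlier, OpenSSL suite names carry the key exchange as a prefix.
    return protocol == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))


def audit_names(names):
    """Split suite names into forward-secret and static-key groups."""
    report = {"forward_secret": [], "static_key": []}
    for name in names:
        key = "forward_secret" if is_forward_secret(name) else "static_key"
        report[key].append(name)
    return report


def forward_secret_server_context():
    """Server-side context that only negotiates DHE/ECDHE key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed policy string: authenticated ephemeral exchanges with AEAD
    # ciphers only; no anonymous or pre-shared-key suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!PSK")
    return ctx


def audit_context(ctx):
    """Audit the suites a live SSLContext is actually willing to offer."""
    report = {"forward_secret": [], "static_key": []}
    for suite in ctx.get_ciphers():
        fs = is_forward_secret(suite["name"], suite["protocol"])
        report["forward_secret" if fs else "static_key"].append(suite["name"])
    return report


if __name__ == "__main__":
    print("legacy list:", audit_names(LEGACY_SUITES))
    print("hardened context:", audit_context(forward_secret_server_context()))
```

Any suite reported under `static_key` derives its session key from the server's long-term key, so recorded traffic becomes readable if that key is later obtained.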

Of course, it's a cryptography truism that it's easier to get around cryptography than it is to break it. So if the NSA, or one of its partners such as the UK's Government Communications Headquarters (GCHQ), could tap into Google's and Yahoo's private networks, that would be their method of choice.

David Drummond, Google's Chief Legal Officer, said, "We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

ZDNet has asked Yahoo for their take on the matter, but Yahoo hasn't responded yet. When they do, we'll update this story.

For now, we just don't know which of these methods, if not all three, the NSA used, or what the companies will be doing in reaction to this. What we do know, and we should have known all along, is that privacy really doesn't exist on today's Internet.

The moral of the story, for anyone who runs datacenters in more than one country, is that it's well past time to start using the most secure connections you can find for your datacenter-to-datacenter communications. Simply having a "private" line doesn't mean that you're not actually on a party line with the NSA.

  • Almost all goes to Google

    Installed Network Connections app from Google Play today. Almost 90% of the data from my phone goes to Google. I have had some crappy apps that made connections to China, but removed them. However, my device is making connections to Google servers non-stop. Are they getting something more than sync?
    • Got Windows ?

      It does the same.
      Alan Smithie
      • I wouldn't say exactly the same

        Microsoft is trying to sell Surfaces. Google's whole point of releasing android for free but keeping the google apps and service closed source is to collect info on people to feed their targeted advertising network. Microsoft may have ambitions to know everything about you, all your email, contacts, where you've gone, what you've searched for, all websites you have visited, etc., but google has been proven to be voracious specifically sucking up people's info, from driving around collecting wifi signals to actually hacking into people's non-google computers to track their every internet move if they turned tracking cookies off.
        They've also stated numerous times they want to collect all this info to get to the point of telling you what you want before you even know, and have fought and lobbied against EU privacy laws that demand people be advised just what exactly google is collecting and what they do with it. Their various EULAs add up to, pretty much, they can collect anything they want, especially if you use android device and services.
        Securing this type of info is important, but with fascist laws like the patriot act, if they collect it, it's not secure. It can be demanded, and they can be told to lie to their customers with a gag order, and it seems more and more like they're playing ball with the system anyway. Is google really not smart enough to know if their data is being siphoned, rather than a "we've suspected something like this for a while..."????????
  • The difference between foreign and domestic spying.

    Spying on foreign telecom: Find an unguarded connection in the street, surreptitiously wire a tap, set up a listening and forwarding point.

    Spying within US or on a US company: walk in the front door, lay down a secret federal order signed by a judge, wheel in whatever equipment you want. Anybody makes a fuss, haul them off to Guantanamo for a few "friendly" but wet chat sessions.
    terry flores
  • No surprise here.

    Google is a data-sucker extraordinaire. ALL their devices and apps suck data into their cloud. That makes one mighty juicy data source for those NSA spooks.
  • NSA Denials

    "The NSA has denied that they're doing this."

    Alexander, Clapper, Obama and company read Mark Twain and didn't realize he was joking: "Truth is the most valuable thing we have. Let us economize it."

    They have been caught lying so many times that even if they were telling the truth no reasonable person would believe them.
  • Circle of life

    Let me see, Google spies on us, NSA spies on Google, UN spies on NSA..... I bet Google is selling the NSA the data, they will take it anyway and Google may as well make some money off this.

    Soon there will be no cash, no need for the IRS, they will have access to your bank accounts and they will just take your taxes directly from your account. They will know every dime you earn and spend.
  • So this is what we have come to...

    working to create systems to protect ourselves from our own government. What a pitiable mess of lily-livered men. Our forebears would have slapped us upside the head, and demanded that we stand on our hind legs!
    Tony Burzio
  • Americans have problems with colors...

    They no longer know the difference between "yellow" and "yaaaaler".
    Tony Burzio
  • Google, the NSA, and the need for locking down datacenter traffic

    Google is mad because the NSA is doing their spying a lot better. Plus they are piggybacking off of Google's data so all the hard work is done for them.
  • If one is to question the denial, one must also question the accusation

    Interestingly enough, the Washington Post doesn't provide any proof that the snooping is being done as they claim. The Post doesn't provide any evidence at all, just accusations.

    After seeing the trash and inaccurate data reported by most newspapers in the United States, one must question the accuser as well as the accused. Is the article sensationalized to sell papers (of course Steven would never sensationalize anything, right?) or does the Post have real proof to back up their supposed accusations?

    I always find it interesting in the United States where one is supposed to be innocent until proven guilty that when a party without the best reputation (the Post) for accuracy accuses another party without the best reputation for honesty (the NSA) everyone immediately accepts the information from the inaccurate party as truth and skewers the other.

    Seems more like the pot calling the kettle something or other. Provide the evidence, or don't make the accusations.
    • If one is to question the denial, one must also question the accusation

      Your argument might hold water except for the fact that Google confirms it in a roundabout way. They are furious, they are spending millions to harden their datacenter, etc.
      • Yeah, plus

        Edward Snowden pretty much gave up his life and career here to expose what we all pretty much knew but couldn't prove without the zombies calling people conspiracy nuts for realizing the obvious.
        Now that it comes out that NSA's been feeding unconstitutionally collected info to law enforcement, which perjures and makes up cases and how they got what info, making our legal system more of a joke, and how NSA's been busted so many times with lies until they just admit all they're doing is trying to find the "least dishonest way" to lie to us, we have to assume there are many there that don't have an honest bone in their body at this point, and will make up whatever they want.
        At this point I would believe a child's drawing that Snowden says came from them over a 3 page binder they have drawn up, yeah. That's what fricken unconstitutional liars they are.
        Also, google's responses have been really lame, how all the big companies toed an obvious "company" line, "the nsa doesn't have direct access to our servers", and how when this comes out, "we kinda suspected". They didn't "know" for simple plausible deniability is all this says. And they don't address the fact that even if this "convenience" wasn't available they would just demand it under gag order anyway. How is this different from them tapping everything else? It's wrong. There really was a reason we had a constitutional right to privacy. You can't just label a person a criminal ahead of time taking away their rights, including privacy with no due process or you get corruption like this that can't stop itself.
  • Liars and thieves

    Not long ago it was revealed Google, etc. also gave access to the NSA and they were thinking about coming out with their dirty list but eventually didn't so what's with Google pretending that didn't happen and suddenly acting like victims of cyber-theft with their crappy security.
    • I thought it was already established...

      that google was giving NSA backdoor access back a couple years ago when we found out China was hacking US gmail using a backdoor set up for law enforcement...