Meet 'Muscular': NSA accused of tapping links between Yahoo, Google datacenters

Meet 'Muscular': NSA accused of tapping links between Yahoo, Google datacenters

Summary: UPDATED 2. New leaked Snowden documents accuse the U.S. spy agency of tapping into the links between Google and Yahoo datacenters worldwide, including Americans' data.

TOPICS: Security
Meet the National Security Agency's MUSCULAR program. (Image via The Washington Post)

Documents leaked by former U.S. government contractor Edward Snowden accuse the U.S. National Security Agency (NSA) of breaking the links that connect Google and Yahoo datacenters around the world.

First reported by The Washington Post, citing documents received from the whistleblower and additional comment from "knowledgeable" officials, the NSA is able to acquire data from hundreds of millions of user account — many of them belonging to Americans.

In a "top secret" document dated January 9, 2013, the spy agency's acquisitions unit sends millions of records daily from Yahoo and Google datacenters back to its Fort Meade headquarters. In the preceding 30 days, the agency collected 181 million new records alone, including metadata — such as traffic records and details relating to customer data — as well as the contents of communications.

The project, codenamed "Muscular," works in conjunction with its British counterparts at GCHQ, to intercept the cables between the two named Internet giants' data centers around the world.

The program allegedly works by exploiting a weakness between Google and Yahoo's cloud systems — where customer data resides — meet the public Internet.

Both companies use private fiber optic cables that are owned by Tier 1 companies, but leased out to the Internet giants for speed, security, and reliability.

An NSA presentation slide, titled "Google Cloud Exploitation," shows a hand-drawn note intersecting the two noting that encryption is "added and removed here." 

The data is then "buffered" by the British intelligence agency counterpart, which was implicated in the NSA spying scandal earlier this year with its Tempora collection program, giving the NSA time to filter and select data it needs.

Google and Yahoo, according to the report, said they were "troubled" and "concerned" respectively, and reiterated that they were not aware of this and did not give U.S. government agencies access to their datacenters.

Many cloud providers engage in "georedundancy" efforts, which results in vast amounts of customer data sent to and from other datacenters to ensure that the data is always available, particularly in the event of an outage. 

In efforts to get "free access" to the traffic that flows between datacenters, the NSA had to "circumvent gold standard security measures," according to the Post. 

ZDNet first reported in 2011 the U.S government's ability to invoke the Patriot Act and Foreign Intelligence Surveillance Act (FISA) on a U.S.-headquarters company, which would legally force a wholly-owned EU-based subsidiary to hand over data held in an European datacenter, in breach of European data and privacy laws.

Microsoft, which was named in the initial report, admitted weeks later that the Patriot Act's reach could extend to EU-based companies, such as Microsoft U.K.

European law effectively prevents EU-based data from leaving the 28 member state bloc, unless companies adhere to Safe Harbor regulations.

A Yahoo spokesperson offered the following:

"We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."

Meanwhile, Google's chief legal officer David Drummond said the company has "long been concerned about the possibility of this kind of snooping, "which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide."

He reiterated that the search giant does not provide any government access to its systems, adding:

"We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

Google in September, following the breakout of U.S. surveillance leaks, said it would begin encrypting its cloud storage by default. The search turned mobile and cloud giant also said it would speed up a plan that would see its data transferred between datacenters encrypted, in wake of the NSA spying scandal.

According to an earlier Post story, Google's vice president for security engineering Eric Grosse said: "We see these government agencies as among the most skilled players in this game," calling the security battle "an arms race."

Yahoo has not, however, publicly announced plans to encrypt its datacenter connections. 

Updated at 3:25 p.m. ET and 4:40 p.m. ET: with Yahoo and Google statements.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Best practice... to use SSL on *all* links, including those inside your own firewall, surely?

    The possibility of an intercept inside your own network is always a real and present danger. So running everything in the clear inside your data centre has to be a very poor decision from a security perspective.
    • SSL is still clear text as far as the NSA is concerned.

      Have to use something new. When encryption gets good enough that the NSA cant break it quickly enough to keep up with the volume then they'll be forced to pass a law requiring giving them access.
      Johnny Vegas
      • Depends

        SSL 1 and 2 were cracked years ago, but 3 is still hard to crack, although BEAST can crack it (it is susceptible to Cypher Block Chaining). Likewise the successor TLS 1.0 is also vulnerable to CBC attacks like BEAST), but 1.1 and 1.2 are still (supposedly) secure.

        The problem is that servers and browsers are slow to update. Firefox only introduced support for TLS 1.1 in August this year! 1.2 is still not supported. The server side is the same, many sites are slow to update. Try forcing your browser to use TLS 1.1 or later and see how many well known sites fail!

        Safari (as of September) didn't support TLS 1.1 or 1.2 as far as I can tell.

        That said, Google used to fail, but they have updated recently.
  • On NBC last night, a reporter used the term "rogue agency" to describe the

    NSA. I agree. The NSA may help keep the terrorists at bay (and my unwavering support and thanks to them on that account) but clearly, for some NSA officials and perhaps higher in the US and British Governments, the temptation of absolute power has fulfilled it's promise of absolute corruption.

    When the NSA top official can lie to Congress AND GET AWAY with it with nary a slap on the wrist, than it's time for heads to roll ... on both sides of the Atlantic.
  • Americans and non Americans

    In these discussions, you often see people expressing outrage or dismay that private information channels of Americans is being breached. What I don't like is the notion that non-Americans are somehow fair game. There are some US citizens who engage in terrorism, and most non-Americans are not. Privacy is not the only concern, security is important too. But whatever moral arguments apply to limit snooping of US citizens applies to World citizens too.
    • Non-Americans have constitutional rights in US too

      Do you remember that the US Constitution (like many Constitutions or fundamental laws in many democracies) does protect the international treaties ratified by US ?
      And that this extends as well to all legal residents in US independantly of their nationality ? And that this legal protection extends to all US citizens everywhere in the world (for which US is mandated to make all diplomatic efforts needed to have these international treaties applied to at least in all countries that have ratified the same treaties ?
      Don't listen just the lies or desires of politicians or militaries, US has accepted to play fair game internationnally because this also protects US interests and US citizens.

    This whole spying thing is going to mutate into a giant catastrophe that will provide the temptations for otherwise good people to lean over the edge for a few dollars more.

    We see snooping like peeping tom. And the privitization or farming out of any such practice to a lower wage grabber ambitious ceo will ineviteably lead to the passing of information regarding customers and contracts and bids from inside sources.

    This is the death of fair and balanced.