Meet 'Muscular': NSA accused of tapping links between Yahoo, Google datacenters

UPDATED 2. New leaked Snowden documents accuse the U.S. spy agency of tapping into the links between Google and Yahoo datacenters worldwide, including Americans' data.
Written by Zack Whittaker, Contributor
Meet the National Security Agency's MUSCULAR program.
Image via The Washington Post

Documents leaked by former U.S. government contractor Edward Snowden accuse the U.S. National Security Agency (NSA) of breaking the links that connect Google and Yahoo datacenters around the world.

First reported by The Washington Post, citing documents received from the whistleblower and additional comment from "knowledgeable" officials, the NSA is able to acquire data from hundreds of millions of user account — many of them belonging to Americans.

In a "top secret" document dated January 9, 2013, the spy agency's acquisitions unit sends millions of records daily from Yahoo and Google datacenters back to its Fort Meade headquarters. In the preceding 30 days, the agency collected 181 million new records alone, including metadata — such as traffic records and details relating to customer data — as well as the contents of communications.

The project, codenamed "Muscular," works in conjunction with its British counterparts at GCHQ, to intercept the cables between the two named Internet giants' data centers around the world.

The program allegedly works by exploiting a weakness between Google and Yahoo's cloud systems — where customer data resides — meet the public Internet.

Both companies use private fiber optic cables that are owned by Tier 1 companies, but leased out to the Internet giants for speed, security, and reliability.

An NSA presentation slide, titled "Google Cloud Exploitation," shows a hand-drawn note intersecting the two noting that encryption is "added and removed here." 

The data is then "buffered" by the British intelligence agency counterpart, which was implicated in the NSA spying scandal earlier this year with its Tempora collection program, giving the NSA time to filter and select data it needs.

Google and Yahoo, according to the report, said they were "troubled" and "concerned" respectively, and reiterated that they were not aware of this and did not give U.S. government agencies access to their datacenters.

Many cloud providers engage in "georedundancy" efforts, which results in vast amounts of customer data sent to and from other datacenters to ensure that the data is always available, particularly in the event of an outage. 

In efforts to get "free access" to the traffic that flows between datacenters, the NSA had to "circumvent gold standard security measures," according to the Post. 

ZDNet first reported in 2011 the U.S government's ability to invoke the Patriot Act and Foreign Intelligence Surveillance Act (FISA) on a U.S.-headquarters company, which would legally force a wholly-owned EU-based subsidiary to hand over data held in an European datacenter, in breach of European data and privacy laws.

Microsoft, which was named in the initial report, admitted weeks later that the Patriot Act's reach could extend to EU-based companies, such as Microsoft U.K.

European law effectively prevents EU-based data from leaving the 28 member state bloc, unless companies adhere to Safe Harbor regulations.

A Yahoo spokesperson offered the following:

"We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency."

Meanwhile, Google's chief legal officer David Drummond said the company has "long been concerned about the possibility of this kind of snooping, "which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide."

He reiterated that the search giant does not provide any government access to its systems, adding:

"We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

Google in September, following the breakout of U.S. surveillance leaks, said it would begin encrypting its cloud storage by default. The search turned mobile and cloud giant also said it would speed up a plan that would see its data transferred between datacenters encrypted, in wake of the NSA spying scandal.

According to an earlier Post story, Google's vice president for security engineering Eric Grosse said: "We see these government agencies as among the most skilled players in this game," calling the security battle "an arms race."

Yahoo has not, however, publicly announced plans to encrypt its datacenter connections. 

Updated at 3:25 p.m. ET and 4:40 p.m. ET: with Yahoo and Google statements.

Editorial standards