WASHINGTON, D.C. — The National Security Agency has been secretly collecting internet data — almost certainly including American email traffic — as it transits to Google and Yahoo servers abroad, according to the latest disclosures from former NSA contractor Edward Snowden.
The documents, reported by The Washington Post, describe a project code-named “MUSCULAR,” a cooperative effort with the agency’s British counterpart, GCHQ. Even though NSA has been obtaining data directly from Google and Yahoo with court orders through the previously disclosed PRISM program, the new documents show it also has been taking it without permission abroad, outside the oversight of the Foreign Intelligence Surveillance Court.
The latest disclosure is likely to fuel calls in Congress and elsewhere to investigate and rein in NSA surveillance.
One internal “top secret” NSA document, labeled “Google Cloud Exploitation,” included a hand sketch illustrating how Google data moves around the world, complete with a smiley face. Two engineers with close ties to Google exploded in profanity when they saw the drawing, the Post reported.
Joshua Foust, a former defense intelligence official who has frequently defended NSA surveillance, said on Twitter that the latest disclosure raises questions about how the NSA could spy on American companies.
Google, Yahoo and other internet companies maintain data centers around the world through which user data flows, irrespective of the nationalities of the customers.
Asked about the Post story in a public appearance, the NSA’s director, Gen. Keith Alexander, said Wednesday he was unaware of it, according to Politico — adding the NSA is “not authorized” to access companies’ data centers and instead must “go through a court process” to obtain such content.
The leaked NSA documents, however, do not say NSA accessed data centers. They say NSA collected the data, including entire copies of Yahoo email accounts, as it was sent over fiber-optic lines between company data centers. Previously, not all such data transmissions were encrypted, or sent in code. In the wake of recent NSA disclosures, Google is moving to encrypt its traffic. Yahoo has not announced plans to do so.
In a statement, NSA spokeswoman Vanee Vines said, “The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is not true. NSA applies attorney general-approved processes to protect the privacy of U.S. persons — minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention and dissemination. NSA is a foreign intelligence agency. And we’re focused on discovering and developing intelligence about valid foreign intelligence targets only.”
But according to a top secret document dated Jan. 9, 2013, the Post reported, NSA sends millions of Google and Yahoo records each day to data warehouses at the agency’s Fort Meade, Md., headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back more than 181 million new records — including text, audio, video and “metadata,” or “to and from” records.
White House officials and the Office of the Director of National Intelligence, which oversees the NSA, declined to confirm, deny or explain why the agency infiltrates Google and Yahoo networks overseas, the Post reported.
In a statement to the Post, Google said it was “troubled by allegations of the government intercepting traffic between our data centers, and we are not aware of this activity.”
“We have long been concerned about the possibility of this kind of snooping, which is why we continue to extend encryption across more and more Google services and links,” the company said.
A Yahoo spokeswoman told the Post: “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”
Under the PRISM program, first disclosed in June, the NSA gathers large volumes of online communications by legally compelling U.S. internet companies, including Yahoo and Google, to turn over any data matching court-approved search terms. That program is authorized under Section 702 of the Foreign Intelligence Surveillance Act and overseen by the Foreign Intelligence Surveillance Court.
When NSA gathers foreign intelligence overseas, FISA regulations do not apply. The agency instead operates under an executive order, 12333, which defines the NSA’s powers. Congress has much less visibility over what NSA collects under 12333, lawmakers have said.