The NSA, Google, and Yahoo: more than you thought

Via Kevin Drum, here is a new report:

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

….The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies. The agency is built for high-tech spying, with a wide range of digital tools, but it has not been known to use them routinely against U.S. companies.

Kevin adds:

This is apparently all done overseas in order to evade rules that govern domestic data collection. According to the story, “Two engineers with close ties to Google exploded in profanity when they saw the drawing.”

The full WaPo story is here.  The program hacks into internal networks and collects documents before they are encrypted.  At least on the surface, it appears Google and Yahoo were unaware of this snooping.

Update: Here are 65 things we have learned about the NSA.

Comments

So, if this collection is done overseas, where's the problem? How many "purely domestic" (i.e. US to US) emails flow through overseas links?

A lot. First, probably off site backups may be foreign sites. I'd hope they are transmitting fully encrypted data only but maybe not.

Also, for faster access / redundancy your emails may be cached at multiple international locations possibly to be served to you from nearest up server whenever you travel? (very simplistically)

Another idea: What if NSA conducts ops in a foreign nation where Google has presence, hacks into Google there physically and then once into Google Turkey's (say) Intranet now wiggle in to Google USA and then pull whatever it wants via its foreign location tap. Only for small datasets though; if you pulled Terabytes the network traffic will be obvious.

Legally, does physical location of the eavesdropper matter or the location of the data you are pulling? I don't know.

Computer trespass laws are based on the jurisdiction where the computer physically resides. If you hack a PC in New Hampshire from Vermont, you would be charged in New Hampshire. It gets a little complicated when dealing with wiretapping laws. A call between two states for example, that is recorded by one party could be a crime in one state, but not the other. In the case of the NSA, the law applies to the agency and its agents so their foreign operations are covered anyway.

It's pretty clear that no laws apply to the NSA or its agents

...or the ATF, or the IRS...

...or your local Sheriff's office...

According to the story, this is legal under US law (as is the PRISM program). So it seems that the real problem is legislation giving the NSA far too much latitude to operate.

I'd argue the "problem" is no persons/companies will trust U.S. corporations with cloud storage... or anything provided by US tech. Really gonna hurt our industry long term.

I think you overstate the impact. 90% of the people are clueless. Most of the ones who are aware don't care much.

Really, most people are not that sensitive to being spied on and are hugely more responsive to cost. Cloud storage winners will mostly (sadly) be decided based on freebies, ease of use, coolness and advertising.

"I think you overstate the impact."

I'd downstate the importance of individual personal users--what counts are the CIOs who select cloud services for their large company's IT needs.

Maybe 90% of the people are clueless, but the 10% that aren't include all the security gurus who are coding the next generation of security software. I already know how they view this, they see it as a technical problem to be solved.

Ironically, end-to-end encryption already exists for email & some other protocols. For a little effort & inconvenience a lot more secure communication is already possible without any new developments needed.

The question again is, will users want to use it? I sure don't use it though I know how to.

Nope. The question is how can technical improvement and user awareness meet in the middle.

People lock the doors to their houses in spite of the inconvenience, and the fact that on most days they will not get burgled even if they left it unlocked. But that inconvenience is minor, and it is easy to understand the idea "This is my key, I need to protect it".

Crypto software will never make security automatic -- but it's not unreasonable to think we can improve things until it works as well as ordinary door locks.

@Adrian:

My point is, for most people the chance / downside / risk / damage of NSA reading their email is orders of magnitude lower than of leaving your house door unlocked.

For e-mail in general, I agree. I already write every e-mail under the assumption that it might become public.

There's a more insidious "big data" cost, though. Once you understand that surveillance is looking for patterns of association, and can easily pull together communications, travel, and payments data to do that, you become conscious of your profile, and think twice before doing anything that might set off bells.

Not really. Here in Germany, German email providers have even started advertising (big campaign, including prime time TV ads) with the fact that none of their data is stored in the US and have released a list of "trusted email providers" which does not include any American ones.

Well...where else are you going to get your cloud storage and computing, since only US firms (Microsoft, Google, Amazon, VMware) have invested serious resources into providing these kinds of services?

More immediately, would anyone from Google like some "help" from NSA in securing their internal network?

Facebook's European servers are based in Sweden, where the law is that they have to hand over way more information than NSA is accused of taking. That law has always been public, but no one in Europe cares. Of course, in practice Sweden can't handle all the data and doesn't ask for as much as NSA.

So let me get this straight. All findings indicate that data located in the US is less likely to be compromised by the NSA than is data outside of the US. Yet these findings are supposed to hurt the prospects of American cloud storage companies.

Are underwear gnomes behind this?

Does anyone care? I feel like we could discover that the NSA is peering in our bedroom windows every night and all we'd get is another Washington Post article and 12 hours of "outrage."

I think a lot of the non-reaction stems from 1) everybody was already assuming the US government was doing this, and 2) all foreign governments are doing this, too. So a lot of the outrage seems feigned. How surprised could you really have been?

China is probably not being so nice about it, and simply hasn't had a real leak about their program.

The Chinese have use for such modesty. The censors and surveillance are blatant.

I assume you meant "no" use. Otherwise I'm not sure I understand.

What do you know about Chinese surveillance of American internet habits? I assume they have all my email and browser history. It would be shocking if they had less than the NSA which has _some_ curbs on its behavior. But I haven't seen any hard leak to that effect.

It's probably best to assume Germany has the same and France has the same and England has the same. This is just too obvious and too inexpensive to not be at least attempted by most big states. It's like asking "do they have fighter planes?" Of course they do. They have all the tools necessary to be a modern power.

+1

I think at some level most people are glad the custodial state is looking at their e-mail. As humans we tend to fear that which is closer to us than that which is far away. The panopticon is out of sight and therefore out of mind. That jerk down the street with the "Impeach Obama" signs in his yard is a constant reminder that your fellow citizens are dangerous.

I think the tipping point might be the day if and when these agencies started using the data for pursuing more garden variety crimes.

Very few people are terrorists; a lot more evade taxes, drive drunk, commit insurance fraud etc.

I think this is right. Where I live, people HATE red light cameras, but they don't care about the NSA.

Like they do in Europe? Some of the things they do over there to fight tax evasion are pretty invasive if you ask me. But from this outsider's perspective, very few people over there seem to mind. At any rate, I find it laughable that a French company's biggest fear would be that the US government would invade their privacy given all the things everyone knows the French government does.

Don't get me wrong. I don't like this any more than I like the creation of the atomic bomb. But fundamentally, this is a technical problem. Even if by some chance we could change the political culture of Washington (and the nation at large for that matter) that would not stop the Chinese, Russians, or whoever from doing the same thing. History makes me believe that if governments can do this sort of thing (technically speaking) they will regardless of its legal status.

Plenty of people in the crypto and computer security community are quite upset. Similarly, there was a reasonably large rally about this in DC.

My guess is that there's not that much focused, widely-reported outrage because both big parties are in on this stuff. Most political reporters and almost everyone who ever gets quoted or interviewed by political reporters have an explicit political affiliation, either Democratic or Republican. When both parties agree that everyone, foreign and domestic, must be spied on always and everywhere and that mere technical violation of the law by the spy agencies is no reason to expect them to change anything, where's the power center that's going to push back on it? Who is going to get a lot of media time to discuss it, when 90+% of the common talking heads are on board because their team is on board and that's all they care about?

Sure, don't you? The programs don't work (at least for their stated purpose), and if they did work they'd be very creepy. There is evidence that the NSA has passed information to the DEA and IRS, and I'd expect that as with all government programs, the scope of these operations will only increase unless people speak up.

I guess if most people are uninterested and decide not to contact their reps nothing will change. It is sad that with every expansion of these surveillance programs we are proving unequivocally the effectiveness of both terrorism and lobbying by fear mongering federal contractors.

And just in case some politician even thinks about doing something about it here is a question for him:

9/11. Would you accept responsibility for a similar event if you shut down the spying?

Strawman argument: first you have to prove that these procedures are actually capable of preventing a similar event.

Obama is going to be so mad when he hears about this. That never gets old.

It's posts like this that make me wonder what happened to Andrew'.

Seriously, this joint is about 40% lamer when he's not around.

And where's prior_approval? Both hyperposters gone at the same time?
Got to be NSA related

Perhaps they were NSA plants all along.

I was in Istanbul - spent some time on a Turkish destroyer, watched a Russian fleet tanker sail by, checked out the YM Miranda (which did do some Internet related damage, actually) - it was a nice vacation.

The NSA had nothing to do with it, obviously. Besides, my family background is tilted more to the CIA than NSA anyways (mainly because one relative on my mother's side also worked for the CIA - nobody on my dad's side ever worked for the NSA).

This article is one that definitely hit home for me. I am totally opposed to the "snooping" that the government conducts on its own citizens. Furthermore, using the internet to invade people's privacy is simply unacceptable. Regardless of whether or not the search engine corporations knew that this type of "snooping" was going on or not; the issue is that internet security is not even seen as a threat to these corporations. That is beyond my imagination. It is common knowledge that there are no legitimate laws for the internet. If you are in another country, regardless what crime it is that you are using the internet for; it is highly unlikely to be punished for internet crimes. As we become more technologically advanced, let's not hinder ourselves by blatant disregard for an enormous threat.

"regardless what crime it is that you are using the internet for; it is highly unlikely to be punished for internet crimes. "

Doubt that. Thousands of cumulative prison-years are being served for stuff like downloading child porn or hacking into servers.

The issue in getting people upset about this issue is that the harm is diffuse, not specific. So far we cannot identify anyone who was specifically harmed by the spying. Even Merkel is unable to say exactly what the consequences were. In a way the leak by Snowden could be beneficial for the NSA in that instead of people learning about this as a result of a scandal (say a politician being blackmailed) it has come out in this way, not related to any one person.

It's also a slippery slope issue. If we don't stop NSA now they'll expand and in due course we'll see summons at the door for peccadilloes confessed via email.

"Don't be evil...don't be evil...heh heh heh...don't be evil" Google just wishes it had the power of the NSA.

At some point over the past five or six months or more, a story emerged from Russia that one of their security agencies, mistrustful of its convenient but unsecure electronic communications system, reverted to using typewriters and typing pools for all internal correspondence.

Here's a market force waiting to be unleashed: why does it just sit there drooling?

The NSA should fund itself by offering information recovery systems for a low fee. So if a hard drive crashes losing your family pictures, we should be able to just ask the NSA to give us their copies.

And for an extra 50%, the recovered pictures *won't* include those pictures you took of your mistress back when you were on that "work trip" to Cancun a couple years back. The money will roll in.

You know, I remember when MR had some of the best comments on the web. Now, we're throwing around half-baked theories that compare NSA spying to...the IRS? I don't think a single one of these commentators has offered a sound warrant for their opinion.
