The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, The Washington Post reported Wednesday, citing documents obtained from former NSA contractor Edward Snowden.
A secret accounting dated Jan. 9, 2013, indicates that NSA sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency's Fort Meade, Md., headquarters. In the last 30 days, field collectors had processed and sent back more than 180 million new records — ranging from "metadata," which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported Wednesday on its website.
The latest revelations were met with outrage from Google, and triggered legal questions, including whether the NSA may be violating federal wiretap laws.
"Although there's a diminished standard of legal protection for interception that occurs overseas, the fact that it was directed apparently to Google's cloud and Yahoo's cloud, and that there was no legal order as best we can tell to permit the interception, there is a good argument to make that the NSA has engaged in unlawful surveillance," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. The term 'clouds' refers to sites where the companies collect data.
The new details about the NSA's access to Yahoo and Google data centers around the world come at a time when Congress is reconsidering the government's collection practices and authority, and as European governments are responding angrily to revelations that the NSA collected data on millions of communications in their countries. Details about the government's programs have been trickling out since Snowden shared documents with the Post and Guardian newspaper in June.
The NSA's principal tool to exploit the Google and Yahoo data links is a project called MUSCULAR, operated jointly with the agency's British counterpart, GCHQ. The Post said NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.
The NSA has a separate data-gathering program, called PRISM, which uses a court order to compel Yahoo, Google and other Internet companies to provide certain data. It allows the NSA to reach into the companies' data streams and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.
In an interview with Bloomberg News Wednesday, NSA Director Gen. Keith Alexander was asked if the NSA has infiltrated Yahoo and Google databases, as detailed in the Post story.
"Not to my knowledge," said Alexander. "We are not authorized to go into a U.S. company's servers and take data. We'd have to go through a court process for doing that."
It was not clear, however, whether Alexander had any immediate knowledge of the latest disclosure in the Post report. Instead, he appeared to speak more about the PRISM program and its legal parameters.
In a separate statement, NSA spokeswoman Vanee Vines said NSA has "multiple authorities" to accomplish its mission, and she said "the assertion that we collect vast quantities of U.S. persons' data from this type of collection is also not true." At no point did the NSA deny the existence of the MUSCULAR program.
The GCHQ had no comment on the matter.
The Post said the NSA was breaking into data centers worldwide. The NSA has far looser restrictions on what it can collect outside the United States on foreigners and would not need a court order to collect foreigners' communications.
Cybersecurity expert James Lewis said it is likely that the Google and Yahoo data was part of a larger collection of communications swept up by the NSA program from the fiber-optic pipeline. He said that while the collection was probably legal, because it was done overseas, the question is what the NSA did with the data linked to U.S. citizens.
To meet legal requirements, the NSA has to distinguish between foreign and U.S. persons, and must get additional authorization in order to view information linked to Americans, said Lewis, who is with the Center for Strategic and International Studies. He said it's not clear from the reports what the NSA did with the U.S. data, and so it's difficult to say whether the agency violated the law.
David Drummond, Google's chief legal officer, said the company has "long been concerned about the possibility of this kind of snooping."
"We do not provide any government, including the U.S. government, with access to our systems," said Drummond. "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Google, which is known for its data security, noted that it has been trying to extend encryption across more and more Google services and links.
Yahoo spokeswoman Sarah Meron said there are strict controls in place to protect the security of the company's data centers. "We have not given access to our data centers to the NSA or to any other government agency," she said, adding that it is too early to speculate on whether legal action would be taken.
The MUSCULAR project documents state that this collection from Yahoo and Google has led to key intelligence leads, the Post said.
Congress members and international leaders have become increasingly angry about the NSA's data collection, as more information about the programs leaks out. A delegation from the European Union Parliament came to Washington this week to conduct intense talks about reported U.S. spying on allied leaders, including the collection of phone records. And a German delegation met with U.S. officials over allegations that the NSA was monitoring Chancellor Angela Merkel's cellphone.
Alexander told lawmakers that the U.S. did not collect European records, and instead the U.S. was given data by NATO partners as part of a program to protect military interests.
Congress members, however, are working on plans that would put limits on data collection. And Sen. Dianne Feinstein, chairwoman of the Senate Intelligence Committee, has called for a "total review of all intelligence programs."
More broadly, Alexander on Wednesday defended the overall NSA effort to monitor communications. And he said that as Congress considers proposals to scale back the data collection or provide more transparency to some of the programs, it's his job to lay out the resulting terrorism risks.
"I'm concerned that we give information out that impacts our ability to stop terrorist attacks. That's what most of these programs are aimed to do," Alexander said. "I believe if you look at this and you go back through everything, none of this shows that NSA is doing something illegal or that it's not been asked to do."
Pointing to thousands of terror attacks around the world, he said the U.S. has been spared much of that violence because of such programs.
"It's because you have great people in the military and the intelligence community doing everything they can with law enforcement to protect this country," he said. "But they need tools to do it. If we take away the tools, we increase the risk."
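The Washington Post, citing Edward Snowden documents, reported on Oct. 30 that the U.S. National Security Agency (NSA) had broken into the main communications links connecting Yahoo and Google data centers around the world.
***Exposure
A classified report dated Jan. 9, 2013, shows that the NSA intercepts millions of records every day from the internal networks of Yahoo and Google and sends them back to databases at NSA headquarters in Fort Meade, Maryland. In the preceding 30 days, collectors had processed and sent back more than 180 million new records, including "metadata" such as the senders, recipients and times of emails, as well as content such as text, video and audio.
The NSA and Britain's Government Communications Headquarters (GCHQ) jointly run a project called MUSCULAR to break into Google and Yahoo data centers. The data centers of the Silicon Valley technology giants pass information to one another over fiber-optic cables, and MUSCULAR can copy the entire data flow crossing those cables.
The previously exposed PRISM program uses court orders to compel Google, Yahoo and other Internet companies to provide specific data. Through it, the NSA gains access to these companies' data streams and grabs emails, video chats, pictures and other information. U.S. officials have said PRISM is aimed only at foreign targets, and technology companies say they hand over information only when they receive a court order.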
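***Denial
NSA Director Keith Alexander on Oct. 30 denied that the NSA had broken into Google and Yahoo databases. He said: "Not to my knowledge. We do not have the authority to access U.S. companies' servers and collect data unless we obtain a court's permission."
NSA spokeswoman Vanee Vines said in a statement that "the assertion that we collect vast quantities of U.S. citizens' data in this way is not true." But the statement did not deny the existence of the MUSCULAR project. GCHQ declined to comment.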
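***Controversy
The newly disclosed documents angered Google and raised legal questions, such as whether the NSA may have violated the federal wiretap law.
"Although (U.S.) legal protection against the interception of information overseas is relatively low, given that this activity was clearly directed at Google's and Yahoo's cloud databases, and that as far as we know no legal document permits such interception, the NSA did indeed carry out unlawful surveillance," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said the Google and Yahoo data was only part of the vast amount of data collected by the NSA. He said that because the collection took place overseas it was quite possibly legal, but the question is what the NSA did with the data linked to U.S. citizens. Lewis said that under the law the NSA has to distinguish between foreigners and Americans, and must obtain additional authorization to view information about Americans. But the reports do not make clear how the NSA handled the U.S. data, so it is hard to say whether it broke the law.
David Drummond, Google's chief legal officer, said Google has "long been concerned about the possibility of this kind of snooping ... We have not authorized any government, including the U.S. government, to enter our systems. We are outraged at the U.S. government's actions. This also underscores the urgent need for reform." Google, long known for its data security, said it has been working to extend encryption to more and more of its services and links.
Yahoo spokeswoman Sarah Meron also said that Yahoo keeps strict controls over its data centers. "We do not allow the NSA or any other government agency to access our data centers." However, she said the company is in no hurry for now to consider whether to take legal action.
As more and more surveillance programs are exposed, members of the U.S. Congress and international leaders have grown increasingly angry about the NSA's data collection. A European Parliament delegation arrived in Washington this week for tense talks over the monitoring of leaders. Germany also sent representatives to meet U.S. officials over the tapping of Merkel's cellphone.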
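***Defense
NSA Director Alexander said the U.S. did not collect European data and that, on the contrary, NATO allies provided intelligence to the U.S. in order to protect military interests. Congress, however, is working on draft legislation to limit data collection. Dianne Feinstein, chairwoman of the Senate Intelligence Committee, has called for a "thorough review of all intelligence programs."
Defending the NSA's conduct on Oct. 30, Alexander said: "I'm concerned that releasing information will affect our counterterrorism capability. And that is the aim of most of the surveillance programs ... I believe that if you look at this information and go back over the whole matter, you will find no sign that the NSA has acted illegally or beyond its authority."
He said these programs have spared the U.S. many terrorist attacks. "That is because our military, intelligence personnel and law enforcement agencies together are doing everything they can to protect this country under the law. But they need tools. If we take these tools away, the risk increases."
The MUSCULAR project documents show that the information collected from Yahoo and Google has provided key intelligence leads.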