The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, The Washington Post reported Wednesday, citing documents obtained from former NSA contractor Edward Snowden.
A secret accounting dated Jan. 9, 2013, indicates that NSA sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency's Fort Meade, Md., headquarters. In the last 30 days, field collectors had processed and sent back more than 180 million new records — ranging from "metadata," which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported Wednesday on its website.
The latest revelations were met with outrage from Google, and triggered legal questions, including whether the NSA may be violating federal wiretap laws.
"Although there's a diminished standard of legal protection for interception that occurs overseas, the fact that it was directed apparently to Google's cloud and Yahoo's cloud, and that there was no legal order as best we can tell to permit the interception, there is a good argument to make that the NSA has engaged in unlawful surveillance," said Marc Rotenberg, executive director of Electronic Privacy Information Center. The term "clouds" refers to sites where the companies collect data.
The new details about the NSA's access to Yahoo and Google data centers around the world come at a time when Congress is reconsidering the government's collection practices and authority, and as European governments are responding angrily to revelations that the NSA collected data on millions of communications in their countries. Details about the government's programs have been trickling out since Snowden shared documents with the Post and Guardian newspaper in June.
The NSA's principal tool to exploit the Google and Yahoo data links is a project called MUSCULAR, operated jointly with the agency's British counterpart, GCHQ. The Post said NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.
The NSA has a separate data-gathering program, called PRISM, which uses a court order to compel Yahoo, Google and other Internet companies to provide certain data. It allows the NSA to reach into the companies' data streams and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.
In an interview with Bloomberg News Wednesday, NSA Director Gen. Keith Alexander was asked if the NSA has infiltrated Yahoo and Google databases, as detailed in the Post story.
"Not to my knowledge," said Alexander. "We are not authorized to go into a U.S. company's servers and take data. We'd have to go through a court process for doing that."
It was not clear, however, whether Alexander had any immediate knowledge of the latest disclosure in the Post report. Instead, he appeared to speak more about the PRISM program and its legal parameters.
In a separate statement, NSA spokeswoman Vanee Vines said NSA has "multiple authorities" to accomplish its mission, and she said "the assertion that we collect vast quantities of U.S. persons' data from this type of collection is also not true." At no point did the NSA deny the existence of the MUSCULAR program.
The GCHQ had no comment on the matter.
The Post said the NSA was breaking into data centers worldwide. The NSA has far looser restrictions on what it can collect outside the United States on foreigners and would not need a court order to collect foreigners' communications.
Cybersecurity expert James Lewis said it is likely that the Google and Yahoo data was part of a larger collection of communications swept up by the NSA program from the fiber-optic pipeline. He said that while the collection was probably legal, because it was done overseas, the question is what the NSA did with the data linked to U.S. citizens.
To meet legal requirements, the NSA has to distinguish between foreign and U.S. persons, and must get additional authorization in order to view information linked to Americans, said Lewis, who is with the Center for Strategic and International Studies. He said it's not clear from the reports what the NSA did with the U.S. data, and so it's difficult to say whether the agency violated the law.
David Drummond, Google's chief legal officer, said the company has "long been concerned about the possibility of this kind of snooping."
"We do not provide any government, including the U.S. government, with access to our systems," said Drummond. "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Google, which is known for its data security, noted that it has been trying to extend encryption across more and more Google services and links.
Yahoo spokeswoman Sarah Meron said there are strict controls in place to protect the security of the company's data centers. "We have not given access to our data centers to the NSA or to any other government agency," she said, adding that it is too early to speculate on whether legal action would be taken.
The MUSCULAR project documents state that this collection from Yahoo and Google has led to key intelligence leads, the Post said.
Congress members and international leaders have become increasingly angry about the NSA's data collection, as more information about the programs leaks out. A delegation from the European Union Parliament came to Washington this week to conduct intense talks about reported U.S. spying on allied leaders, including the collection of phone records. And a German delegation met with U.S. officials over allegations that the NSA was monitoring Chancellor Angela Merkel's cellphone.
Alexander told lawmakers that the U.S. did not collect European records, and instead the U.S. was given data by NATO partners as part of a program to protect military interests.
Congress members, however, are working on plans that would put limits on data collection. And Sen. Dianne Feinstein, chairwoman of the Senate Intelligence Committee, has called for a "total review of all intelligence programs."
More broadly, Alexander on Wednesday defended the overall NSA effort to monitor communications. And he said that as Congress considers proposals to scale back the data collection or provide more transparency to some of the programs, it's his job to lay out the resulting terrorism risks.
"I'm concerned that we give information out that impacts our ability to stop terrorist attacks. That's what most of these programs are aimed to do," Alexander said. "I believe if you look at this and you go back through everything, none of this shows that NSA is doing something illegal or that it's not been asked to do."
Pointing to thousands of terror attacks around the world, he said the U.S. has been spared much of that violence because of such programs.
"It's because you have great people in the military and the intelligence community doing everything they can with law enforcement to protect this country," he said. "But they need tools to do it. If we take away the tools, we increase the risk."
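The Washington Post, citing documents from Edward Snowden, reported on Oct. 30 that the U.S. National Security Agency (NSA) had broken into the main communications links connecting Yahoo and Google data centers around the world.
***Exposure
A classified report dated Jan. 9, 2013, shows that the NSA intercepts millions of records every day from Yahoo and Google internal networks and sends them back to databases at NSA headquarters in Fort Meade, Maryland. In the preceding 30 days, data collectors had processed and sent back more than 180 million new records, including "metadata" such as the senders, recipients and times of emails, as well as content such as text, video and audio.
The NSA and Britain's Government Communications Headquarters (GCHQ) jointly run the MUSCULAR project to break into Google and Yahoo data centers. The data centers of the Silicon Valley technology giants exchange information over fiber-optic cables, and MUSCULAR can copy the entire data flow passing through those cables.
The previously disclosed PRISM program uses court orders to compel Google, Yahoo and other Internet companies to provide specific data. Through it the NSA gains access to these companies' data streams and grabs emails, video chats, pictures and other information. U.S. officials have said PRISM is aimed only at foreign targets, and technology companies say they hand over information only when they receive a court order.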
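***Denial
NSA Director Keith Alexander on Oct. 30 denied that the NSA had broken into Google and Yahoo databases. He said: "Not to my knowledge. We have no right to access U.S. companies' servers and collect data unless we obtain permission from a court."
NSA spokeswoman Vanee Vines said in a statement that "the claim that we collect vast quantities of U.S. citizens' data in this way is untrue." But the statement did not deny the existence of the MUSCULAR project. GCHQ declined to comment.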
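***Controversy
The newly disclosed documents provoked anger from Google and raised legal disputes, such as whether the NSA may have violated the federal wiretap law.
"Although (the United States) provides a lower level of legal protection for the interception of information overseas, given that this activity was clearly directed at Google's and Yahoo's cloud databases, and that as far as we know no legal document permits such interception, the NSA did indeed carry out unlawful surveillance," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said the Google and Yahoo data was only part of the vast amount of data collected by the NSA. He believes that because the collection took place overseas it was very likely legal, but the question is what the NSA did with the data related to U.S. citizens. Lewis said that under the law the NSA must distinguish between foreigners and Americans and must obtain additional authorization to view information about Americans. But the reports do not make clear how the NSA handled U.S. data, and it is hard to say whether it broke the law.
Google's chief legal officer David Drummond said Google has "long been concerned about the possibility of this kind of snooping ... We have not authorized any government, including the U.S. government, to access our systems. We are outraged at the U.S. government's actions. This also underscores the urgent need for reform." Google, long known for its data security, said the company has been working to extend encryption to more and more Google services and links.
Yahoo spokeswoman Sarah Meron also said Yahoo maintains strict controls over its data centers. "We do not allow the NSA or any other government agency to access our data centers." However, she said it is too early to consider whether to take legal action.
As more and more surveillance programs are exposed, members of the U.S. Congress and international leaders have grown increasingly angry about the NSA's data collection. A European Parliament delegation arrived in Washington this week for intense talks over the monitoring of leaders. Germany also sent representatives to meet U.S. officials over the tapping of Merkel's cellphone.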
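***Defense
NSA Director Alexander said the United States did not collect European data; rather, NATO allies provided intelligence to the United States in order to protect military interests. However, Congress is working on drafting legislation to limit data collection. Dianne Feinstein, chairwoman of the Senate Intelligence Committee, has called for a "thorough review of all intelligence programs."
Defending the NSA's conduct on Oct. 30, Alexander said: "I am concerned that releasing information will affect our ability to counter terrorism. And that is the aim of most of the surveillance programs ... I believe that if you look at this information and go back over the whole matter, you will find nothing to indicate that the NSA has acted illegally or beyond its authority."
He noted that these programs have spared the United States many terrorist attacks. "That is because our military, intelligence personnel and law enforcement together are doing everything they can to protect this country in accordance with the law. But they need tools. If we take those tools away, the risk will increase."
MUSCULAR project documents show that the information collected from Yahoo and Google provided key intelligence leads.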