NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge

from the muscular dept

Early on with the Snowden documents there had been significant disagreement over the kind of "access" the NSA had to systems at the various big tech companies -- all of which denied the kind of "direct access" that was being reported (unlike the telcos which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man in the middle attacks on Google and others' servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates servers from Yahoo and Google without their knowledge, under a program called MUSCULAR (they're not subtle with their code names, are they?).

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There's even this wacky hand-drawn diagram: There's some evidence that Google figured this out earlier. You may remember that there were reports back in September that Google had been scrambling to encrypt the information flowing between data centers, which is exactly where the NSA hit them. It looks like someone at Google figured out what the NSA was likely doing soon after the original Snowden news broke. Not surprisingly, people at these companies are not happy about this news. When the reporters spoke to "two engineers with close ties to Google," they note that the engineers "exploded in profanity" and urged the reporters to publish that drawing above to expose the NSA.

Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

It also appears that the way that the NSA is claiming this is "legal" is by only breaking into the Yahoo and Google datacenters that are outside the US, where there's significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 -- which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program -- which explains the "not under this program" language they often use around questions on 215 and 702 data collections.

The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA's Keith Alexander) about "cybersecurity" attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself.

Filed Under: data centers, encryption, executive order 12333, hacking, nsa, nsa surveillance, violations
Companies: google, yahoo

Obama Apparently Tells NSA To Not Be So Damn Obvious About Spying On The UN

from the small-things dept

Back in August, it was revealed that the NSA was tapping UN communications. As we noted, this was hardly a surprise -- in fact, it seems to fit within the NSA's general job. However, it was definitely another embarrassment in a long list of them. The latest news is that President Obama has supposedly told the NSA to cut back a bit on spying on the UN, which almost certainly means "please don't get caught again, you idiots." I classify this one in the same category as the US signing a "no spying on each other" agreement. A completely meaningless gesture that will be ignored by pretty much everyone, serving only to be used as a "leak" to the press.

Filed Under: barack obama, nsa, nsa surveillance, united nations

Mike Rogers Says NSA Told Congress About Spying On Foreign Leaders; Cuts Off Rep. Who Say That's Not True

from the incredible dept

The House Intelligence Committee, led by chief NSA apologist Rep. Mike Rogers, held yet another hearing about the NSA scandal on Tuesday, with an official focus on "potential changes to the Foreign Intelligence Surveillance Act," but that was barely discussed at all. Instead, the panel, made up of Director of National Intelligence James Clapper, NSA boss Keith Alexander, Deputy Attorney General James Cole and number 2 guy at NSA Chris Inglis, mostly focused on defending the NSA, especially in light of the recent headlines concerning spying on foreign leaders. Rogers focused on tossing out a bunch of softball questions to the panel to get them to say that they had clearly informed the House Intelligence Committee about spying on foreign leaders. After the softballs were hit back, Rogers would add a stage-whispered "Hmm," followed by an angry attack on reporters for buying into the story that the NSA hadn't informed Congress.

Of course, given that Rogers' counterpart in the Senate, Dianne Feinstein, claims that she wasn't informed, this seems a bit strange. But it got even stranger when various other committee members, including Rep. Jan Schakowsky and Rep. Adam Schiff made it clear that they had no idea this was going, despite being on the committee.

That resulted in an incredible exchange, in which Rogers attacked others on the Committee, suggesting that they should just shut up if they're going to say they weren't informed -- hinting that some Committee members "do more work than others." Schiff, quite reasonably, appeared to take offense to this, and challenged Rogers, asking for more details as to when and how the Committee was told about spying on foreign leaders. Rogers without actually answering the question kept "warning" other members not to say something about this. Schiff broke in again (with Rogers trying to stop him from talking) to ask if the Committee was directly informed about this or if it was just a giant data dump of information that he would have had to go through carefully to find out who they were spying on. Rogers again refused to answer the question, and again hinted that those who put in the "effort" would have known about this -- and then flat out cut off Schiff and handed the floor to Rep. Michele Bachmann, who went back to tossing softballs (sample question: "Do you think Snowden is a traitor?").

In the end, Rogers weak attempt to continue to defend the NSA here made it pretty clear, once again, that the claims that he has not adequately informed others in Congress of what's going on are quite accurate.

Filed Under: adam schiff, chris inglis, dianne feinstein, house intelligence committee, james clapper, james cole, keith alexander, mike rogers, nsa, nsa surveillance

Intel Officials Says French And Spain Intelligence Agencies Did All The Dirty Work In Gathering Data On Millions Of Calls

from the so-many-twists,-from-so-many-twisted-entities dept

All that noise being made by French and Spanish officials over the NSA's collection of millions of phone records is turning out to be just that: noise. The Wall Street Journal reports that, while the NSA did end up with millions of foreign phone records, it didn't do the actual collection.

U.S. officials said the Snowden-provided documents had been misinterpreted and actually show phone records that were collected by French and Spanish intelligence agencies, and then shared with the NSA, according to officials briefed on those discussions.

U.S. intelligence officials studied the document published by Le Monde and have determined that it wasn't assembled by the NSA. Rather, the document appears to be a slide that was assembled based on NSA data received from French intelligence, a U.S. official said.

Rather than being a domestic collection, like the Section 215 program, the records gathered by Spanish and French intelligence agencies apparently only touched calls originating outside of these two nations.

Based on an analysis of the document, the U.S. concluded that the phone records the French had collected were actually from outside of France, and then were shared with the U.S. The data don't show that the French spied on their own people inside France.

U.S. intelligence officials haven't seen the documents cited by El Mundo but the data appear to come from similar information the NSA obtained from Spanish intelligence agencies documenting their collection efforts abroad, officials said.

While this all seems very above-board, both for the NSA and the foreign intelligence agencies, there's still a good chance that this isn't the entire picture. The NSA is still very leery of exposing methods and sources and, despite trying to defuse the current outrage, it will probably still hold some cards close to its chest. Officials are even admitting this sudden burst of clarity still leaves things uncovered.

U.S. officials said the European collection programs were part of long-standing intelligence sharing arrangements between the U.S. and its closest allies. Officials said the figures may not reflect the entirety of the phone records collected by France and Spain.

So, while European officials may be playing this off as a horrible intrusion, the latest statements seem to indicate it isn't. There may still be a layer of intrusion as of yet uncovered and both countries are still presumably doing their own domestic spying. If so, there are undoubtedly more outrages to come, only in this case, the public, rather than officials, will be making the most noise. The NSA's many cozy relationships around the world are now backfiring, even when it's not directly to blame. Making friends with foreign intelligence agencies while alienating foreign officials is a hell of a way to fight terrorism.

Filed Under: allies, europe, france, nsa, nsa surveillance, spain

As Expected, USA Freedom Act Aims To Stop Worst NSA Abuses

from the a-step-in-the-right-direction dept

As was expected, a new bill to curb the NSA's excesses was introduced in both houses of Congress this morning, with very strong backing in both houses and on both sides of the aisle (in terms of having both powerful sponsors, and lots and lots of co-sponsors). The bill is not perfect, and it is not the final answer to all the NSA's activities, but it's a big step in the right direction -- stopping dragnet surveillance, reforming the way the FISA court works and adding some more transparency (we described many of the details in our post last week, and the bill matches what was expected). It has a decent chance of passing, but getting anything through Congress can be a chore these days. We'll be following what happens with this bill closely. You can see the full bill below or the quick two pager describing the details.

Filed Under: bulk collection, dragnet collection, fisa, fisa court, fisc, james sensensbrenner, nsa, nsa surveillance, pat leahy, usa freedom

NSA Officials Livid That White House Is Pretending It Didn't Know About Spying On Foreign Leaders

from the the-wheels-of-the-bus-are-that-way dept

Earlier this month, we noted that anonymous NSA officials had been whining about not getting strong enough support from the White House. In particular, they seemed upset that President Obama wasn't front and center in the press defending their actions and that he hadn't stopped by at Ft. Meade to give them a pep talk. We found the whole thing pretty silly. The President had made remarks in support of the NSA and there were a bunch of other things on his plate at the time that seemed more pressing politically. And, also, if you need a pep talk from the President to be happy in your job, you're probably in the wrong job.

However, such talk is getting much louder now that the President has apparently told people he had no idea the NSA was spying on foreign leaders. The NSA itself confirmed that Keith Alexander had never spoken to President Obama about spying on Angela Merkel, though it's possible that the President knew about it from other sources. And, of course, now Senator Dianne Feinstein is insisting she never knew about spying on foreign leaders either. To be honest, both claims seem ridiculous -- and it seems like this kind of weak response is further pissing off NSA officials. We already noted how NSA people were freaking out about Feinstein's statements (though, some believe this is just for show), but the grumbling over the President's statements is getting much louder as NSA officials recognize that it appears the President is positioning the NSA as a rogue agency, rather than one carrying out his orders.

Professional staff members at the National Security Agency and other U.S. intelligence agencies are angry, these officials say, believing the president has cast them adrift as he tries to distance himself from the disclosures by former NSA contractor Edward Snowden that have strained ties with close allies.

In particular, they say the claims that the President didn't know about spying on foreign leaders is hogwash.

Precisely how the surveillance is conducted is unclear. But if a foreign leader is targeted for eavesdropping, the relevant U.S. ambassador and the National Security Council staffer at the White House who deals with the country are given regular reports, said two former senior intelligence officials, who spoke on condition of anonymity in discussing classified information.

Obama may not have been specifically briefed on NSA operations targeting a foreign leader's cellphone or email communications, one of the officials said. "But certainly the National Security Council and senior people across the intelligence community knew exactly what was going on, and to suggest otherwise is ridiculous."

If U.S. spying on key foreign leaders was news to the White House, current and former officials said, then White House officials have not been reading their briefing books.

The ramifications here may be serious, as the intelligence community apparently views this as President Obama completely throwing them under the bus:

Some U.S. intelligence officials said they were being blamed by the White House for conducting surveillance that was authorized under the law and utilized at the White House.

"People are furious," said a senior intelligence official who would not be identified discussing classified information. "This is officially the White House cutting off the intelligence community."

What that actually means in the long run is less certain. It's still entirely possible that this is all for show. In fact, the White House has already said Feinstein's claim that the US would stop spying on foreign leaders is simply not true.

That said, if this means more and more NSA employees are disgruntled, I would imagine there are plenty of reporters ready and willing to help them blow the whistle on more things happening within the intelligence community. I'm guessing they already know what Glenn Greenwald's email is, for example...

Filed Under: barack obama, dianne feinstein, europe, nsa, nsa surveillance, white house

The Only People The NSA Can't Spy On Is Its Own Employees

from the irony-or-just-incredibly-ugly? dept

The NSA is everywhere, hauling in everything. Recent leaks point out how the agency is collecting data on millions of phone calls across Europe, along with snagging SMS messages, email and internet traffic. This is on top of everything it's doing in the US with its many programs, which cover everything from phone metadata to a large percentage of internet traffic (once streaming services like YouTube and Netflix are removed from the equation).

But for all its spying power and prowess, the NSA still can't manage to keep an eye on its own backyard. A number of factors contributed to Snowden heading east with thousands of sensitive files, not the least of which was a complete lack of internal controls. The NSA honestly seems to have no idea what most of its contractors are doing. Rather than institute any more internal controls (or ones that work), the agency is leaning towards simply laying off 90% of its contractors. That may mitigate potential problems, but it stills leaves its internal systems exposed to "insider threats."

It seems that nothing goes unnoticed by its external "eyes," but those focused inward are limited in number and in vision. As was pointed out earlier, the NSA may be able to haul in millions of emails and sift through them for "relevant" information, but when asked to search its own internal email system, it draws a blank.

Additionally, as Mike covered last Friday, attempts at installing software for detecting internal threats have been thwarted by a vague "lack of bandwidth." This software, made by Raytheon, still isn't in place despite being ordered into use in 2010, shortly after Manning's leaks to Wikileaks surfaced. This lack of threat detection software made it much easier for Snowden to gather what he did -- an event the NSA had no contingency plan in place to deal with, much less head off.

As Mike said, it's unclear what this "lack of bandwidth" phrase is referring to. It could mean the software demands too many network resources to do its job. Or it could mean there aren't enough manhours to devote to installing and implementing the software. It could also simply mean the agency would rather not install the software and has come up with a plausible reason why it "can't."

Mark Hosenball, writing for Reuters, indicates it's a network issue.

Officials responsible for tightening data security say insider threat-detection software, which logs events such as unusually large downloads of material or attempts at unauthorized access, is expensive to adopt.

It also takes up considerable computing and communications bandwidth, degrading the performance of systems on which it is installed, they said.

By not installing this software (something the Dept. of Defense itself hasn't done yet), the NSA is in risk of violating the law governing insider threat detection. According to Hosenball, this software requirement was written into law in 2011, and agencies affected had until the end of October 2013 to have it in place. Obviously, the NSA won't be meeting this dealine. It has until October 2014 to have it both in place and fully operational, but it may have trouble even hitting that extended deadline.

One official said intelligence agencies had already asked Congress to extend the deadline beyond October 2014 but that legislators had so far refused.

Installing new software that plays nice with existing government software can be a lengthy nightmare, but this difficulty is hardly the only factor affecting its incredibly slow adoption. As Marcy Wheeler points out, the agency may not want to make the bandwidth tradeoff needed to deploy this threat detection software.

If the Intelligence Committees were unable to get the IC to take this mandate seriously after the Chelsea Manning leaks, I don’t see any reason they’ll show more focus on doing so after Edward Snowden. They seem either unable to back off their spying bandwidth draw far enough to implement the security to avoid another giant leak, or unwilling to subject their workers (or themselves?) to this kind of scrutiny.

If any combination of the above is true, it makes truly disturbing statement about the agency's mentality. For one, the NSA has resisted any sort of meaningful oversight. It may have no desire to subject its internal employees to additional scrutiny -- even if it means more "damaging" leaks -- simply because it would rather not generate any evidence of wrongdoing that could be used to threaten its ongoing programs.

It's also disturbing that the agency would seemingly make the tradeoff of internal security for uninterrupted and unimpaired collection activity. The agency and its supporters constantly claim there's a "balance" between security and liberty that must be considered. But its failure to implement a program that looks for potential leakers compromises the agency's security (and, consequently, the nation's, if its supporters are to be believed) in order to harvest even more data -- collections that haven't conclusively shown they're keeping the nation safer. The agency would rather deal with embarrassing leaks (or worse, the sale of information to enemy nations) rather than curtail its collection programs or subject its own staff to the same level of scrutiny the rest of the nation experiences.

Filed Under: insider threats, leak prevention, nsa, nsa surveillance

NSA Officials Admit: 'We're Screwed Now' After Feinstein's Statement

from the maybe-shouldn't-have-pushed-the-limits-so-much dept

While we're a bit cynical about the reasoning behind Senator Dianne Feinstein's sudden "conversion" to realizing that perhaps the NSA is out of control with its spying, and needs greater oversight and control, apparently her statement sent chills through officials at the NSA. After all, Feinstein was the strongest Senate defender of the NSA's activities -- to the point that we'd suggested in the past a somewhat co-dependent relationship. However, it sounds like she just turned on the NSA and has suggested that perhaps it needs to go to rehab. Shane Harris and John Hudson at Foreign Policy's The Cable blog have the details:

"We're really screwed now," one NSA official told The Cable. "You know things are bad when the few friends you've got disappear without a trace in the dead of night and leave no forwarding address."

Of course, that's the sort of crazy hyperbole that the NSA is increasingly known for. Feinstein hasn't "disappeared." She's just finally pointed out what many of the rest of us have been arguing for ages: that the NSA is out of control, going way beyond what it's authorized to do, and has little real oversight, in part because of its regular practice of misleading pretty much everyone over the details and extent of its surveillance programs.

Even more important, the statement from that NSA official shows that they still don't recognize what got them into this mess. If the NSA had actually been upfront about what it was doing with others, perhaps it wouldn't find itself in this mess today. It makes you wonder if the NSA is so focused on being super secret about its operations to the outside world that it couldn't distinguish enough about being transparent to government oversight bodies as well.

Filed Under: dianne feinstein, nsa, nsa surveillance, oversight

Latest Declassified NSA Records Show NSA Believes It Can Spy On Everyone's Location Based On Existing Approvals

from the of-course-it-does dept

James Clapper has declassified another batch of documents on the NSA activities. We'll probably write about a few of them, but let's start with one that's getting a lot of initial attention: the document that discusses the "test" of collecting location info from the telcos based on where your mobile phone was. The short version? Do you know where you were on April 26, 2010? Because the NSA probably does. It had already been revealed that the NSA had run "a test" of obtaining location info from the telcos. This document, which is a memo from the NSA to the Senate Intelligence Committee is just explaining some of the details, with this being the key one:

In regards to the mobility testing effort, NSA consulted with DOJ before implementing this testing effort. Based upon our description of the proposed mobility data (cell site location information) testing plans, DOJ advised in February 2010 that obtaining the data for the described testing purposes was permissable based upon the current language of the Court's BR FISA order requiring the production of 'all call detail records.' It is our understanding that DOJ also orally advised the FISC, via its staff, that we had obtained a limited set of test data sampling of cellular mobility data (cell site location information) pursuant to the Court-authorized program and that we were exploring the possibility of acquiring such mobility under the BR FISA program in the near future based upon the authority currently granted by the Court.

The key takeaway here: the NSA believes that the current FISA approval of dragnet collection of metadata on every phone call includes permission to track location data as well, even though it doesn't currently do so. The "BR FISA order" means "business records" which is what Section 215 of the PATRIOT Act is sometimes called. The fact that the NSA didn't seem to think it was necessary to check with the FISA Court before running this test, just to make sure it was actually allowed is rather telling.

Separately, can anyone explain why the redacted portions of this document are redacted? It makes no sense. They redact the number of location records that were obtained. I can't see how that number could possibly need to remain classified once the existence of such a test was declassified. The only reason I can think of to keep that classified is to avoid embarrassment over the large number of people whose location info was scooped up. Similarly, they redact the name of the lawyer who wrote the memo. Again, the only reason I can think to do this is to protect him from embarrassment and public mocking. Such a public mocking might seem unfair, but I don't see how it fits in with a reasonable classification category.

Filed Under: business records, fisa, fisc, location data, nsa, nsa surveillance, patriot act, section 215

Five Reactions To Dianne Feinstein Finally Finding Something About The NSA To Get Angry About

from the friends-in-high-places dept

Dianne Feinstein, the NSA's biggest defender in the Senate (which is ridiculous since she's also in charge of "oversight") has finally had enough. It's not because she finally understands how crazy it is that the NSA is spying on every American, including all of her constituents in California. It's not because she finally realized that the NSA specifically avoided letting her know about their widespread abuses. No, it's because she just found out that the NSA also spies on important people, like political leaders around the globe. It seems that has finally ticked off Feinstein, who has released a scathing statement about the latest revelations:

“Unlike NSA’s collection of phone records under a court order, it is clear to me that certain surveillance activities have been in effect for more than a decade and that the Senate Intelligence Committee was not satisfactorily informed. Therefore our oversight needs to be strengthened and increased.

“With respect to NSA collection of intelligence on leaders of U.S. allies—including France, Spain, Mexico and Germany—let me state unequivocally: I am totally opposed.

“Unless the United States is engaged in hostilities against a country or there is an emergency need for this type of surveillance, I do not believe the United States should be collecting phone calls or emails of friendly presidents and prime ministers. The president should be required to approve any collection of this sort.

There are so many different possible reactions to this. Let's go to list form to go through a few:

1. Most people seem a hell of a lot less concerned about spying on political leaders than the public. After all, you kind of expect espionage to target foreign leaders. It seems incredibly elitist for Feinstein to show concern about spying on political leaders, and not the public. It shows how she views the public as opposed to people on her level of political power. One of them doesn't matter. The other gets privacy.
2. For all the bluster and anger from Feinstein about this, the Senate Intelligence Committee's mandate is only about intelligence activities that touch on US persons, so it's not even clear that she has any power over their activities strictly in foreign countries targeting foreign individuals. Why she seems to have expected the NSA to let her know about that when the NSA itself has been pretty explicit that avoids telling Congress about anything it can reasonably avoid telling them.
3. Feinstein has referred to Ed Snowden's leak as "an act of treason." Now that they've revealed something that she believes is improper and deserving of much greater scrutiny, is she willing to revisit that statement?
4. Given that Feinstein has been angrily banging the drum for months about how her oversight of the intelligence community shows that everything's great, and there's no risk of rogue activity -- yet now she's finally admitting that perhaps the oversight isn't particularly comprehensive, is she willing to admit that her earlier statements are reasonably considered hogwash and discredited? She even says in her statement: "Congress needs to know exactly what our intelligence community is doing. To that end, the committee will initiate a major review into all intelligence collection programs." And yet she's been claiming that oversight has been more than enough for years?
5. The cynical viewpoint: Feinstein knows the USA Freedom Act is coming out Tuesday, and that it has tremendous political momentum. Sooner or later she was going to have to admit that NSA surveillance was going to be curbed. Did she just happen to choose this latest bit of news for a bit of political theater to join the "time to fix the NSA" crowd?

There are plenty of other things that could be added to the list, but the whole situation seems fairly ridiculous considering about whom we're talking.

Filed Under: dianne feinstein, elites, nsa, nsa surveillance, oversight, senate intelligence committee, world leaders