The Most Worrying NSA Revelation Yet

It’s no secret I’ve shrugged at most of the revelations brought about by the documents Edward Snowden stole: most described legal programs doing things you’d expect the NSA to do — and in many cases exposed completely legitimate programs that should never be exposed.

Now, however, Bart Gellman and Ashkan Soltani have published something truly worrying: evidence that suggests the NSA has been able to surreptitiously tap  into links between servers that make up the data centers of Google and Yahoo abroad and siphon off data about their users.

But parts of the story are frustratingly vague. After raising the specter that the NSA is collecting data and content of US Person (USPER) communications, they write, “The NSA does not keep everything it collects, but it keeps a lot.” How much does it keep? The document snippets they post do not say. The exact place the NSA taps into the data is also a bit unclear — the published slide, with that smiley face that will permanently come to define the agency, makes it appear that the break-in happens at the front-end servers (basically the servers that connect users to the cloud). But then the body of the article makes it sound like the tap happens on the fiber lines connecting the data centers that make up the cloud.

The distinction between the two might be critical to understanding the legality of this program (codenamed MUSCULAR). If the front end servers are in the U.S., but are broken into for collecting “upstream” data, then that is probably illegal under Section 702 of the FISA Amendments Act. But if it taps the insecure fiber lines that connect data centers in other countries, the question becomes much murkier.

On page three of the article, they write, “It is not clear how much data from Americans is collected, and how much of that is retained.”

That seems like a critical question to me, one that goes to the heart of the legality or illegality of NSA programs. In the last paragraph of the story, the two writers mention a 2011 court case involving FISA declaring an NSA collection effort illegal under section 702. But because the program they describe takes place abroad, it happens under Executive Order 12333, which has looser disclosure requirements for Congress and possibly looser standards for collection.

I’m not at all clear how a collection effort that is illegal under 702 when aimed at Americans would not be legal when aimed at foreigners under 12333. But I think the “Americanness” of the servers is crucial. Please indulge some speculation here.

There is a big gray area about whether the foreign subsidiaries of US corporations count as USPER under the law. In some cases, like certain types of sanctions, foreign-incorporated subsidiaries of US corporations are not counted as USPER, and thus aren’t subject to sanctions (in the linked example, the US government was closing that loophole for the sanctions against Iran). Other corporations use foreign subsidiaries to avoid taxes.

Left unanswered in the Washington Post piece, then, is a huge question: do foreign subsidiaries of Google and Yahoo count as USPER, or do they not? The answer to that question, which so far I cannot answer, will determine whether the collection activity they are publicizing is just overreach thanks to fuzzy laws (and an unintended consequence of our loose tax laws) or a serious crime.

Either way, tapping into Internet companies who are already fully complying with legal requests under the PRISM program is going to be difficult, if even possible, for the NSA to justify. Put simply, it has lost this round, if not the war. While the Post is frustratingly vague about the difference between a technical capability and evidence of illegality or abuse, the government will not be able to recover the nasty image this creates of how they function — seemingly going after already compliant companies.

Lingering Questions:

  • A hand-drawn diagram? Copy-pasted into a slide? That’s all we get from a 40,000 person agency amongst the “blueprints” Snowden supposedly took? What happened to transparency? Show us the rest of the slides, please (and the rest of PRISM, too — what happened to those?).
  • That hand drawn image is seriously weird. I can’t remember ever seeing a scanned post-it note in the many TS briefings I attended (and yes I’m willing to risk censure for even saying that much). IC types have their foibles, but at the end of the day they try to be pros, and there’s no reason they couldn’t construct an identical graphic using the tools everyone has. So yeah: it’s deeply odd.
  • Sadly, there is a bit of history on these NSA stories of the initial version looking horrendous and subsequent corrections and disclosure softening the blow. (This is true least of all with Gellman, but his initial PRISM story was shot full of embarrassing holes it did not need to be.) Just like the now-questionable “NSA IS SPYING ON EUROPE” stories earlier in the week, it is possible something will come out over the next few days that mitigates this. But it’s hard to see what that is.
  • NSA Chief Keith Alexander is already denying that he had knowledge of the program as reported by the Post. Is he lying or does he not read his own agency’s publications detailing their activities? And if the latter what does that say about the capacity of the NSA director to monitor his own agency’s activities?
  • Google announced in September that it is encrypting the very data center links that this NSA program accesses. How will that be affected knowing how vulnerable they were? And is that related to those mysterious Google barges?
  • We still tend to ignore the very uncomfortable fact underneath all of these stories that the NSA can only collect this information because we gleefully hand it over to Silicon Valley in exchange for no promises of privacy and “free” services (that are paid for by monetizing our privacy). That needs a reckoning alongside the NSA.
  • Related: the Wall Street Journal ran a story last year about commercial off-the-shelf surveillance technology that included the means to break into undersea fiber cables and international gateways. These are corporations in Silicon Valley, part of the IT community, who built this stuff. The coauthor on this Washington Post story, Ashkan Solatni, assisted the Wall Street Journal with their work as well.

Lastly, just about everyone is snickering or shaking their heads at the little smiley face on the NSA’s post-it note that supposedly describes how they broke into Google’s cloud. While understandable, that’s also a bit unfair: the NSA employs thousands of geeks, and all geeks love solving puzzles. Being charitable, it seems like this was a damned tough puzzle to solve for them, so a bit of giggly excitement is to be expected. That does not change how horrible this looks to normal people, however, nor does it make the NSA look any better to the Very Serious People who cover this stuff. Like most of the leaks, regardless of how our understanding of it changes, that visual is going to endure.

Subscribe to my work!
Joshua Foust is a writer and analyst who studies foreign policy.