The Most Worrying NSA Revelation Yet

It’s no secret I’ve shrugged at most of the revelations brought about by the documents Edward Snowden stole: most described legal programs doing things you’d expect the NSA to do — and in many cases exposed completely legitimate programs that should never be exposed.

Now, however, Bart Gellman and Ashkan Soltani have published something truly worrying: evidence that suggests the NSA has been able to surreptitiously tap into links between servers that make up the data centers of Google and Yahoo abroad and siphon off data about their users.

But parts of the story are frustratingly vague. After raising the specter that the NSA is collecting data and content of US Person (USPER) communications, they write, “The NSA does not keep everything it collects, but it keeps a lot.” How much does it keep? The document snippets they post do not say. The exact place the NSA taps into the data is also a bit unclear — the published slide, with that smiley face that will permanently come to define the agency, makes it appear that the break-in happens at the front-end servers (basically the servers that connect users to the cloud). But then the body of the article makes it sound like the tap happens on the fiber lines connecting the data centers that make up the cloud.

The distinction between the two might be critical to understanding the legality of this program (codenamed MUSCULAR). If the front-end servers are in the U.S., but are broken into for collecting “upstream” data, then that is probably illegal under Section 702 of the FISA Amendments Act. But if it taps the insecure fiber lines that connect data centers in other countries, the question becomes much murkier.

On page three of the article, they write, “It is not clear how much data from Americans is collected, and how much of that is retained.”

That seems like a critical question to me, one that goes to the heart of the legality or illegality of NSA programs. In the last paragraph of the story, the two writers mention a 2011 court case involving FISA declaring an NSA collection effort illegal under section 702. But because the program they describe takes place abroad, it happens under Executive Order 12333, which has looser disclosure requirements for Congress and possibly looser standards for collection.

I’m not at all clear how a collection effort that is illegal under 702 when aimed at Americans would not be legal when aimed at foreigners under 12333. But I think the “Americanness” of the servers is crucial. Please indulge some speculation here.

There is a big gray area about whether the foreign subsidiaries of US corporations count as USPER under the law. In some cases, like certain types of sanctions, foreign-incorporated subsidiaries of US corporations are not counted as USPER, and thus aren’t subject to sanctions (in the linked example, the US government was closing that loophole for the sanctions against Iran). Other corporations use foreign subsidiaries to avoid taxes.

Left unanswered in the Washington Post piece, then, is a huge question: do foreign subsidiaries of Google and Yahoo count as USPER, or do they not? The answer to that question, which so far I cannot answer, will determine whether the collection activity they are publicizing is just overreach thanks to fuzzy laws (and an unintended consequence of our loose tax laws) or a serious crime.

Either way, tapping into Internet companies who are already fully complying with legal requests under the PRISM program is going to be difficult, if even possible, for the NSA to justify. Put simply, it has lost this round, if not the war. While the Post is frustratingly vague about the difference between a technical capability and evidence of illegality or abuse, the government will not be able to recover the nasty image this creates of how they function — seemingly going after already compliant companies.

Lingering Questions:

  • A hand-drawn diagram? Copy-pasted into a slide? That’s all we get from a 40,000 person agency amongst the “blueprints” Snowden supposedly took? What happened to transparency? Show us the rest of the slides, please (and the rest of PRISM, too — what happened to those?).
  • That hand-drawn image is seriously weird. I can’t remember ever seeing a scanned post-it note in the many TS briefings I attended (and yes I’m willing to risk censure for even saying that much). IC types have their foibles, but at the end of the day they try to be pros, and there’s no reason they couldn’t construct an identical graphic using the tools everyone has. So yeah: it’s deeply odd.
  • Sadly, there is a bit of history on these NSA stories of the initial version looking horrendous and subsequent corrections and disclosure softening the blow. (This is true least of all with Gellman, but his initial PRISM story was shot full of embarrassing holes it did not need to be.) Just like the now-questionable “NSA IS SPYING ON EUROPE” stories earlier in the week, it is possible something will come out over the next few days that mitigates this. But it’s hard to see what that is.
  • NSA Chief Keith Alexander is already denying that he had knowledge of the program as reported by the Post. Is he lying or does he not read his own agency’s publications detailing their activities? And if the latter, what does that say about the capacity of the NSA director to monitor his own agency’s activities?
  • Google announced in September that it is encrypting the very data center links that this NSA program accesses. How will that be affected knowing how vulnerable they were? And is that related to those mysterious Google barges?
  • We still tend to ignore the very uncomfortable fact underneath all of these stories that the NSA can only collect this information because we gleefully hand it over to Silicon Valley in exchange for no promises of privacy and “free” services (that are paid for by monetizing our privacy). That needs a reckoning alongside the NSA.
  • Related: the Wall Street Journal ran a story last year about commercial off-the-shelf surveillance technology that included the means to break into undersea fiber cables and international gateways. These are corporations in Silicon Valley, part of the IT community, who built this stuff. The coauthor on this Washington Post story, Ashkan Soltani, assisted the Wall Street Journal with their work as well.

Lastly, just about everyone is snickering or shaking their heads at the little smiley face on the NSA’s post-it note that supposedly describes how they broke into Google’s cloud. While understandable, that’s also a bit unfair: the NSA employs thousands of geeks, and all geeks love solving puzzles. Being charitable, it seems like this was a damned tough puzzle to solve for them, so a bit of giggly excitement is to be expected. That does not change how horrible this looks to normal people, however, nor does it make the NSA look any better to the Very Serious People who cover this stuff. Like most of the leaks, regardless of how our understanding of it changes, that visual is going to endure.

Joshua Foust used to be a foreign policy maven. Now he helps organizations communicate strategically and build audiences.