Former intelligence officials and technology industry executives reacted with anger and anxiety over the latest revelations that the National Security Agency is reportedly infiltrating some of the world’s biggest technology companies and making off with the private communications of millions of their customers. And if the reports are accurate, it could be very bad news for U.S. technology companies, who have been complaining for months that their government’s secretive intelligence operations are threatening their business and driving customers towards their foreign competitors.
"I think they’re in an almost impossible situation," Rep. Adam Schiff, a senior member of the Intelligence Committee, told The Cable. Speaking of Silicon Valley firms who are obligated to cooperate with the NSA, Schiff said recent leak revelations threatened to negatively impact their bottom lines. "It’s definitely going to hurt their business and I think we ought to do everything we can to mitigate that damage. I’m very sympathetic to what they have to confront."
The Washington Post reported today that the agency "has secretly broken into the main communications links that connect Yahoo and Google data centers around the world." According to documents provided by former NSA contractor Edward Snowden, the agency is intercepting emails, documents, and other electronic communications as they move between the companies’ privately controlled facilities and the public Internet, giving the NSA access to data in nearly real-time.
The latest revelations are likely to inflame an already tense relationship between the Obama administration and American technology companies, many of whose customers live outside the United States and are not protected by laws that prohibit the NSA from spying on Americans en masse.
"Why in the world would we burn a relationship with Google by breaking into a data center?" one former intelligence officer asked.
According to an August report by the Information Technology and Innovation Foundation, the NSA scandal could cost cloud companies with U.S.-based servers between $21.5 billion and $35 billion over the next three years as customers flock to European firms that may have more legal protection from U.S. spies.
"The most enduring setback on national security from all of this could well be the impact on U.S. companies," observed a former U.S. official intimately involved with intelligence matters.
"We’ve created a Huawei problem for these companies," this official said, referring to the Chinese telecommunications firm that many U.S. lawmakers and intelligence officials believe is a proxy spy for the Chinese government.
The NSA has also reportedly worked to undermine encryption standards that are used around the world to protect private information and secure commercial transactions. Technology experts were outraged to learn that a government agency they thought they could trust was secretly working to make it easier to spy on people.
The former intelligence officer wondered aloud why the agency would engage in intelligence gathering that, if exposed, would make companies seem unable to protect their customers’ data from prying government eyes. "My personal concern is that an American company like Cisco that’s doing business with governments overseas could face real problems in that line of business."
Schiff, a California Democrat, stressed that he could not confirm or deny the substance of the Post allegations, but he did say the claims raise valid concerns if proven to be true . "If there are allegations that either because of the way these technologies now operate and get routed through the United States that there were court requirements that were circumvented that’s something that the committee absolutely ought to investigate," he said.
Representatives for Google and Yahoo told the Post that the surveillance was conducted without their knowledge. But communications experts with years of experience implementing government surveillance orders found that hard to believe. They described to The Cable a number of ways the NSA could have intercepted the company’s data, all of which seemed likely to alert Google and Yahoo that their information was being collected, or at least to raise suspicions.
The NSA document published by the Post appears to show the agency focusing on a kind of junction where a Google data center connects to the public Internet. Labeled "GFE," which the diagram says stands for Google front end server, this is the point where encryption is removed from data before it travels to Google’s cloud. If the NSA could intercept communications at that vulnerable point, then the agency could read them in their unencrypted form.
To capture or siphon off data at the point labeled GFE, the NSA could implant surveillance equipment, said two of the experts. This could be a fairly small piece of hardware, but it might be difficult to install without the consent of the people running the data center. One of the experts likened it to the secret room that the NSA is believed to have installed at an AT&T facility in San Francisco, where data was split from the company’s network and given to the NSA. That GFE point would be the likely place to install such a facility.
Curiously, both experts noted, in the world of official surveillance, GFE stands for something else: "government furnished equipment."
One of the experts said that if NSA wanted to avoid installing devices at the companies’ data centers, it would have to intercept the information on a fiber optic line as it moved from the data center to the public Internet. To do that and still capture the data while it was unencrypted, the interception point would have to be physically located no more than a few hundred yards from the data center, the expert said. In that case people working in the data center itself would likely see some physical structure nearby.
There are still other options for the NSA to capture the data from a distance, experts said, such as tunneling into the GFE from another computer. But whatever the method, the agency would have to have some way to directly tap into that GFE, whether by hacking it, installing equipment with the companies consent, or using a previously installed back door or hole in the system that was unknown to its manufacturer.
The NSA has reportedly struck deals with technology companies to install hidden access points in their equipment that can be used for surveillance. And the agency is believed to be the biggest purchaser of so-called "zero day" vulnerabilities, which are flaws in a piece of hardware or software discovered by a hacker but never revealed publicly. One of the communications experts said it was possible NSA had bought such zero days and used them to get exclusive access to the GFEs without any companies every knowing it.
Experts had already predicted that the agency’s global eavesdropping would give foreign customers a reason to stop using popular services like Google and Yahoo in favor of companies that don’t store their data in the United States or aren’t subject to U.S. laws. The government of Brazil is considering whether to force U.S. companies to locate any data on its citizens within the countries borders.
An NSA spokesman rejected the Post’s report and said the agency is following laws that protect Americans’ privacy. "NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation," NSA spokesperson Vanee Vines in a statement. She called reports in the Post that the agency uses an executive order, instead of surveillance law, to get around limitations imposed on it in the United States "not true."
"NSA is a foreign intelligence agency. And we’re focused on discovering and developing intelligence about valid foreign intelligence targets only," Vines said.
In a statement to The Cable, Dutch Ruppersberger (D-MD), the ranking member of the House Intelligence Committee, defended the NSA’s practices. "NSA is a foreign intelligence agency," he said. "It does not have the resources, capacity, or interest in collecting data on Americans. The claim that NSA collects large volumes of data on US persons is incorrect. NSA respects the privacy of US persons by using Attorney-General approved processes to minimize the likelihood of their information in NSA’s collection."
Technology company executives have criticized the Obama administration for trying to assuage public anxiety about surveillance by emphasizing that the NSA only spies on foreigners. Many of those companies’ customers live outside the United States, and some of them have been outraged by reports of the NSA hoovering up personal data on the Internet. Mark Zuckerberg, the CEO of Facebook, said the administration "blew it" in its attempts to counter the narrative that the NSA isn’t engaged in unbridled spying. The vast majority of Facebook’s users reside outside the United States.
Technology company representatives in Washington have quietly lobbied administration officials to change their talking points, and to stop emphasizing what the companies see as a double standard in how the United States spies on people’s communications, according to sources familiar with those discussions.