Someday, the unraveling of the National Security Agency's spying on virtually everyone might make a great spy movie. In the latest revelation, there are reports the secretive federal agency may have tapped Google and Yahoo through major Internet backbone providers.
On Monday, a story in The New York Times asked how the National Security Agency could spy on Google and Yahoo users without having direct access to those companies' data centers, which have Mission Impossible-levels of security . The Times said that "people knowledgeable about Google and Yahoo's infrastructure" believe the NSA tapped into the fiber-optic cables of such Net backbone providers as Verizon, the BT Group and Level 3.
In particular, the story points at Level 3, the largest backbone provider on the planet. Data traveling through the backbones was not encrypted, although both Google and Yahoo are now encrypting the data they send through the backbones. Level 3 responded to the Times to say that it complies "with laws in every country where we operate," and provides governmental access to customer data "only when we are compelled to do so by the laws in the country where the data is located."
Millions Sent Daily
It's not yet clear if Level 3 was a willing participant in such an arrangement. Although the Internet has a seemingly infinite number of destinations, there are only a handful of major backbone providers. If accurate, the report points to the NSA's ability to tap virtually any corporate data center without their knowledge or consent.
Earlier this month, reports surfaced that the documents released by former NSA contract employee Edward Snowden showed the NSA had tapped the transmissions to and from Google's and Yahoo's data centers. The taps meant that the agency had access to hundreds of millions of user accounts, many of which are owned by Americans.
In its story on the reports, The Washington Post cited a top-secret document in the Snowden-released files, dated January of this year, which revealed that millions of records were sent daily from the Yahoo and Google networks to NSA headquarters in Maryland. The document noted that more than 181 million records, plus metadata, had been sent in the 30 days preceding that document's date.
In response to the reports that its data centers had been compromised, Google said it had not provided access and was "outraged" at the steps the governmental agency had taken. Yahoo said it had "strict controls" in place, and had not granted access.
That's the back door. The NSA also has front-door access to user accounts, which requires approval by a Foreign Intelligence Surveillance Court.
In September, security firm RSA warned about another system-wide infiltration by the NSA. RSA advised its customers to avoid using a component in its widely used Data Protection Manager security software, because a Pseudo-Random Number Generator in the software had been flagged by the National Institute of Standards and Technology, another federal agency. NIST indicated it had reason to believe that the NSA, during the public process that created the number generator, may have included code that made the security software easier to break.