NSA could have accessed Google, Yahoo data through private cable provider

26 Nov, 2013 17:26 / Updated 11 years ago

A new analysis of the National Security Agency’s covert eavesdropping operations suggests the private American company that supplies the likes of Google and Yahoo with fiber optic cables might have allowed the NSA to infiltrate those networks.

Reporters at the New York Times wrote this week that Level 3 Communications — the Colorado-based internet company that manages online traffic for much of North America, Latin America and Europe — is likely responsible for letting the NSA and its British counterpart silently collect troves of sensitive data from the biggest firms on the web.

Last month, top-secret leaked documents released to the media by former intelligence contractor, Edward Snowden, revealed efforts by the NSA to intercept web traffic going between data centers owned by big companies in an unencrypted state. A Washington Post report from late October attributes those Snowden leaks as saying that the NSA was receiving millions of records every day from internal Yahoo and Google networks and transferring that information to a facility at the agency’s Fort Meade, Maryland headquarters - all in spite of previously leaked documents which detailed how those companies and others had been providing the NSA with front-door access as part of the agency’s PRISM operation.

Nevertheless, the Post reported last month that “From undisclosed interception points, the NSA and the GCHQ are copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants.” Data stored within those facilities is highly secure and encrypted, but not while in transit on cables primarily owned by Level 3.

Nearly one month later, an article published this Monday by Nicole Perlroth and John Markoff at the Times says those interception points could have been approved by Level 3, who owns the cable infrastructure that the majority of America’s web traffic travels through.

People knowledgeable about Google and Yahoo’s infrastructure say they believe that government spies bypassed the big Internet companies and hit them at a weak spot — the fiber-optic cables that connect data centers around the world that are owned by companies like Verizon Communications, the BT Group, the Vodafone Group and Level 3 Communications,” Perlroth and Markoff wrote. “In particular, fingers have been pointed at Level 3, the world’s largest so-called Internet backbone provider, whose cables are used by Google and Yahoo.”

It is impossible to say for certain how the NSA managed to get Google and Yahoo’s data without the companies’ knowledge,” the Times article continued, “But both companies, in response to concerns over those vulnerabilities, recently said they were now encrypting data that runs on the cables between their data centers.”

Through the NSA’s PRISM operation first disclosed by Mr Snowden in June, the government is alleged to have “upstream” access to data that non-US persons send through the servers of major internet companies, even compensating those firms in order to ensure they’re fully compliant with the feds’ requests. When word of a backdoor operation targeting those same PRISM-partners was disclosed last month, Google said at the time, “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

If the latest analysis in the Times proves to be correct, the lengths that the NSA and its British counterpart have gone to wouldn't necessarily be considered all that outrageous. In fact, those agencies could have been obtaining access from Level 3 perhaps with just a contract.

Reached by the Times for comment, Level 3 said, “It is our policy and our practice to comply with laws in every country where we operate, and to provide government agencies access to customer data only when we are compelled to do so by the laws in the country where the data is located.”

In a financial report made by the company and obtained by the paper, however, Level 3 is revealed to have much more of a relationship with the government then one that just involves the occasional compliance order. According to that report, the company announced, “We are party to an agreement with the US Departments of Homeland Security, Justice and Defense addressing the US government’s national security and law enforcement concerns. This agreement imposes significant requirements on us related to information storage and management; traffic management; physical, logical and network security arrangements; personnel screening and training and other matters.”

When news of the eavesdropping operation surfaced last month, Christopher Soghoian, a technologist at the American Civil Liberties Union, speculated on Twitter that if Level 3 indeed allowed the government to tap its cables, they’d likely not be covered by the same legal protections in the Foreign Intelligence Surveillance Act, or FISA, that let feds conduct widespread surveillance over private companies’ data.

If Level 3 voluntarily let NSA/GCHQ tap Google's data, the immunity available via FISA 702 orders won't apply and they can be sued.

— Christopher Soghoian (@csoghoian) October 31, 2013

Neither Google nor Yahoo have publicly commented on the suggestion that Level 3 compromised their networks’ data, nor have they indicated any willingness to file suit.