By Jennifer Garnett – Edited by Abhilasha Nautiyal
Earlier this month, Mike Hearn of Google’s Security Department posted online that Google has successfully encrypted the data traffic between its servers. This undoes the National Security Agency’s (“NSA”) work in creating the surveillance program “MUSCULAR,” which taps into the connections between Google and Yahoo’s private data centers.
On October 30, the Washington Post released another wave of information attributed to Edward Snowden that described how the NSA had “broken into” the communication links between Google and Yahoo’s private data centers under a program codenamed MUSCULAR. The NSA is reported to operate this program jointly with its British counterpart, the Government Communications Headquarters. The tapping of these communication fibers gives the NSA access to millions of users’ data, including both metadata and content, regardless of whether or not they were suspected terrorists or criminals.
RT quotes Google’s chief legal officer, David Drummond as being “outraged” over the program, explaining that they have “long been concerned” about this kind of activity, and have been slowly extending encryption across Google’s myriad of services in an attempt to protect its users. Drummond’s statement was made in response to the Washington Post report of October 30 and continues, “[w]e are outraged at the lengths to which the government seems to have gone to intercept data form our private fiber networks, and it underscores the need for urgent reform.”
According to Ars Technica, Google has had a full-encryption initiative for over a year, but accelerated the initiative in June after Snowden leaked the news of the NSA and FBI’s joint “PRISM” program. Under this program, the NSA could gain front-door access to users’ data by demanding data related to certain keywords or search terms. This program was previously covered by the Digest.
The MUSCULAR reconnaissance serves to bypass NSA’s earlier PRISM program of demanding information from these tech companies for targeted keywords by breaking into the communication links between these companies’ private data centers. According to the Washington Post the government’s reasons for this additional broad-scope program are two-fold: First, much of the data mining takes place overseas, where there are weaker oversight mechanisms and the Foreign Surveillance Intelligence Court (“FISC”) has no jurisdiction. Second, this method of data gathering is less visible to tech companies, who are becoming increasingly transparent about the information that they turn over to the government. This allowed the NSA to access enormous volumes of data without alerting any privacy concerns. Indeed, the Post reported that the latest leaked documents “refer directly to ‘full take,’ ‘bulk access,’ and ‘high volume’ operations.”
One question for the tech world is what practical impact Google’s encryption will have. The Post notes that the encryption will not be sufficient to stop the NSA from acquiring access to data that they want, quoting Christopher Soghoian, of the ACLU, who said that, “[i]f the NSA wants to get into your system, they’re going to get in.” However, the Post also notes that encryption prevents the broad oversight the NSA is currently capable of by forcing them to decode the massive amounts of data that they have tapped. It notes:
Security experts say the time and energy required to defeat encryption forces surveillance efforts to be targeted more narrowly on the highest-priority targets — such as terrorism suspects — and limits the ability of governments to simply cast a net into the huge rivers of data flowing across the Internet.
This arguably is what PRISM was meant to accomplish in the first instance, by limiting access to data to information about certain court-approved keywords. One interesting question, then, is whether this actually achieves a desirable outcome in terms of balancing national security interests with individual privacy concerns.
There is also some uncertainty about the NSA’s current abilities to break encryption. The New York Times reported that the NSA is “winning its long-running secret war on encryption,” using supercomputers to break codes, inserting its own back-doors into encryption technology that it puts out on the market, and coercing others companies to do the same. This development was also reported in the Digest. However, Google told the Post that its program is designed to be “end-to-end,” meaning it is encrypted both in the data servers and along the fiber-optic lines, with “very strong” technology.
Many, such as Mike Masnick from TechDirt, demand more, urging Google to use its “political pull to fight the NSA in DC.” Others, however, are more realistic about prospects of fighting the NSA in court. As Hearne suggests, instead they will continue to do “what internet engineers have always done — build more secure software.”