Even though they cooperate with the US spy agency on court-ordered surveillance, firms like Google and Yahoo are subject to additional surveillance they never agreed to

No data is safe (Image: Google/Rex Features)

The US National Security Agency has access to the internal networks of Google and Yahoo – and this time even company executives had no idea they had been tapped.

Thanks to documents leaked by former NSA contractor Edward Snowden, we know that tech giants including Google, Yahoo, Apple and Facebook cooperate with the NSA’s PRISM scheme, which lets the agency request user data through court orders under the Foreign Intelligence Surveillance Act (FISA).

It now seems the agency’s access goes even further. On Wednesday, The Washington Post reported that the NSA is working with its British counterpart GCHQ to gain direct access to the optical fibre networks linking Google and Yahoo’s internal data centres, under a separate project codenamed MUSCULAR.


Web companies host copies of your data on servers around the world, reducing the chance of losing your information should one fail. When you log in to an account with these firms, the data sent between you and their servers is encrypted, making it difficult to snoop – but the internal transfers between data centres are unencrypted. And because many of the transfers take place outside the US, approval from a FISA court isn’t required to tap the information.

Both Google and Yahoo say they did not cooperate with the NSA. “We have not given access to our data centres to the NSA or to any other government agency,” said a Yahoo spokesperson. “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fibre networks,” Google’s chief legal officer David Drummond said in a company statement.

According to the Post, GCHQ gathers three to five days of traffic at a time and the NSA uses software filters to keep a subset of it – including text, audio and video content, and metadata on the flow of emails. A top-secret NSA document from January reports over 180 million records had been collected in 30 days – a volume of data that even the agency struggles with.

How the data is accessed is unclear. “There are ways to get information out of fibre. If you just bend it a bit, light spills out,” says David Payne of the University of Southampton, UK, who pioneered many of the fibre-optic techniques used today. In fact, fibre networking equipment already contains such taps to let engineers monitor connection quality.

Rather than tapping the optical signal, though, Payne says it would be easier to wait until the equipment converts it into an electrical signal that computers can read before patching in. “I don’t think the NSA is surreptitiously digging up a cable and sneaking off some data,” he says.

After Snowden’s first leaks, Google announced plans to encrypt its internal communications, and the latest revelations serve to underline why. Yahoo has not yet announced any encryption plans, but it seems to be the only way to protect against snooping. Web firms can’t stop using fibres to coordinate their data centres, as alternative technologies such as microwave links are too expensive or unreliable, says Alan Mauldin of TeleGeography, a telecommunications research firm based in San Diego, California. “You’re not going to see companies moving away from using fibre-optic cables in the near future.”

This article will appear in print under the headline “Tapped at the source”