Analysis: NSA's data grab ought to boost privacy concerns

Byron Acohido | USA TODAY

SEATTLE — The latest revelation of how government spies tap into the personal data that U.S. consumers so blithely place into the control of the Internet's advertising giants is the most profound yet.

The Washington Post today outed a National Security Agency data snooping program, code-named MUSCULAR, that copies all traffic flowing between two of the largest online advertising giants: Google and Yahoo.

In the latest installment of revelations from Edward Snowden, the Post is reporting that NSA partnered with its British counterpart, GCHQ, to carry out MUSCULAR.

"This is the first real evidence of deep intrusions by NSA and GCHQ into the internal networks of major Internet companies," says Dave Jevans, chief technology officer of mobile security firm Marble Security. "By essentially copying all traffic that flows through these networks, the intelligence agencies can see everything that happens at these companies."

CyberTruth video: Cybersecurity experts react to the NSA's surveillance rationale

MUSCULAR appears to give government snoops access to not just contact lists and address books — last week's Snowden revelation — but all e-mail and business documents, including Google docs which is used by hundreds of thousands of companies.

It's unlikely the government does any data mining beyond the narrow parameters of ferreting out terror plots; NSA chief, Gen. Keith Alexander, has said the surveillance programs that tap in commercial Internet traffic has helped curtail 54 terrorists attacks.

"Consider what the NSA is trying to do — detect and monitor terrorist organizations," says Dave Frymier, chief information security officer at IT supplier Unisys, "They are looking for a proverbial needle in the haystack — and to find that needle, you need access to the haystack."

Yet the steady flow of revelations from the Snowden documents may be having the effect of keeping convenience-minded consumers more attuned to the intensive harvesting of their every online move by Google, Yahoo, Facebook, Instagram, LinkedIn, Microsoft, AOL and other major and minor players treating consumer privacy as a free profit-making resource.

Tanuj Gulati, chief technology officer at security intelligence firm Seuronix, says raising the privacy consciousness of consumers and businesses could alter the course of how we use mobile devices and Internet cloud services.

"In the last few years, many businesses have increased their reliance on cloud providers for essential service," says Gulati. "If NSA is able to get their hands on this data, there may be others that may be tapping into the same data. All cloud providers need to act quickly to regain customer confidence."

Consumers and companies should not take this lightly. "We can assume a whole new level of threat," Jevans says. "The NSA and GCHQ must have insiders either working at Google and Yahoo, or in the data centers where their servers are housed."

Global companies could be susceptible to similar government snooping and should assess the security of data transfers between various data centers. "This is going to add significant cost to the operation of these data centers," Jevans says.

The large-scale collection of data that is happening through the MUSCULAR program would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner, The Washington Post explained.

"The scope of MUSCULAR program and the fact that it blatantly leverages loopholes in the legal system is particularly concerning," says Michael Sutton, a researcher at network security firm Zscaler. "MUSCULAR is fundamentally different than PRISM, which is subject to oversight from U.S. courts. MUSCULAR is intentionally focused overseas where the same U.S. laws don't apply and the NSA has far greater freedom with data collection practices."

Even so, many security and military experts and law enforcement officials strongly support in principal the NSA's antiterrorism efforts.

Says Sutton: "We shouldn't blame the NSA — they're performing exactly what they've been tasked to do — use every legal means necessary to collect intelligence. Blame for programs such as PRISM and MUSCULAR rests squarely with the politicians that have implemented a system riddled with loopholes and such loose oversight that the rules are meaningless."

J.J. Thompson, founder and CEO of the security consultancy firm Rook Consulting, agrees. "The leading intelligence agencies are doing what they need to do to detect and prevent threats. In this case, fiber optic taps appear to be used on international Internet connections and in insecure locations within the trusted network space in the Google and Yahoo data centers."