Chris Dougherty

Activist Post

NSA hacks Google. How could it affect you? Emails? Online searches? Think bigger…

Recently it was leaked that the National Security Agency tapped into primary overseas communication links that connect Yahoo and Google data centers around the world. According to former NSA contractor Edward Snowden, the agency has access to raw data from hundreds of millions of Internet users, and many of them are Americans.

This is not the first disclosure from Snowden about NSA operations. Snowden is currently living in Russia after being granted temporary asylum following his release of other top secret NSA documents, including those about another agency surveillance program called PRISM. As expected, the U.S. Government would like to have a word with Mr. Snowden about the theft and unauthorized disclosure of that top-secret information.

According to a Washington Post article, a top-secret accounting dated January 9th, 2013 provides evidence that the NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to government data warehouses in Fort Meade, MD. The report states that in the 30 days prior to its release, NSA analysts had processed more than 180 million records. By tapping those pipelines, the agency has access not only to the metadata, which includes information telling who sent what message and when, but also to all of the raw data, including text, audio and video.

The following slide was taken from a National Security Agency presentation on “Google Cloud Exploitation”. It shows that while most traffic passing from Internet users to Google is encrypted, the traffic passing back and forth on the networks connecting Google data centers is in an unencrypted, or “clear text” format.

NSA “Google Cloud Exploitation” Presentation

The primary tool that the NSA uses to infiltrate the data links is called MUSCULAR. The program is operated jointly between the National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ). MUSCULAR allows the agencies to copy raw data flows across fiber-optic lines that carry information between the Google data centers.

It is important to note that this program is different from the previously disclosed PRISM program, which gathers user information through court orders. Instead, the MUSCULAR program targets tech companies and collects user data without their knowledge.

Google’s Chief Legal Officer, David Drummond, said the following in response to the news that the National Security Agency had secretly broken into the main links connecting Google’s data centers:

We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.

However, in the past we have heard stories about Google cooperating with the NSA in joint operations. Last summer VirtualThreat.com posted a story about the Department of Justice asking for a court order to keep the Google and NSA partnership a secret. However, in this case it seems the search giant had no prior knowledge of the NSA’s activity.

In response to the allegations that the NSA had broken into Google’s network, the National Security Agency released the following statement:

NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true. The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true. NSA applies Attorney General-approved processes to protect the privacy of U.S. persons – minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention, and dissemination. NSA is a foreign intelligence agency. And we’re focused on discovering and developing intelligence about valid foreign intelligence targets only.

On October 30th, at the Bloomberg Cyber Security Conference in Washington D.C., the head of the National Security Agency, General Keith Alexander, said:

I can tell you factually we do not have access to Google servers, Yahoo servers…We go through a court order. We issue that court order to them through the FBI. And it’s not millions, it’s thousands of those that are done. And it’s almost all against terrorism and other things like that. It has nothing to do with U.S. persons.

The PRISM program allows the NSA to gather huge amounts of Internet communications by legally compelling U.S. tech companies, including Google, to cooperate with officials and turn over all data that matches court-approved search queries. That program, also disclosed by Edward Snowden, is authorized under Section 702 of the FISA Amendments Act. PRISM operations are overseen by the Foreign Intelligence Surveillance Court (FISC).

It doesn’t take a rocket scientist to see the clear advantages for the NSA with regard to their decision to intercept communications using MUSCULAR and overseas access points. With less oversight and looser regulations the agency has the ability to collect data from tech giants like Google using “full take”, “bulk access” and “high volume” operations.

These large-scale collection operations would be illegal in the United States; however, they are taking place overseas. Here the NSA can assume that anyone with information traversing these links must in fact be a foreigner.

What Are The Implications of a Program Like MUSCULAR?

Many people are saying to themselves “Sure, but how does this affect me?” Most people only think about Google being used for online searches and email. But did you know Google also has privately branded services that are being used by corporations, non-profit organizations and educational institutions?

For example, my own daughter uses Gmail and Google Drive for her school projects. Her school has assigned every student a Google email address and a login for the school’s Google Drive account. Google Drive is a service where classroom documents are often stored.

In addition, a company that I worked for in the past used “Google Apps for Business” in order to provide email accounts, chat/voice/video conferencing, document storage and calendaring for its employees. By tapping primary Google data center links, the government potentially has access to all types of information.

Google has many service offerings that provide everything from Internet searches and email to video conferencing and private data storage. Did you know Google recently bought Motorola Mobility and is now manufacturing mobile phones?

Google is also the creator of the Android software that runs on many mobile phones and Internet tablets. Millions of individuals and organizations around the world trust Google to store their data securely away from the prying eyes of hackers and others that would use that information for their own advantage.

To get an idea of how much private information might be traveling across those Google data center links, take a look at the following info-graphic. It only shows a portion of the products offered by Google, but you quickly gain a better understanding of how much data potentially flows across the Google wires.

Google Products…more than just simple email and online searches.

Still think the government only has access to your online search histories and email? One of the coolest/scariest things I’ve noticed recently is the facial recognition software being deployed by Google and other social networking sites like Facebook. Have you ever noticed that when you upload photos of people to a site like Picasa or Facebook, you are immediately prompted to tag the names of other people in the image?

Typically the software has already completed the hard work of identifying individuals for you; all you have to do is confirm the selections made by the underlying program.

Google has added the capability to instantly recognize people, places, objects and text in photographs both on the Internet and on your hard drive. Don’t believe me? Watch the following video and then test it for yourself at http://images.google.com.

When you perform your tests try using photos of celebrities, politicians, TV/radio hosts, musicians, local Realtors, and so on. Let me know your results in the comments below this article.

Considering the fact that Google indexes nearly every web page and photograph on the open Internet, try to imagine the vast amounts of identity information that must be traveling back and forth on some of those Google data center links. Combine that information with all of the additional data listed in the info-graphic shown earlier and you have a recipe for privacy abuse and identity theft.

Any person or agency with the keys to all of that raw data could easily build complete profiles on hundreds of millions of individual people, places, companies and organizations at will.

Remember, it all comes down to who’s holding the keys. This time it was the National Security Agency tapping into Google’s data. Next time maybe it will be a hacker group, terrorist organization, or foreign government. It really doesn’t matter who does it in the end.

What really matters is that we have evolved into a society where we voluntarily surrender this information, and our very right to privacy, to the likes of Google, the NSA and hackers from around the world.

Chris Dougherty is a grey hat hacker and online security expert. Please visit his blog, www.VirtualThreat.com, for more excellent news and information about protecting yourself in cyberspace.