Bitwise

MUSCULAR ’Roid Rage!

NSA surveillance of Google and Yahoo is nasty and brutish—and pointless and illegal.

SSL added and removed here! :)

Image via the Washington Post

I knew the NSA drawing was real from the smiley-face. Only an eager and myopic software engineer—seeing the interception of Google and Yahoo’s data as a challenge and game rather than as a security and political matter—would make such a light-hearted and self-satisfied gesture at the prospect of hacking into Google’s internal servers.

Google knows it’s real as well. “Two engineers with close ties to Google exploded in profanity when they saw the drawing,” writes the Washington Post, which broke the story yesterday (with some help from Edward Snowden). Google’s Chief Legal Officer David Drummond issued the fighting words of someone who knows they’re winning: “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.” Google, clearly fed up, has been rushing to encrypt as much of their traffic as possible. (Full disclosure: I used to work for Google, and my wife still does, though she is refusing to tell me anything she may or may not know—even though it seems unfair that the NSA knows and I don’t.)

The NSA’s spying system is called MUSCULAR, which, according to the Post, can copy “entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants.” Even the name MUSCULAR smacks of the brutish attitude that compels the NSA to sweep up petabytes of data without being able to process most of it. Call it Broveillance, or Brotal Information Awareness. The unnamed author of the NSA slides provided to the Post is basically begging the agency to stop collecting so much useless garbage. The slides complain of the data’s “relatively small intelligence value” given that the MUSCULAR data makes up one-quarter of all information acquisition.

Just to be clear, that means that one-quarter of the NSA’s surveillance data comes from Google and Yahoo alone. The NSA intercepted the largest sewer pipes of information on the entire Internet and diverted them to dump into their data centers, so that they could search for pearls.

Combine that with the knowledge that NSA chief Keith Alexander is a macho nerd who had his command center built to look like the bridge of the Starship Enterprise (complete with doors that go whoosh), and we have a nice picture of a group of spooks that fancy themselves as James Bond’s Q but are actually closer to Inspector Gadget.

Although the diagram refers to Google, the leaked presentation only briefly refers to “defeating” Gmail. They also refer to “FB buddylist sampling since last year”—i.e., spying on your Facebook friends list—but mostly the slides talk about Yahoo.

The key passage is this one: “Yahoo has been transferring entire email accounts using the Narchive data format (a proprietary format) … Narchive traffic is collected and forwarded to NSA for memorialization.” “Narchive” is evidently Yahoo’s archival format that can contain the entire contents of a Yahoo user’s mailbox. The Narchive format is internal to Yahoo—that is, no computer outside of Yahoo ever sees it or should even be aware of its existence. (I can’t even find any references to it on the Web.) So there’s your evidence that the NSA was monitoring Yahoo’s internal operations.

Yahoo uses the Narchive format when transferring mail accounts across data centers. Your email account is located within a single one of Yahoo’s datacenters. If they decide, for one reason or another, that your mailbox should be located on a data center in Australia instead of the United States (say, because you live in Australia and so it’ll be much faster for you there), they package all of your data up into the Narchive format and send it from their United States data center to the Australia data center, where they unpack it and set it up.

This is where the NSA comes in. At least according to the slides, they are unable to monitor email accounts that reside within a data center. Instead, they catch them in the process of being transferred along the intercontinental fiber pipes via “secret access to a cable or switch” offered by “an unnamed telecommunications provider,” according to the Post. This means that the NSA can’t do ongoing monitoring of a particular email account, but they can just happen to catch whichever accounts are being transferred—at which point they just snag the whole thing. Since only a small subset of accounts are transferred intercontinentally, they are effectively capturing snapshots of a random subset of accounts at arbitrary points in time. (The slides point out that over one-half of the mail is more than three months old, and one-quarter of it is more than a year old.)

This is the very opposite of targeted collection, and of course it gives lie to any statement about how the NSA was only collecting metadata and not collecting on Americans. The NSA has no idea which of these accounts belong to Americans and which to foreigners. How would they? They admit they don’t even know what they’re sweeping up.

The slides note that “FISA restrospective [sic] collection” would be just as effective and far more efficient than the sewer pipe approach of MUSCULAR. The slides don’t mention that FISA collection would also have the happy side effect of being legal, but I suppose that issue wasn’t on the NSA’s radar. MUSCULAR: inconvenient, useless, and illegal. The perfect encapsulation of the Broveillance attitude.

Alexander and Director of National Intelligence James Clapper will say various things in response, in line with the nondenial denial already issued by the NSA, which puts so many conditionals on what it claims not to do that it might as well be a confession. Clapper and Alexander have already both lied to Congress, so there is little reason to listen to them. Alexander is on his way out, and Clapper needs to go too. Nothing short of an agency overhaul will reestablish trust.

If the definition of going mad with power is pissing off people who can cause you real trouble—like Angela Merkel and Larry Page—Alexander went mad with power the day he took the job. He has lied, broken the law, violated trusts, wasted billions of dollars, and damaged the security of the U.S. far more than anyone he has criticized. He will be seen in retrospect as the perfect illustration of a period when a modicum of technical knowledge was enough to create the illusion of competence in the eyes of the establishment.

Obama may accept the mere appearance of NSA reform in the coming months. But the pressure is mounting: When you’ve lost NSA water-carrier Dianne Feinstein, you are indeed “really screwed.” Despite Obama’s evident unwillingness to buck the system on whistleblower persecution, illegal detention, black sites, and drone strikes, he may be forced to do the right thing here and rein in this rogue agency.