5 Comments

Summary:

Whether these top tier tech vendors were complicit or dupes in government spying on people’s data, this news does nothing to help their credibility.

Top secret

One of the biggest questions out of the NSA snooping controversy was how much 9 tech vendors —  Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype( msft), YouTube and Apple —  knew about a National Security Administration program for snooping on their users data.

Facebook's data center in Prineville, Ore.

Facebook’s data center in Prineville, Ore

They all denied — in carefully worded ways — that they provided direct access to customer information. The source of the original story — ostensibly leaked NSA slides obtained by the Washington Post and The Guardian — indicated that the National Security Agency tapped directly into these company servers to get at customer meta data.

In a radio interview Friday on WBUR, Post reporter Barton Gellman said it’s more likely that the slide was poorly worded and that the NSA placed its own “black boxes” on vendor property next to the servers in question. Those black boxes could mirror the server and be queried as a proxy while giving those vendors plausible deniability if asked whether their own servers had been accessed.

Obviously, if that is the case it’s hard for vendors to plead ignorance to what was going on. But there are ways the government could harvest people’s Google and Facebook and other data without those vendors knowing.

First, they could eavesdrop on the HTTP traffic flowing over the internet — which is not usually encrypted. Or there could be a covert back door into these services themselves, something that Jon Oltsik, senior principal analyst at Enterprise Strategy Group finds hard to believe.

And, there have been reports that government agencies are indeed collecting data provided from internet service providers and telcos.  On Friday, The Wall Street Journal said that the NSA’s gathering data on Verizon customers, is just the tip of the iceberg. According to the Journal:

“… people familiar with the NSA’s operations said the initiative also encompasses phone-call data from AT&T Inc. and Sprint Nextel records from Internet-service providers and purchase information from credit-card providers.

Update: One security expert who did not want to be named becuase he does work for government agencies said if the NSA is doing what it does best — which is traffic analysis. This is stuff like who is talking to whom and for how long and when. “It is a kind of social network mapping … questions arise if there is a radio in an uninhabited jungle [or] when I call Djokar Tsarnaev at 1 a.m. or when one call comes in and one call goes out continguously,” he said via email.

If this is the sort of traffic analysis the NSA is doing — the default assumption — then there is “no requirement for the cooperation of the endpoints, only the carriers,” he said. In all internet-based TCP/IP situations, the communications are all multi-hop, and thus there is no need to surveil all possible paths, just the “must go through” paths,” he continued. “If I can listen one hop outside your firewall, then there is nothing you can do about it, you won’t know I am doing it, and to the extent that traffic analysis is sufficient for the surveillance team, the job is done.”

 

This is really key stuff. When you post updates to your Facebook page or Google Drive, that data typically flows unencrypted over the web. That data-in-transit could, in theory, also be intercepted at the routers directing traffic or at Content Delivery Network (CDN) points that optimize traffic flow. We just don’t know, because security agencies won’t say. But the upshot is, if the government is collecting that traffic, it truly does have a ton of information about everything you do, or at least everything you say. That is truly a sobering use of big data.

As we learned last year, it may well be compiling a full dossier on you (and everyone) which it’s storing in the no-longer-quite-so-top-secret giant NSA data center in Bluffdale Bluffton, Utah,

Beyond that, we probably won’t know the truth of what Google, Microsoft, et al. knew and if or how much they participated in snooping for years to come.

This story was updated at 4 p.m. PDT to correct the name of the town where the NSA data center is located and again at 9:14 a.m. PDT on June 8 to add additional comment and context from a security expert.

  1. Ritesh Agarwal Friday, June 7, 2013

    There is a speculation from a source that a third party start-up from Palo Alto, named “Palantir”, might have been collecting this information on behalf of the CIA, FBI, NSA, etc. It’s purported that CIA was one of their clients at some point of time and they are secretive as hell.

    Share
    1. i have seen that. not sure i buy that the NSA would use a third party but hey, what do i know?

      Share
  2. “When you post updates to your Facebook page or Google Drive, that data typically flows unencrypted over the web.”

    Yeah, both companies now encrypt the transport by default, so Man in the Middle would be difficult with access to the keys. The actual content is not encrypted, but that would require direct access.

    Share
  3. So such place as Bluffton, Utah. It’s called Bluffdale.

    Share
  4. Reflecting on this, it seems possible this is another reason obedient Congressional flunkies raised “security” concerns about Huawei rolling into the US market.

    The concern wasn’t the crap raised about China bringing backdoors into US companies and Web nodes. The concern was Huawei installers wouldn’t be in on the payola and might expose collusion.

    Share

Comments have been disabled for this post