MUSCULAR Spasm: Let’s Blame Canada for NSA Surveillance

Back in August, I e-mailed a Guy Who Knows Stuff:

> In order to fudge the legal limitations on collection of strictly intra-US phone calls by US persons, could the US gov ask ATT (which, I expect, has a pretty close working relationship with Bell Canada) to route calls either by number or in bulk to Canada and then back to the USA?  Then the NSA could pick up the traffic on the outbound or inbound end, or the Canadians could rummage through it on our behalf.  Unfortunately, I have no concrete information to back up this brainwave, but it would seem to be a logical way for the NSA to advance its goal of getting all the data.  Any thoughts on this?

And he replied:

Yes.  They could certainly do that.

But then I came across:

David Skillicorn, a professor in the School of Computing at Queen’s University, says this is one piece of the data-sharing relationship "that has always been carefully constructed."

"The Americans will not use Canadians to collect data on U.S. persons, nor will any of the other Five Eyes countries," Skillicorn says.

"In fact, in practice, it’s as if the five countries’ citizens were one large, collective group, and their mutual communications are not intercepted by any in the Five Eyes community."

Poked around a bit, came up empty, didn’t pursue it.

Then, today, courtesy of Barton Gellman at the Washington Post, there’s this, describing an NSA program that circumvents limits on domestic surveillance by intercepting Google and Yahoo! traffic between their data centers through our Anglophone allies/proxies:

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

As for that “undisclosed intercept point”, I vote for Canada as the most likely suspect.  North American traffic traverses Canada, gets bundled off to Blighty, and stored for sharing with the NSA.

Naturally, we’re treated to generous descriptions of Google outrage and privacy heroism:

In order to obtain free access to data center traffic, the NSA had to circumvent gold standard security measures. Google “goes to great lengths to protect the data and intellectual property in these centers,” according to one of the company’s blog posts, with tightly audited access controls, heat sensitive cameras, round-the-clock guards and biometric verification of identities.

Google and Yahoo also pay for premium data links, designed to be faster, more reliable and more secure. In recent years, each of them is said to have bought or leased thousands of miles of fiber optic cables for their own exclusive use. They had reason to think, insiders said, that their private, internal networks were safe from prying eyes. 

In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data resides. In hand-printed letters, the drawing notes that encryption is “added and removed here!” The artist adds a smiley face, a cheeky celebration of victory over Google security. 

Two engineers with close ties to Google exploded in profanity when they saw the drawing. “I hope you publish this,” one of them said. 

Publish what?  Evidence that Google's security is cracked?  Or document Google's hyperbolic anger at NSA transgressions to reassure Google Cloud customers?

If you’re searching for privacy heroes, I think you’d better scratch Google off your list.  Per Gellman:

Last month, long before The Post approached Google to discuss the penetration of its cloud, vice president for security engineering Eric Grosse announced that the company is racing to encrypt the links between its data centers. “It’s an arms race,” he said then. “We see these government agencies as among the most skilled players in this game.”

Google knew, kids.  Get used to it.

Another guy I’m crossing off my personal list together with David Skillicorn is John Schindler, whose tweets, posts, and sneers are a mainstay of defenders of the NSA:

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.”

But what about that "honesty" elixir you were peddling to the NSA in that smarmy open letter that appeared the same day Gellman's piece came out?

[H]ey, I’m fine with secrecy in principle – intelligence is conducted in secret by its very nature. But the current crisis has exposed the Agency to scrutiny based on falsehoods proffered by Kremlin-backed scoundrels and their useful idiots among activists masquerading as journalists. Time to beat that back with some honesty, what might seem scarily radical honesty to old SIGINT hands.

...

Rebrand now while you still can and regain the public’s trust. I’m confident that, once they understand what NSA really does, the vast majority of Americans will be glad the Agency is on watch. 

Good luck with that rebranding, "Dash":
 

I also think the NSA has platoons of shills and their entire job is figuring out how to stay within the realm of plausible deniability and minimize transparency by exploiting every loophole.  But, given their commitment to suppressing instead of informing public debate about surveillance, I don’t see any reason to trust them or listen to them.  Why anyone would rely on Schindler for objective and honest insight into the scope and implementation of the US surveillance regime is beyond me.