Before today, Silicon Valley tech companies were mad about the NSA’s data-collection programs, as revealed by Edward Snowden. But they weren’t that mad. After all, to the extent that companies like Google and Facebook were turning over user data to the government, they were doing so because they were forced to, in response to specific requests made through the FISA Amendments Act. They knew which users’ information was being let out of their hands, and while they probably weren’t thrilled about the snooping, they were at least able to keep the NSA from getting direct access to their servers.
Or so they thought. Today, new Snowden documents published by the Washington Post reveal that the NSA set up a program called MUSCULAR (and illustrated by the cartoonish scribble above) that allowed them to hack into foreign data centers of companies like Google and Yahoo, bypassing the FISA process and getting the key to millions upon millions of entire user-data sets without the companies’ knowledge. Project MUSCULAR is, or should be, a watershed moment for Silicon Valley’s largest tech firms in the fight against government surveillance.
The details of project MUSCULAR are still being sorted out — NSA director Keith Alexander denies that the agency broke into Yahoo and Google’s systems — but it’s clear that the notion of an intercontinental NSA hack is already much graver news to Silicon Valley than anything that’s come before. Upon learning of MUSCULAR, “two engineers with close ties to Google exploded in profanity,” according to the Post.
How the MUSCULAR program reportedly works is fairly simple, on a broad level:
- Google, Yahoo, and other companies maintain huge data centers around the world, where user information flows between Google’s front-end services and back-end databases.
- The NSA wanted access to these streams of information, but didn’t want to have to ask for it through the usual court-approval process.
- American law doesn’t allow that.
- So the NSA went overseas, partnering with Britain’s GCHQ to tap into the Google and Yahoo data centers in places where U.S. restrictions don’t apply.
- The information from these data centers, which includes data from American users, is then sent back to Fort Meade to be analyzed.
The nature and scope of the MUSCULAR program, which reportedly collected 181,280,466 different records in 30 days earlier this year, make it a far bigger deal, in some ways, than PRISM. PRISM was shocking because ordinary citizens had no idea it was going on; MUSCULAR is shocking because even Google and Yahoo didn’t know it was going on. If the Snowden documents are accurate, the NSA essentially invented a workaround way to collect entire data streams from the world’s largest tech companies, without their knowledge or consent, and without needing to go through any official approval process.
As more details about the program emerge, I expect lawsuits, hearings, and grandstanding from various political corners. But it’s the tech giants themselves who should be the most enraged. They’ve clearly anticipated some government interference. (Google raced to encrypt its intra-data-center communication earlier this year.) But they seem, from the Post’s report, to have had no idea that the NSA had already broken in.
After the initial reports on PRISM, I thought the tech community might band together to fight the program, in the same way they united against SOPA and PIPA last year. I expected anti-PRISM Twitter avatars, letter-writing campaigns, and online displays of outrage. But while there were some half-baked expressions of discomfort with PRISM among Silicon Valley’s elite, the fact that the targeted companies themselves were often legally prohibited from acknowledging the program’s existence meant that they could never really mount a coordinated countercampaign.
The MUSCULAR program should change that. It appears to be all-encompassing and untargeted in a way PRISM never was. And its clandestine nature represents a massive breach of trust between the government and the tech giants. If the NSA is proven to have been snooping on Americans with the help of overseas data-center hacking meant to circumvent American privacy laws, it will be all the evidence Silicon Valley needs to get fighting mad. Now, Google et al. aren’t just the enablers of the NSA’s data-collection strategy, they’re the unwitting victims.