The NSA–telecoms partnership was highly lucrative. In return for access to 81 per cent of international telephone calls, Washington pays the private telecom giants many hundred millions of dollars a year. It is not known how much the British government pays its own domestic ‘intercept partners’, particularly the formerly state-owned BT, and Vodafone. But the sums will be similar and substantial.
By the end of the last decade, the NSA’s capabilities were astonishing. The agency, backed by Britain and its other Five Eyes allies, had access to fibre-optic cables, telephone metadata and the servers of Google and Hotmail. The NSA’s analysts were the most powerful spies in human history. Snowden maintains they were able to target practically anybody, at any time, including the president.
‘The NSA and the intelligence community in general is focused on getting intelligence everywhere and by any means possible,’ he says. ‘Originally we saw this focus very narrowly targeted on foreign intelligence. Now we see it’s happening domestically. To do that the NSA specifically targets the communications of everyone. It ingests them by default. It collects them in its systems. It filters them and it analyses them and it measures them and it stores them for periods of time simply because that’s the easiest and most efficient and most valuable way to achieve these ends.’
Looked at as a whole, the files lend weight to Snowden’s assertion that as an NSA analyst he had super-powers.
‘While they may be intending to target someone associated with a foreign government or someone they suspect of terrorism, they are collecting your communications to do so. Any analyst at any time can target anyone. Any selector, anywhere. Whether these communications may be picked up depends on the range of the sensor networks and the authorities an analyst is empowered with. Not all analysts have the ability to target everybody. But I, sitting at my desk, certainly had the authority to wiretap anyone, from you, to your accountant, to a federal judge, and even the president, if I had a personal email [address].’
The PRISM revelations provoked a howling response from the hi-tech denizens of San Francisco’s Bay Area. First there was bafflement, then denial, followed by anger. The Santa Clara valley, where most of the big tech firms are situated, likes to see itself as anti-government. The philosophical currents that waft through Cupertino and Palo Alto are libertarian and anti-establishment, a legacy of Silicon Valley’s roots in the hacker community. At the same time, these firms vie for government contracts, hire ex-Washington staff for the inside track and spend millions lobbying for legislation in their favour.
Clearly, the allegation that they were co-operating with America’s most powerful spy agency was a corporate disaster, as well as being an affront to the Valley’s self-image, and to the view of the tech industry as innovative and iconoclastic. Google prided itself on its mission statement ‘Don’t be evil’; Apple used the Jobsian imperative ‘Think Different’; Microsoft had the motto ‘Your privacy is our priority’. These corporate slogans now seemed to rebound upon their originators with mocking laughter.
Before the Guardian published the PRISM story the paper’s US business reporter, Dominic Rushe, went through his contacts book. He called Sarah Steinberg, a former Obama administration official, and now Facebook’s PR, as well as Steve Dowling, the head of PR at Apple. He rang Microsoft, PalTalk and the others. All denied any voluntary collaboration with the NSA.
‘There was total panic. They said they had never heard of it [PRISM],’ Rushe recalls. ‘They said they hadn’t given direct access to anybody. I was totally bombarded with telephone calls from increasingly senior tech executives who had more questions than answers.’
The tech companies said that they only released information to the NSA in response to a specific court order. There were no blanket policies, they said. Facebook revealed that in the last six months of 2012 it gave the personal data of between 18,000 and 19,000 users to various US law-enforcement bodies, not just to the NSA but also to the FBI, federal agencies and local police.
Several of the companies stressed they had mounted legal challenges in the FISA courts to try and say more about secret government requests for information. Google insisted: ‘We do not provide any government, including the US government, with access to our systems.’ Google’s chief architect Yonatan Zunger remarked: ‘We didn’t fight the cold war just so we could rebuild the Stasi ourselves.’ Yahoo said it had fought a two-year battle for greater disclosure, and had challenged amendments to the 2008 Foreign Intelligence Surveillance Act. Its efforts were thus far unsuccessful.
The NSA documents, though, look explicit. They say ‘direct access’.
Asked how he might explain the discrepancy, one Google executive called it a ‘conundrum’. He dismissed the PRISM slides as a piece of flimsy ‘internal marketing’. He added: ‘There is no back-door way of giving data to the NSA. It’s all through the front door. They send us court orders. We are obliged by law to follow them.’
But in October 2013 it emerged there was indeed a back door – just one that the companies involved knew nothing about. The Washington Post revealed that the NSA was secretly tapping data from Yahoo and Google. The method was ingenious: ‘on British territory’, the agency had hacked into the private fibre-optic links that inter-connect Yahoo and Google’s own data centres around the world.
The NSA codename for this tapping operation is MUSCULAR. It appears to be the British who are doing the actual hacking on the US’s behalf. (One MUSCULAR slide says ‘Operational July 2009’, and adds: ‘Large international access located in the United Kingdom.’)
The firms go to great lengths to keep their customers’ data safe. However, they transfer their information between data centres situated in Europe and America, along leased private internet cables protected by company-specific protocols. It was these cables that the NSA had managed to hack, as they transit the UK. Curiosity focused on Level 3, reported to have been hired as a cable operator by Yahoo and Google: Level 3 is named in the top-secret British documents as an ‘intercept partner’ with the codename LITTLE. The Colorado-based corporation’s response is to say it complies with legal requests in the countries where it operates.
An NSA analyst drew a child-like sketch explaining how the program works; it shows two regions marked ‘Public Internet’ and ‘Google Cloud’. There is a smiley face at the interface where the NSA hacks data. The sketch provoked a thousand Twitter parodies. ‘With so many of these slides you get the feeling people inside the NSA are bragging about their programs,’ ProPublica’s Jeff Larson says. ‘They are saying: ‘We can break encryption! We can grab protocols!”
A document from the NSA’s acquisitions directorate reports that thanks to its back-door access the agency can break into hundreds of millions of user accounts. The data is sent back to the NSA’s Fort Meade headquarters and stored. The volumes are remarkable. In a 30-day period in late 2012, 181,280,466 new records were funnelled back to the Puzzle Palace, including metadata.
Google and Yahoo reacted with apoplexy to the tapping disclosures. Google’s chief legal officer David Drummond said he was outraged at the lengths to which the US government had gone to ‘intercept data from our private fibre networks’. Yahoo repeated that it had no knowledge of the NSA’s back-door cyber-theft.
By the autumn of 2013 all the tech companies said they were scrambling to defend their systems from this kind of NSA snooping. They stood some chance of success. For the NSA’s power to suck up the world’s communications is not quite as awesome as Snowden has made it seem. Tapping into global flows of data is one thing: being able actually to read them is quite another. Particularly if they start to be encrypted.