The word “MUSCULAR” took on new meaning this week. It now also refers to an NSA project in which data was being intercepted in transmission. We outline five initial takeaways based on this new development.
Day before yesterday, 30 October, the Washington Post in the United States published an article alleging that the US’ National Security Agency (NSA) had been infiltrating links to Yahoo and Google data centers worldwide. According to the publication, the details were revealed by former NSA contractor, Edward Snowden, and “interviews with knowledgeable officials”. In summary, although the NSA can (and is authorised to) compel online service providers (such as Google and Yahoo) to furnish data via its programme known as PRISM, it is alleged that through a project called MUSCULAR, the organisation has also been harvesting large volumes of data during transmission without permission. The image below is reportedly from an NSA presentation and highlights the vulnerability that the NSA allegedly has been exploiting.
As at the time of publication of this post, the NSA has refuted the claims that have been made. However, the affected service providers are reportedly furious about the revelations, stating emphatically that they were unaware of this matter and are demanding answers from the US government. In light of the hot water the US is currently in for spying on its allies, this new allegation may remain unaddressed into the immediate future. However, outlined below are five initial takeaways that might be worth considering.
1. US spying may still be deeper and more pervasive than we think
The earlier revelations, about the NSA collecting metadata from telephone calls in the US and collecting large volumes of information from online service providers via PRISM, pale in comparison to some of the most recent news about the NSA tapping the phones of senior government officials in foreign countries, and now the interception/infiltration allegations. However, we are still learning about the extent of the US’ spying capabilities and actions, and at this time we ought not to be surprised if additional scandals come to light.
2. Private leased lines might not be as safe as we believe
Based on news reports, although the affected online companies had leased dedicated capacity on fibre optic cable networks to carry their data, the NSA was “copying entire data flows across fiber-optic cables that carry information among the data centers of the Silicon Valley giants” (Source: Washington Post). The slide above from an NSA presentation suggests where in the routing the infiltration might have occurred. However, the key takeaway is that any sort of protection or safeguards that private leased lines inherently offer might not be enough to thwart the sophisticated interception/spying technology available to government intelligence agencies.
3. Our fear of having our privacy breached by our service provider might be what we should be worrying about
The result of this position by websites is that many users – individuals and organisations alike – are wary about using certain online properties. However, this recent allegation indicates that the interception might have been done unbeknownst to the affected online firms, and as a result we, as users, have no idea how our data is being used; who might be liable; and what recourse we might have.
4. Organisations might become more wary of cloud services and remote storage than they already are
Cloud technology and cloud services have been huge buzzwords in recent years, and in the last two years, they have been gaining traction as cost-effective means of accessing data and a broad range of services over the internet. More importantly, global analyst firms, such as Gartner, have projected that data centres, and cloud technology and services will become increasingly integral to businesses into the future. However, these new allegations might be a setback in the shift to greater take-up of cloud and remote storage services, but may also have the positive effect of prompting persons to ask more questions of their current and prospective service providers.
5. Organisations and countries could benefit from re-examining their data protection policies and tools
Finally, when the above are considered, especially the latitude the US might have (or is prepared to take) regarding electronic data in their jurisdiction, it might be prudent for countries, and even organisations, to re-examine their data protection policies and exactly how they are being implemented and followed. For example, the data protection laws in many countries worldwide require that personal data should only be transferred to countries that offer similar or better data protection as the home country.
In light of the US’ aggressive posture on intelligence and spying, which is supported in law, such as via the Patriot Act 2001, companies may need to seriously consider whether or not, or the extent to which, they are okay with having their data accessed or intercepted by the US government and the alternatives they could consider.