美國安全局“肌肉發達” 被指“行竊”谷歌雅虎

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, The Washington Post reported Wednesday, citing documents obtained from former NSA contractor Edward Snowden.

A secret accounting dated Jan. 9, 2013, indicates that NSA sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency's Fort Meade, Md., headquarters. In the last 30 days, field collectors had processed and sent back more than 180 million new records — ranging from "metadata," which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported Wednesday on its website.

The latest revelations were met with outrage from Google, and triggered legal questions, including whether the NSA may be violating federal wiretap laws.

"Although there's a diminished standard of legal protection for interception that occurs overseas, the fact that it was directed apparently to Google's cloud and Yahoo's cloud, and that there was no legal order as best we can tell to permit the interception, there is a good argument to make that the NSA has engaged in unlawful surveillance," said Marc Rotenberg, executive director of Electronic Privacy Information Center. The reference to 'clouds' refers to sites where the companies collect data.

The new details about the NSA's access to Yahoo and Google data centers around the world come at a time when Congress is reconsidering the government's collection practices and authority, and as European governments are responding angrily to revelations that the NSA collected data on millions of communications in their countries. Details about the government's programs have been trickling out since Snowden shared documents with the Post and Guardian newspaper in June.

The NSA's principal tool to exploit the Google and Yahoo data links is a project called MUSCULAR, operated jointly with the agency's British counterpart, GCHQ. The Post said NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

The NSA has a separate data-gathering program, called PRISM, which uses a court order to compel Yahoo, Google and other Internet companies to provide certain data. It allows the NSA to reach into the companies' data streams and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.

In an interview with Bloomberg News Wednesday, NSA Director Gen. Keith Alexander was asked if the NSA has infiltrated Yahoo and Google databases, as detailed in the Post story.

"Not to my knowledge," said Alexander. "We are not authorized to go into a U.S. company's servers and take data. We'd have to go through a court process for doing that."

It was not clear, however, whether Alexander had any immediate knowledge of the latest disclosure in the Post report. Instead, he appeared to speak more about the PRISM program and its legal parameters.

In a separate statement, NSA spokeswoman Vanee Vines said NSA has "multiple authorities" to accomplish its mission, and she said "the assertion that we collect vast quantities of U.S. persons' data from this type of collection is also not true." At no point did the NSA deny the existence of the MUSCULAR program.

The GCHQ had no comment on the matter.

The Post said the NSA was breaking into data centers worldwide. The NSA has far looser restrictions on what it can collect outside the United States on foreigners and would not need a court order to collected foreigners' communications.

Cybersecurity expert James Lewis said it is likely that the Google and Yahoo data was part of a larger collection of communications swept up by the NSA program from the fiber-optic pipeline. He said that while the collection was probably legal, because it was done overseas, the question is what the NSA did with the data linked to U.S. citizens.

To meet legal requirements, the NSA has to distinguish between foreign and U.S. persons, and must get additional authorization in order to view information linked to Americans, said Lewis, who is with the Center for Strategic and International Studies. He said it's not clear from the reports what the NSA did with the U.S. data, and so it's difficult to say whether the agency violated the law.

David Drummond, Google's chief legal officer said the company has "long been concerned about the possibility of this kind of snooping."

"We do not provide any government, including the U.S. government, with access to our systems," said Drummond. "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

Google, which is known for its data security, noted that it has been trying to extend encryption across more and more Google services and links.

Yahoo spokeswoman Sarah Meron said there are strict controls in place to protect the security of the company's data centers. "We have not given access to our data centers to the NSA or to any other government agency," she said, adding that it is too early to speculate on whether legal action would be taken.

The MUSCULAR project documents state that this collection from Yahoo and Google has led to key intelligence leads, the Post said.

Congress members and international leaders have become increasingly angry about the NSA's data collection, as more information about the programs leak out. A delegation from the European Union Parliament came to Washington this week to conduct intense talks about reported U.S. spying on allied leaders, including the collection of phone records. And a German delegation met with U.S. officials over allegations that the NSA was monitoring Chancellor Angela Merkel's cellphone.

Alexander told lawmakers that the U.S. did not collect European records, and instead the U.S. was given data by NATO partners as part of a program to protect military interests.

Congress members, however, are working on plans that would put limits data collection. And Sen. Dianne Feinstein, chairwoman of the Senate Intelligence Committee, has called for a "total review of all intelligence programs"

More broadly, Alexander on Wednesday defended the overall NSA effort to monitor communications. And he said that as Congress considers proposals to scale back the data collection or provide more transparency to some of the programs, it's his job to lay out the resulting terrorism risks.

"I'm concerned that we give information out that impacts our ability to stop terrorist attacks. That's what most of these programs are aimed to do," Alexander said. "I believe if you look at this and you go back through everything, none of this shows that NSA is doing something illegal or that it's not been asked to do."

Pointing to thousands of terror attacks around the world, he said the U.S. has been spared much of that violence because of such programs.

"It's because you have great people in the military and the intelligence community doing everything they can with law enforcement to protect this country," he said. "But they need tools to do it. If we take away the tools, we increase the risk."美國《華盛頓郵報》10月30日援引愛德華•斯諾登文件稱，美國國家安全局（NSA）曾入侵雅虎和谷歌遍佈全球的數據中心的主要連接通道。

***曝光

日期爲2013年1月9日的機密報告顯示，NSA每天從雅虎和谷歌的內部網絡截取數百萬條信息，並將這些信息發送回馬裏蘭州米德堡的NSA總部的數據庫中。在此之前的30天裏，數據收集人員曾處理併發回1.8億多條新記錄，這些數據包括電子郵件的發件人、收件人、時間等“元數據”，還有文本、視頻、音頻等內容信息。

NSA和英國政府通信總部（GCHQ）聯合執行“肌肉發達”的項目，入侵谷歌和雅虎數據中心。硅谷科技巨頭的數據中心之間通過光纜傳輸信息，而“肌肉發達”可以複製通過光纜的整個數據流。

此前曝光的“棱鏡”項目通過法院指令強迫谷歌、雅虎以及其他互聯網企業提供特定數據。NSA因此接觸到這些公司的數據流，抓取電子郵件、視頻聊天、圖片等信息。美國官員曾表示“棱鏡”只針對外國目標，科技公司則稱他們只有收到法院指令才移交信息。

***否認

美國國家安全局局長基思•亞歷山大10月30日否認NSA侵入谷歌和雅虎數據庫。他說：“據我所知並非如此。我們沒有權利訪問美國公司的服務器並蒐集數據，除非獲得法庭許可。”

美國國家安全局發言人範尼•瓦因斯發佈聲明中說，“有關我們以這種方式蒐集海量美國公民數據的說法是不真實的。”但聲明沒有否定“肌肉發達”項目的存在。英國政府通信總部拒絕發表評論。

***爭議

最新披露的文件激起了谷歌公司的憤怒，且引起了法律爭議，如美國國家安全局是否可能違反了聯邦竊聽法案。

“儘管（美國）對海外信息攔截的法律保障水平較低，但鑑於此類活動明顯指向谷歌和雅虎的雲數據庫，而且就我們所知還沒有任何法律文件允許這樣的攔截行爲，所以NSA的確進行了非法監聽。”電子隱私信息中心（EPIC）執行理事馬克•羅滕貝格說。

美國戰略與國際研究中心的網絡安全專家詹姆斯•劉易斯表示，谷歌和雅虎的數據只是NSA蒐集到海量數據中的一部分。他認爲，蒐集行動發生在海外，所以很有可能合法，但問題是NSA拿這些和美國公民有關的數據做了些什麼。劉易斯說，按照法律要求，NSA需要區別外國人和美國人，且瀏覽有關美國人的信息時必須獲得額外的授權。但報告中沒有明確指出NSA如何處理美國數據，是否違法也很難說。

谷歌首席法律顧問戴維•德拉蒙德說，谷歌“長期以來一直擔心此類監聽的可能性……我們沒有授權包括美國政府在內的任何政府進入我們的系統。我們對美國政府的行爲感到憤慨。此事也凸顯了迫切改革的必要性。”素來以數據安全著的谷歌表示，該公司一直在努力將加密技術拓展到谷歌越來越多的服務和連接中。

雅虎發言人薩拉•梅龍也說，雅虎對數據中心有嚴格控制。“我們不允許NSA或任何其他政府機構訪問我們的數據中心。”不過，她表示現在還不急於考慮是否採取法律行動。

隨着越來越多監聽項目的曝光，美國國會成員和國際上的領導人對NSA蒐集數據的行爲愈發憤怒。歐洲議會代表團本週抵達華盛頓，就監聽監聽領導人一事進行緊張談判。德國也派代表就竊聽默克爾手機一事會晤了美國官員。

***辯護

NSA局長亞歷山大表示美國並沒有蒐集歐洲數據，相反是北約盟國爲了保障軍事利益向美國提供情報。不過，國會正致力於起草法案，限制數據蒐集。參議院情報委員會主席黛安娜•范斯坦已呼籲“徹查所有的情報項目”。

亞歷山大30日在爲NSA行爲辯護時說：“我擔心，公佈信息會影響我們的反恐能力。而這是大部分監控項目的目標……我相信，如果你看過這些信息，再回顧整件事，會發現沒有任何跡象顯示NSA有違法或越權行爲。”

他指出，這些項目讓美國避免了不少恐怖襲擊。“這是因爲，我們的軍隊、情報人員和執法部門一起，盡一切努力依法保護這個國家。但是他們需要工具。如果我們剝奪這些工具，風險就會增加。”

“肌肉發達”項目文件顯示，從雅虎和谷歌蒐集的信息提供了關鍵的情報線索。