NSA had reverse-engineered many of Google’s and Yahoo’s inner workings.

Google has started to encrypt its traffic between its data centers, effectively halting the broad surveillance of its inner workings by the joint National Security Agency-GCHQ program known as MUSCULAR. The move turns off a giant source of information to the two agencies, which at one point accounted for nearly a third of the NSA’s daily data intake for its primary intelligence analysis database—at least for now.

Yesterday, the Washington Post shared additional slides produced by the NSA on the MUSCULAR program, which tapped into the fiber-optic networks carrying traffic to and from Google’s and Yahoo’s overseas data centers. The slides indicated that data from the networks frequently reached the daily intelligence briefing provided to President Barack Obama. They cited the joint operation with GHCQ as the fifteenth-largest source of intelligence data for those briefings.

The slides also revealed that the NSA obtained an intimate understanding of the internal operations of these networks, which suggests it either launched a significant reverse-engineering operation to pry apart Google’s and Yahoo’s secrets or it obtained this information from people who worked for the two companies (maybe even some combination of the two). Either way, the effort amounts to a major intelligence operation to discover the trade secrets of two major American companies.

The APIs to the Kingdom

If the NSA and GCHQ are in fact shut out of Google’s network, it would mean the loss of a substantial amount of work. (Remember, the NSA needed to first understand the complicated inner workings of Google’s applications before it could obtain troves of useful information from the traffic.) The effort allowed the NSA to do highly detailed tracking of individual Google and Yahoo users of interest and to gather metadata on an even larger number of users to watch for specific types of behavior.

The NSA created sets of “defeats” that allowed it to screen multiple types of traffic at Yahoo and Google for identifying “fingerprints” in data—keywords or identifying elements in the traffic within those networks that it associated with individuals or organizations of interest.

As of 2012, the NSA developed “defeat fingerprints” to scan the server-to-server communications that powered Google Adwords, Blogger, the BigTable database that powers Google Drive and other applications, and the TeraGoogle search index interface. These fingerprints allowed the NSA to scan Google internal traffic and identify elements associated with the usage of specific individuals or for searches and other behavior around a particular subject of interest (like, say, “pressure cooker bomb”).

That information could be pulled into the NSA’s MARINA metadata database, a sort of secret social graph similar in form (but not function) to Facebook’s graph database. It provided NSA analysts with the ability to search for various types of online behavior and identify potential individuals of interest. A second set of NSA tools, called Serendipity, gave the agency the ability to target specific Google accounts for monitoring as they accessed service, including: 

• Chrome synchronization, including bookmark sync to the cloud
• “Talkgadget,” the Google Talk component of Gmail
• The now-defunct iGoogle personalized pages
• Google searches
• Picasa photo sharing
• YouTube

As of 2012, the “user agent string” identifier used by these protocols—Google’s internal identifier for Google user accounts—had not yet been integrated into MARINA for tracking metadata. The NSA was in the process of performing that final step of integration.

For Yahoo, the NSA had developed another set of hooks, fully accessing its internal mail protocols as well as its Messenger instant messaging service, advertising tracker, and “Web beacons” used to track whether users had opened HTML-formatted emails. And the agency had to respond to a flood of unwanted data from these sources by instituting blocks—mostly to deal with Yahoo’s periodic movement of entire user mailboxes.

“Fuck these guys”

Last Thursday, as news started to emerge about the NSA’s monitoring of traffic within the private networks of Google and Yahoo, Google security team engineer Brandon Downey wrote a post to Google+ expressing his personal opinion on the matter: “Fuck these guys.” Yesterday, another Google security engineer, Mike Hearn, echoed the sentiment with substance:

“I now join [Downey] in issuing a giant Fuck You to the people who made these slides,” Hearn wrote. “I am not an American, I am a Brit, but it’s no different—GCHQ turns out to be even worse than the NSA… The traffic shown in the slides is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.”

Hearn did not reveal how the traffic was being encrypted. But Google has been making an effort to encrypt its intra-data center traffic for over a year as it strove to deal with potential surveillance.

That effort was accelerated this summer in the wake of the leaked information about the NSA/FBI PRISM program—the warrant-based program by which the NSA could obtain access to user data from Google, Yahoo, and other cloud providers. The company wanted to make broad surveillance of its own networks more difficult. Now, with the details of actual surveillance public knowledge, Google has moved to shut the door entirely to unfettered access to its networks. Google also started to encrypt all search requests from users by default in September, protecting users from surveillance outside its network.

There’s no word on what Yahoo’s plans are regarding encryption of internal traffic; requests from Ars to Yahoo for comment went unanswered at the time of this post.