The weakest link: How the NSA may have hacked Google and Yahoo

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

We've known since last month about the US Government spying on Internet giants Google and Yahoo. Now we're beginning to understand how they may have done it.

And no--they probably didn't send James Bond or Mata Hari to seduce an employee. In today’s espionage, bits and bytes trump bullets and babes.

The Washington Post disclosed back in October that the National Security Agency (NSA) has been gathering data from Google and Yahoo without either company's knowledge. And this was on top of the information that both Google and Yahoo were knowingly sharing with the government. See our previous story, NSA spying on Google and Yahoo without their knowledge, for more information on that

No one without a security clearance knows exactly how the NSA tapped into these companies' servers. But in a New York Times article, Nicole Perlroth and John Markoff offer a very plausible theory.

Secretly breaking into either of these corporations wouldn't be easy--even for the NSA. Both Yahoo and Google protect their data "with full-time security and state-of-the-art surveillance, including heat sensors and iris scanners." The weak link in the security chain was outside the companies' control, where the "information was unencrypted and an easier target for government intercept efforts," according to three people familiar with the companies who spoke on the condition of anonymity.

According to Perlroth and Markoff, these people "believe that government spies bypassed the big Internet companies and hit them at a weak spot — the fiber-optic cables that connect data centers around the world..." These data centers are not owned by Google and Yahoo, but by "companies like Verizon Communications, the BT Group, the Vodafone Group, and Level 3 Communications."

And of these companies, Level 3 is the likely suspect. You probably haven't heard of Level 3, but a lot of what you watch, listen to, and read (including, quite probably, this article) flows through its servers. It's the world’s largest Internet backbone provider, and both Google and Yahoo make use of its extensive fiber network to connect their geographically diverse data centers. The information those corporations sent over these wires was, until very recently, unencrypted.

Not surprisingly, that's changing. Both companies have recently announced that they have started encrypting the data moving across these cables. According to Perlroth and Markoff, Microsoft will likely soon follow.

Level 3 has not, and probably cannot, answer a direct question about facilitating government spying. But the Times quoted a company statement which explained that “It is our policy and our practice to comply with laws in every country where we operate, and to provide government agencies access to customer data only when we are compelled to do so by the laws in the country where the data is located.”

But Perlroth and Markoff found another Level 3 document-- a financial filing--that was a bit more damning: “We are party to an agreement with the U.S. Departments of Homeland Security, Justice and Defense addressing the U.S. government’s national security and law enforcement concerns."  The agreement "imposes significant requirements on us," including something they call only "other matters.”

It's pretty clear that the NSA wants to know everything about everyone. And they'll gladly use one company to spy on another.

This story, "The weakest link: How the NSA may have hacked Google and Yahoo" was originally published by BrandPost.