While President Barack Obama's plan to address concerns about the National Security Agency's overzealous data collection practices was noncommittal, there is no question that the NSA is undergoing a lot of change.

Many initiatives that started before the spy agency's former contractor Edward Snowden released classified documents about its worldwide communications surveillance to the press have been put on hold. General Keith Alexander, its current chief, is leaving (although the official version is that he has been planning to leave since before the Snowden scandal). Much of the upcoming confirmation hearing of Vice Admiral Michael Rogers, Obama's nominee to replace Alexander, will surely be spent discussing his plan to alleviate the public's outrage about government surveillance programs while making sure those programs stay effective.

One of the biggest allegations to come out of the Snowden leaks is that the NSA had been tapping into backbone fiber operated by companies like Level 3, Verizon, BT or Vodafone.

Upstream, the program designed to collect communications on fiber cables that was identified in one of the slides Snowden provided to the Washington Post, was meant to be used in parallel with PRISM, the program for collection of data directly from servers of some of the largest service providers on the Internet, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.

A November New York Times article pointed at Level 3, the backbone provider used by both Google and Yahoo, as the carrier whose infrastructure the NSA had potentially tapped. The carrier denied any unlawful cooperation with the agency. Throughout the leak scandal, the NSA has maintained that it has acted within legal boundaries.

Many doors available

If the government has indeed been tapping into backbone pipes, how could it gain that access? Seth Schoen, senior staff technologist with the Electronic Frontier Foundation (EFF), says there are a number of possibilities. EFF is a San Francisco-based non-profit digital-rights group. Schoen’s statements are speculative, as no specific information on the subject has been revealed publicly.

Snowden’s slides indicate that the NSA can gain direct access to communications infrastructure in different parts of the world, he says. One way to do it would be to gain “access to the physical cables that … connect the facilities.” It could be done on land or under sea. The NSA has been tapping undersea communication cables since at least the 1970s, and it would not be hard to send somebody down a manhole to plug a wiretapping device into a cable on shore, he says.

While the access point does not have to be inside a telco’s facility, that is a possibility as well. This could be done through an agreement between the US and a foreign government, where the latter agrees to give the former access to telco infrastructure located within its jurisdiction. The foreign government can then use its power to compel a service provider to give access to its infrastructure and keep it secret, Schoen says. “I don’t know of any instances [of such agreements] that have been directly revealed,” but we do know that governments have many surveillance-related agreements, he adds.

There are numerous other possibilities, including hacking into routers or other networking gear, blackmailing or bribing telco employees and having an agent get a job with a provider, among others, Schoen says.

A recent case in point

An example of direct cooperation between the NSA and a major telco was provided in the mid-2000s by another leaker, Mark Klein. A former AT&T employee, he told Wired and EFF in 2006 that the telco was routing all traffic from its network, including traffic from backbones it was peering with, to the NSA. Documents he provided included a description of a secret NSA room inside an AT&T building in San Francisco where the spy agency’s equipment was located. He said there were reasons to believe there were more such rooms in other AT&T facilities around the country.

Can colos be tapped?

Targets don’t have to be the likes of Google or Yahoo. A big chunk of all internet traffic goes through colo providers’ data centers. No information has come out to indicate there have been attempts to collect data from infrastructure operated by firms such as Equinix or Telx. But Schoen does not rule that possibility out.

Telx declined to comment, but an Equinix spokeswoman wrote in an email that data security was the clients’ responsibility. “We’re responsible for physically securing the data centers themselves, and our customers are responsible for securing their data and applications,” she said.

Encryption as best defense

Internet giants have responded by lobbying for surveillance reform and focusing on encryption of traffic flowing between their data centers.

Privacy advocates have long said encryption “has the potential to protect communications regardless of the particular ways in which the infrastructure has been tapped or subverted,” Schoen says. “We don’t need to figure out whether satellites are tapping microwave links, submarines are tapping undersea cables, routers are getting compromised through software bugs, peering links are being split at peering points, insiders are installing monitoring software on backbone devices ... if encryption can protect the traffic that passes over all these untrustworthy intermediaries.”

A version of this article ran in the latest issue of DatacenterDynamics FOCUS.