"Although there's a diminished standard of legal protection for interception that occurs overseas, the fact that it was directed apparently to Google's cloud and Yahoo's cloud, and that there was no legal order as best we can tell to permit the interception, there is a good argument to make that the NSA has engaged in unlawful surveillance," said Marc Rotenberg, executive director of Electronic Privacy Information Center. The reference to 'clouds' refers to sites where the companies collect data.
The NSA's principal tool to exploit the Google and Yahoo data links is a project called MUSCULAR, operated jointly with the agency's British counterpart, GCHQ. The Post said NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.
The NSA has a separate data-gathering program, called PRISM, which uses a court order to compel Yahoo, Google and other Internet companies to provide certain data. It allows the NSA to reach into the companies' data streams and grab emails, video chats, pictures and more. U.S. officials have said the program is narrowly focused on foreign targets, and technology companies say they turn over information only if required by court order.
In an interview with Bloomberg News Wednesday, NSA Director Gen. Keith Alexander was asked if the NSA has infiltrated Yahoo and Google databases.
"Not to my knowledge," said Alexander. "We are not authorized to go into a U.S. company's servers and take data. We'd have to go through a court process for doing that."
It was not clear whether Alexander had any immediate knowledge of the latest disclosure in the Post report.
The GCHQ had no comment on the matter.
The NSA has far looser restrictions on what it can collect outside the United States on foreigners and would not need a court order to collected foreigners' communications.
Cybersecurity expert James Lewis said it is likely that the Google and Yahoo data collection was probably legal because it was done overseas, but the question is what the NSA did with the data linked to U.S. citizens.
To meet legal requirements, the NSA has to distinguish between a foreign and a U.S. person, and must get additional authorization to view information linked to Americans, said Lewis, who is with the Center for Strategic and International Studies. He said it's not clear from the reports what NSA did with the U.S. data, and so it's difficult to say whether the agency violated the law.
David Drummond, Google's chief legal officer, said "We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks."
Yahoo spokeswoman Sarah Meron said "We have not given access to our data centers to the NSA or to any other government agency," adding that it is too early to speculate on whether legal action would be taken.