What Happens When the NSA Shows Up with Hardware To Monitor Your Data Center

We've covered the NSA revelations and subsequent government petitions at some length, but here's a new twist to the story of the government's pervasive monitoring program -- a view of the activity from an ISP's perspective. According to Pete Ashdown, the CEO of XMission, a Utah ISP, the company received its first FISA warrant "request" in 2010. There's no way to challenge FISA warrants and no legal recourse -- so Ashdown had no choice but to install a server, one of the NSA's own machines, in their data center.

The technical aspects of the situation are remarkably straightforward. The NSA sent over a server (Ashdown was only allowed to take technical notes on how the unit was to be deployed). Data was mirrored between the NSA server and the main server -- every bit of traffic that hit the host domain was copied over to the NSA box, which was an unobtrusive black and fit right in with your standard data center deployment structure. If you've ever been in a datacenter, you know that most rack-mountable hardware is pretty anonymous save for brand logos and even those aren't always present.

Once installed, a few employees asked about it, but Ashdown told them "It's something I'm dealing with." Nothing much happened with the box and nine months after it installed the hardware, the government came back and picked it up. As far as Ashdown knows, no one was ever arrested or charged with a crime in conjunction with the monitoring. His interview with Buzzfeed, however, captures the essential problem.

These programs that violate the Bill of Rights can continue because people can’t go out and say, “This is my experience, this is what happened to me, and I don’t think it is right.” There is absolutely [a] need for secrecy when you are dealing with a criminal investigation. You don’t want to tip off criminals being monitored. But you can’t say, “You can never talk about this ever, for the rest of your life.

The FISA court should be a public court, and documents should be sealed for a set period of time, [to] let people audit the actions later. We have received lots of federal requests. I don’t think a lot of people realize just how much information is transmitted in the clear on the Internet.
One aspect of the case that Ashdown draws attention to is the fact that large companies get paid to monitor people for the government. In and of itself, that doesn't mean a great deal -- the government isn't spying on enough people to make a fundamental difference to Google or Apple's bottom line, and charging them for doing so is probably a small way to try and keep spy programs from growing too large. Even so, it's a bit chilling to know that not only is possibly your behavior monetized, the ability to watch that behavior (if the government is doing the watching) is also monetized.  

This kind of story is important because it drives home the fact that even the customers of a small regional ISP in Utah aren't safe from monitoring. Used to be, moving out West was seen as a way to get away from people and civilization in general, but that's no longer true. If the government decides it wants your data, there's little recourse, though Ashdown's  comments indicate that a Tor node can provide some level of protection (undoubtedly depending on which services you use it for).