MUSCULAR (2013 disclosure): The NSA-GCHQ Tap on Google and Yahoo Data Links.
When you send an email through Google, your message moves between Google's data centers around the world over private fiber-optic cables the company owns or leases. For years, that internal traffic flowed unencrypted — on the assumption that the private links were safe. They were not. A joint NSA–GCHQ program called MUSCULAR tapped those links overseas and copied the data in bulk. One leaked NSA slide, sketched by hand, showed exactly where the companies' encryption stopped and the agencies' collection began. It was annotated with a smiley face.
What MUSCULAR was, in a paragraph.
MUSCULAR was a joint program of the U.S. National Security Agency and the U.K. Government Communications Headquarters (GCHQ) that intercepted data flowing across the private fiber-optic links connecting the overseas data centers of Google and Yahoo. Large internet companies replicate user data — emails, documents, contacts, and more — across geographically distributed data centers, and at the time this internal traffic often crossed the companies' private wide-area networks unencrypted, because it was assumed to be inaccessible to outsiders. MUSCULAR exploited that gap by collecting the traffic at access points outside the United States (with GCHQ providing access on U.K.-controlled infrastructure), copying it, and forwarding selected data to NSA systems for processing. Because the collection occurred abroad and against links carrying foreign and U.S. data indiscriminately, it operated outside the legal framework (Section 702, FISA Court oversight) that governed the NSA's domestic-facing PRISM collection — a key distinction, since MUSCULAR could acquire data in bulk, including Americans', without the targeting and minimization regime that applied inside the United States. The program was disclosed by The Washington Post's Barton Gellman and Ashkan Soltani on October 30, 2013, based on Snowden documents. The reporting reproduced an internal NSA presentation slide on which an analyst had hand-drawn the boundary where the companies' encryption (“SSL”) was “added and removed,” annotated with a smiley face — an image that became a symbol of the agencies' attitude toward circumventing corporate security. The disclosure provoked fury from Google and Yahoo engineers and rapidly accelerated the encryption of internal data-center traffic across the industry.
The documented record.
The vulnerability: unencrypted internal links
The program exploited a specific architectural assumption. Status: Verified. To keep services fast and resilient, companies like Google and Yahoo continuously copied user data among data centers across the world over private network links. At the time, much of this internal traffic was not encrypted — the companies encrypted connections between users and their services (and increasingly so after 2010), but treated their own private backbone as trusted. MUSCULAR targeted exactly that trusted-but-unencrypted internal traffic [1][2].
The collection
MUSCULAR collected at overseas access points. Status: Verified. The program acquired data from the Google and Yahoo data-center interconnects at a collection point outside the United States, with GCHQ operating the access on infrastructure under U.K. control and sharing the take with the NSA. According to the disclosed documents, the volume was very large — the reporting cited internal figures indicating that, over a roughly one-month period, many millions of records were sent from the access point into NSA systems — reflecting the bulk nature of tapping a backbone link rather than targeting individual accounts [1][2].
The “SSL added and removed here” slide
The disclosure's defining artifact was a hand-drawn slide. Status: Verified. An internal NSA presentation explaining how Google's infrastructure worked included a sketch showing the “public internet” on one side and Google's internal “cloud” on the other, with an arrow marking the point where Secure Sockets Layer (SSL) encryption was “added and removed here” — i.e., where the traffic became unencrypted inside Google's network and thus collectible. The analyst had drawn a smiley face beside the annotation. When the slide was published, it crystallized the perception that the NSA was gleefully exploiting the gap in corporate encryption, and it became one of the most-reproduced images of the Snowden affair [1][2][3].
The legal distinction from PRISM
MUSCULAR's significance lay partly in how it differed from PRISM. Status: Verified. PRISM collected data inside the United States, from U.S. providers, under Section 702 with FISA Court oversight and targeting/minimization rules. MUSCULAR collected outside the United States, off the companies' private links, under Executive Order 12333 — the authority governing the NSA's overseas signals intelligence, which is not subject to the same FISA-Court regime. This meant MUSCULAR could sweep up data in bulk, including the communications and stored data of Americans whose information resided on or transited those foreign links, with far fewer of the protections that applied domestically. The two programs together let the agency obtain the same companies' data through both the front door (PRISM, with process) and the back door (MUSCULAR, without it) [1][2][4].
The industry response
The disclosure triggered a rapid technical countermeasure. Status: Verified. Google and Yahoo, and other major companies, moved quickly to encrypt the traffic flowing between their data centers, closing the MUSCULAR access. Google engineers reacted publicly with anger at the revelation. The episode is widely credited with accelerating the broad industry shift to pervasive encryption of internal and inter-data-center traffic in the years after 2013 — one of the most concrete consequences of the Snowden disclosures [2][3][5].
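The gap described in this section can be modelled as a path audit. The following is an added example, not code from the reporting or from either company: it walks a data path hop by hop, reports where encryption is removed, and lists the plaintext hops that cross between sites. The topology, the component names and the Hop type are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    src: str         # sending component
    dst: str         # receiving component
    src_site: str    # physical site of the sender ("internet" for clients)
    dst_site: str    # physical site of the receiver
    encrypted: bool  # True if this hop is protected in transit (e.g. TLS)

def termination_point(path):
    """Component where encryption is removed: the receiver of an encrypted
    hop that forwards the data onward in plaintext. None if that never happens."""
    for prev, nxt in zip(path, path[1:]):
        if prev.encrypted and not nxt.encrypted:
            return prev.dst
    return None

def exposed_hops(path):
    """Plaintext hops that leave a site: the traffic readable by anyone
    with access to the fiber between data centers."""
    return [h for h in path if not h.encrypted and h.src_site != h.dst_site]

def report(path):
    return {"tls_removed_at": termination_point(path),
            "exposed": [(h.src, h.dst) for h in exposed_hops(path)]}

# Constructed topology (all names hypothetical): TLS ends at the front end,
# and replication then crosses the private WAN in the clear.
BEFORE = [
    Hop("client", "frontend", "internet", "dc-a", True),
    Hop("frontend", "mail-store", "dc-a", "dc-a", False),
    Hop("mail-store", "replica", "dc-a", "dc-b", False),
]
# Same path after the countermeasure: the inter-site link is encrypted.
AFTER = [
    Hop("client", "frontend", "internet", "dc-a", True),
    Hop("frontend", "mail-store", "dc-a", "dc-a", False),
    Hop("mail-store", "replica", "dc-a", "dc-b", True),
]

if __name__ == "__main__":
    print(report(BEFORE))
    print(report(AFTER))
```

In the AFTER path the front end still terminates client TLS, but no plaintext hop leaves a site, which is the property the post-2013 inter-data-center encryption was meant to establish.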
The official explanation.
The NSA's response to the MUSCULAR disclosure emphasized legality and foreign focus. Status: Claimed. The agency stated that its activities were focused on valid foreign-intelligence targets and that it operated under lawful authority; it pushed back on the characterization that it was indiscriminately collecting Americans' data, while not denying the existence of overseas collection. The agency's framing rested on the overseas locus of the collection and on Executive Order 12333 authority [1][4].
Critics — including privacy advocates and the affected companies — argued that conducting the collection abroad, outside the FISA framework, was precisely the point: it allowed the bulk acquisition of data, including Americans', that could not lawfully have been collected the same way inside the United States. Status: Disputed. The dispute centers on whether collecting Americans' data abroad, off corporate backbones, under EO 12333 rather than FISA, is a legitimate distinction or a deliberate circumvention of domestic legal protections. The companies' position was that their users' data had been taken without their knowledge or consent and that the program betrayed the trust placed in private infrastructure [1][2][4].
The unanswered questions.
The full scale and the Americans collected
The precise total volume of data collected under MUSCULAR, and how much of it belonged to Americans, is not fully documented. Status: Unverified. The disclosed records gave a snapshot (millions of records in a month from one access point), but the program's complete reach and its U.S.-person impact were never officially quantified [1][2].
The other providers and links
The disclosure focused on Google and Yahoo, but whether similar collection targeted other companies' internal links is not fully established in the public record. Status: Disputed. Related programs and access points have been reported, but a complete inventory of which backbones were tapped does not exist publicly [1][4].
The EO 12333 oversight question
Because MUSCULAR operated under Executive Order 12333 rather than statute, the degree of independent oversight it received is unclear. Status: Unverified. EO 12333 collection has historically had far less external oversight than FISA-governed collection, and the specific controls on MUSCULAR were not publicly detailed [4].
Primary material.
The accessible record on MUSCULAR is held principally at these locations:
- The October 30, 2013 Washington Post report by Barton Gellman and Ashkan Soltani, with the reproduced NSA slides including the “SSL added and removed here” sketch — the primary disclosure.
- The leaked NSA presentation slides on the MUSCULAR access and Google/Yahoo infrastructure, from the Snowden material.
- Statements by Google and Yahoo responding to the disclosure, and the companies' subsequent announcements of inter-data-center encryption.
- Analyses of Executive Order 12333 collection by civil-liberties organizations and former officials, contextualizing MUSCULAR's legal basis.
- Barton Gellman, Dark Mirror (2020) — the reporter's account of the MUSCULAR reporting.
Critical individual sources include: the October 30, 2013 report and slides; the companies' encryption announcements; and the EO 12333 legal analyses.
The sequence.
- Late 2000s–early 2010s: Google and Yahoo replicate user data across data centers over private links, much of it unencrypted.
- By the early 2010s: The NSA and GCHQ operate MUSCULAR, collecting from those links at an overseas access point under EO 12333.
- October 30, 2013: The Washington Post discloses MUSCULAR and publishes the “SSL added and removed here” slide.
- Late 2013–2014: Google and Yahoo encrypt inter-data-center traffic, closing the access; the industry shift to pervasive encryption accelerates.
Cases on this archive that connect.
PRISM (File 176) — the legal, process-based collection from the same companies inside the United States. MUSCULAR is the extralegal, overseas counterpart against the same targets.
The Snowden Disclosures (File 025) — the source of the MUSCULAR documents and the broader corpus.
STELLAR WIND (File 175) — the post-9/11 warrantless program; MUSCULAR continues the pattern of collection outside the FISA framework.
The ECHELON Network (File 180) — the NSA-GCHQ Five Eyes signals-intelligence partnership of which MUSCULAR is a modern, internet-era expression.
Full bibliography.
- [1] Gellman, Barton, and Soltani, Ashkan, “NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say,” The Washington Post, October 30, 2013.
- [2] The leaked NSA MUSCULAR presentation slides (Snowden material), including the “SSL added and removed here” sketch.
- [3] Public statements by Google and Yahoo on the disclosure and on data-center traffic encryption, 2013–2014.
- [4] Civil-liberties and legal analyses of Executive Order 12333 signals-intelligence collection (e.g., ACLU, former State Department official John Napier Tye's 2014 commentary).
- [5] Gellman, Barton, Dark Mirror: Edward Snowden and the American Surveillance State, Penguin Press, 2020.