With stakes such as those, there was no capability the NSA believed it should leave on the table. The agency followed orders from President George W. Bush to begin domestic collection without authority from Congress and the courts. When the NSA won those authorities later, some of them under secret interpretations of laws passed by Congress between 2007 and 2012, the Obama administration went further still.
Using PRISM, the cover name for collection of user data from Google, Yahoo, Microsoft, Apple and five other U.S.-based companies, the NSA could obtain all communications to, from or "about" any specified target. The companies had no choice but to comply with the government's request for data.
But the NSA could not use PRISM, which was overseen once a year by the surveillance court, for the collection of virtually all data handled by those companies. To widen its access, it teamed up with its British counterpart, Government Communications Headquarters, or GCHQ, to break into the private fiber-optic links that connected Google and Yahoo data centers around the world.
That operation, which used the cover name MUSCULAR, tapped into U.S. company data from outside U.S. territory. The NSA therefore believed it did not need permission from Congress or judicial oversight. Data from hundreds of millions of U.S. accounts flowed over those Google and Yahoo links, but classified rules allowed the NSA to presume that data ingested overseas belonged to foreigners.
Disclosure of the MUSCULAR project enraged and galvanized U.S. technology executives. They believed the NSA had lawful access to their front doors — and had broken down the back doors anyway.
Microsoft general counsel Brad Smith took to his company's blog and called the NSA an "advanced persistent threat" — the worst of all fighting words in U.S. cybersecurity circles, generally reserved for Chinese state-sponsored hackers and sophisticated criminal enterprises.