[andrewmccall]

I had the same question and it leads me to believe the companies saying they had no idea. Someone at Google/MS/Facebook would almost surely notice those extra servers over there, all that extra network traffic going somewhere, or those cables that seem to go into a locked closet.

I think it's far more likely this is built off the back of the data they're already known to be sucking down via major exchanges.

A national security letter for the TLS certs and you can take what you want, when you want off straight from the stream of packets.