Britain’s surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal.
GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not.
In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo reacted furiously to the webcam interception when approached by the Guardian. The company denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy“.
GCHQ does not have the technical means to make sure no images of UK or US citizens are collected and stored by the system, and there are no restrictions under UK law to prevent Americans’ images being accessed by British analysts without an individual warrant.
The documents also chronicle GCHQ’s sustained struggle to keep the large store of sexually explicit imagery collected by Optic Nerve away from the eyes of its staff, though there is little discussion about the privacy implications of storing this material in the first place.
Optic Nerve, the documents provided by NSA whistleblower Edward Snowden show, began as a prototype in 2008 and was still active in 2012, according to an internal GCHQ wiki page accessed that year.
The system, eerily reminiscent of the telescreens evoked in George Orwell’s 1984, was used for experiments in automated facial recognition, to monitor GCHQ’s existing targets, and to discover new targets of interest. Such searches could be used to try to find terror suspects or criminals making use of multiple, anonymous user IDs.
Rather than collecting webcam chats in their entirety, the program saved one image every five minutes from the users’ feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ’s servers. The documents describe these users as “unselected” – intelligence agency parlance for bulk rather than targeted collection.
One document even likened the program’s “bulk access to Yahoo webcam images/events” to a massive digital police mugbook of previously arrested individuals.
“Face detection has the potential to aid selection of useful images for ‘mugshots’ or even for face recognition by assessing the angle of the face,” it reads. “The best images are ones where the person is facing the camera with their face upright.”
The agency did make efforts to limit analysts’ ability to see webcam images, restricting bulk searches to metadata only.
However, analysts were shown the faces of people with similar usernames to surveillance targets, potentially dragging in large numbers of innocent people. One document tells agency staff they were allowed to display “webcam images associated with similar Yahoo identifiers to your known target”.
Optic Nerve was based on collecting information from GCHQ’s huge network of internet cable taps, which was then processed and fed into systems provided by the NSA. Webcam information was fed into NSA’s XKeyscore search tool, and NSA research was used to build the tool which identified Yahoo’s webcam traffic.
Bulk surveillance on Yahoo users was begun, the documents said, because “Yahoo webcam is known to be used by GCHQ targets”.
Programs like Optic Nerve, which collect information in bulk from largely anonymous user IDs, are unable to filter out information from UK or US citizens. Unlike the NSA, GCHQ is not required by UK law to “minimize”, or remove, domestic citizens’ information from its databases. However, additional legal authorisations are required before analysts can search for the data of individuals likely to be in the British Isles at the time of the search.
There are no such legal safeguards for searches on people believed to be in the US or the other allied “Five Eyes” nations – Australia, New Zealand and Canada.
GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law.
The documents also show that GCHQ trialled automatic searches based on facial recognition technology, for people resembling existing GCHQ targets: “[I]f you search for similar IDs to your target, you will be able to request automatic comparison of the face in the similar IDs to those in your target’s ID”.
The undated document, from GCHQ’s internal wiki information site, noted this capability was “now closed … but shortly to return!”
The privacy risks of mass collection from video sources have long been known to the NSA and GCHQ, as a research document from the mid-2000s noted: “One of the greatest hindrances to exploiting video data is the fact that the vast majority of videos received have no intelligence value whatsoever, such as pornography, commercials, movie clips and family home movies.”
Sexually explicit webcam material proved to be a particular problem for GCHQ, as one document delicately put it: “Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person. Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography.”
The document estimates that between 3% and 11% of the Yahoo webcam imagery harvested by GCHQ contains “undesirable nudity”. Discussing efforts to make the interface “safer to use”, it noted that current “naïve” pornography detectors assessed the amount of flesh in any given shot, and so attracted lots of false positives by incorrectly tagging shots of people’s faces as pornography.
GCHQ did not make any specific attempts to prevent the collection or storage of explicit images, the documents suggest, but did eventually compromise by excluding images in which software had not detected any faces from search results – a bid to prevent many of the lewd shots being seen by analysts.
The system was not perfect at stopping those images reaching the eyes of GCHQ staff, though. An internal guide cautioned prospective Optic Nerve users that “there is no perfect ability to censor material which may be offensive. Users who may feel uncomfortable about such material are advised not to open them”.
It further notes that “under GCHQ’s offensive material policy, the dissemination of offensive material is a disciplinary offence”.