GCHQ, NSA secretly collected webcam images from millions of Yahoo users

This week saw yet another Snowden-borne revelation about the state of global surveillance, and amid banal warnings about metadata and targeted hacks, it could end up being the most salacious leak so far. The Guardian reports that the UK’s GCHQ spy agency (pictured above) has been using NSA systems to collect millions of still images from private webcam feeds — a good portion of which reportedly contained sexually explicit imagery. These feeds were captured through Yahoo infrastructure, but if Snowden has taught us anything, it’s that government hackers are neurotic completists; it is prudent to suspect that most or all major such services have been compromised as well.

The documents refer to the period of 2008 to 2010, detailing a program called Optic Nervethat was designed for dragnet surveillance. That is, this program does not restrict itself to specific targets of surveillance, but grabbed essentially every conversation it could find. In a single six-month period in 2008, Optic Nerve saved shots from 1.8 million Yahoo accounts; just how many shots were taken from each is unclear. The document claims that Optic Nerve “only” collects an image every 5 minutes, a restriction that arises from the sheer number of people being watched. The implication is that narrowing the target group would allow denser data collection.

Time to bust out the masking tape?

Yahoo has understandably voiced strong denunciations of the program, calling it a “whole new level” of violation of their users’ privacy. Many are comparing the invasion to George Orwell’s Big Brother, which looked in on citizens via cameras in the home, but it’s worth noting that Big Brother at least provided the cameras at no personal cost; this sort of surveillance uses cameras purchased by the victims themselves. Additionally, these feeds were subject to big data-style analysis the likes of which Orwell could never have dreamed; programs that automatically sift through the millions of feeds for good “mug shot” angles and other intel-friendly elements.

Optic Nerve was both developed and run with the help of NSA technology like XKeyscore, essentially making this an international spying effort. This provides strong evidence (if not outright proof) of one of the most pervasive conspiracy theories about global surveillance: that international alliances fundamentally undermine limitations on domestic spying. Though the documents do not explicitly refer to collection of American conversations, GCHQ has no ability (nor stated wish) to exclude US or UK connections from the Optic Nerve program, making it a virtual certainty that such records were collected in enormous volumes.

Edward Snowden’s historical document dump is still paying dividends as journalists comb through its jumbled contents.

Around the world, surveillance law is clear: spy agencies like NSA, the UK’s GCHQ, and Canada’s CSEC are categorically not allowedto spy on their own citizens. Americans may not spy on Americans, nor Britons on Britons — but of course, an American could spy on a Canadian. When those two governments share data with each other more readily than with their own citizens, the loophole becomes obvious. Even assuming that these agencies adhere strictly to the letter of the law, their ability to spy on their own citizens might be impeded only slightly, if at all.

President Obama made waves earlier this month with a promise that no international ally has been given a “no spy” exemption from NSA’s prying eyes — a statement that reportedly distressed several governments who had believed themselves to be under the protection of just such a deal. For nations within the so-called Five Eyes spying alliance, however, this announcement might have sounded more like a promise: we will keep watch on your people, so you don’t have to. As we see here, that relationship definitely runs both ways. (Read: Tech giants team up to battle NSA surveillance, governmental snooping.)

Snippet from the GCHQ/webcam leak

Probably the most sensational aspect of this story, though, is the inclusion of sexually explicit photos in GCHQ’s webcam haul. (Maybe Optic Perv was a better name for the program?) Any random assortment of webcam traffic will, unavoidably, carry a hefty number of sexy feeds — in a conversation between long-distance partners, for instance — and GCHQ does not have the technological ability to sift these out and exclude them from the reports. Agents are instructed to select these records for viewing purely through their metadata tags, and only when those tags implied that a particular webcam image was relevant to an ongoing investigation.

The documents do refer to a genuine effort to weed out sexually explicit images, and to keep them from the eyes of agents, but those same documents make it clear that the efforts fell far short of success. In an industry obsessed with analytic automation, one can only imagine the areola-recognition algorithms that arose to meet this challenge. The Snowden documents reveal no specific discussion of the legal or privacy implication of collecting and storing webcam information in the first place, however. (Read: How to use the 25% of the internet that the NSA doesn’t monitor.)

From basic privacy concerns to possible future blackmail, this is a revelation that strikes most internet users harder than metadata collection or Google cookie exploits. More than that, it is among the first pieces of direct evidence that substantive sharing of intelligence between Five Eyes countries could threaten privacy worldwide.

More on::extremetech.com