• 1.8m users targeted by UK agency in six-month period alone
• Optic Nerve program collected Yahoo webcam images in bulk
• Yahoo: ‘A whole new level of violation of our users’ privacy’
• Material included large quantity of sexually explicit images
The GCHQ program saved one image every five minutes from the users’ feeds. Photograph: Chris Jackson/Getty Images
Britain’s surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal.
files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not.
In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo reacted furiously to the webcam interception when approached by the Guardian. The company denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy“.
does not have the technical means to make sure no images of UK or US citizens are collected and stored by the system, and there are no restrictions under UK law to prevent Americans’ images being accessed by British analysts without an individual warrant.
The documents also chronicle ‘s sustained struggle to keep the large store of sexually explicit imagery collected by Optic Nerve away from the eyes of its staff, though there is little discussion about the privacy implications of storing this material in the first place.
Optic Nerve, the documents provided by NSA whistleblower Edward Snowden show, began as a prototype in 2008 and was still active in 2012, according to an internal wiki page accessed that year.
The system, eerily reminiscent of the telescreens evoked in George Orwell’s 1984, was used for experiments in automated facial recognition, to monitor ‘s existing targets, and to discover new targets of interest. Such searches could be used to try to find terror suspects or criminals making use of multiple, anonymous user IDs.
Rather than collecting webcam chats in their entirety, the program saved one image every five minutes from the users’ feeds, partly to comply with human rights legislation, and also to avoid overloading ‘s servers. The documents describe these users as “unselected” – intelligence agency parlance for bulk rather than targeted collection.
One document even likened the program’s “bulk access to Yahoo webcam images/events” to a massive digital police mugbook of previously arrested individuals.
“Face detection has the potential to aid selection of useful images for ‘mugshots’ or even for face recognition by assessing the angle of the face,” it reads. “The best images are ones where the person is facing the camera with their face upright.”
The agency did make efforts to limit analysts’ ability to see webcam images, restricting bulk searches to only.
However, analysts were shown the faces of people with similar usernames to surveillance targets, potentially dragging in large numbers of innocent people. One document tells agency staff they were allowed to display “webcam images associated with similar Yahoo identifiers to your known target”.
Optic Nerve was based on collecting information from ‘s huge network of internet cable taps, which was then processed and fed into systems provided by the . Webcam information was fed into NSA’s search tool, and NSA research was used to build the tool which identified Yahoo’s webcam traffic.
Bulk surveillance on Yahoo users was begun, the documents said, because “Yahoo webcam is known to be used by targets”.
Programs like Optic Nerve, which collect information in bulk from largely anonymous user IDs, are unable to filter out information from UK or US citizens. Unlike the , is not required by UK law to “minimize”, or remove, domestic citizens’ information from its databases. However, additional legal authorisations are required before analysts can search for the data of individuals likely to be in the British Isles at the time of the search.
Read More Here