In its bid to ‘counter terrorism’, the NSA’s British sidekick GHCQ collected millions of random webcam images from random Yahoo! users, and saved them in a database, regardless of whether the user was an intelligence target. Many of these images were of a sexually explicit nature.
According to the Guardian, documents (presumably obtained courtesy of Mr Edward Snowden) show that as part of its OPTIC NERVE program, GHCQ collected 1.8 million such images in just one six month period alone, and millions more over a period spanning 2008 to 2010.
The images were collected because they had ‘the potential to aid selection of useful images for “mugshots” or even for face recognition by assessing the angle of the face,’ and were submitted to into the NSA’s XKeyscore search and analysis tool. Although some limits were set on analysts’ ability to view the images (bulk searches were restricted to metadata only), they could view the faces of (presumably completely innocent) individuals with usernames similar to a target’s.
No legal protection
UK law does not prohibit the collection of such information about its own citizens, and the bulk (and largely anonymous) nature of the collection would ensure there was no way to filter out UK (or US) citizens anyway. UK citizens are protected from additional search analysis (which requires additional legal authorisations), but citizens of other ‘Five Eyes’ nations (US, Australia, New Zealand and Canada) receive no such protection, let alone citizens of non-Anglophone nations.
US agencies such as the NSA, while unable to collect such images themselves, are under no restrictions on using images of US citizens collected and shared with them by GHCQ.
Unsurprisingly, GHCQ claims that everything it does necessary, proportionate, and in accordance with UK law.
Underlining the scale to which this program invaded the privacy of random and completely innocent Yahoo! users, between 3 and 11 percent of the images contained ‘undesirable nudity’,
‘Unfortunately there are issues with undesirable images within the data. It would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person. Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography.’
Automatic computer filters were employed to try and screen out these ‘undesired images’, and guidelines were put into place for protecting employees ‘who may feel uncomfortable about such material’, but at no point does anyone seem to have questioned the validity (or utility) of harvesting Yahoo! images, many of which were of innocent peoples’ penises.
Yahoo!, who were completely unaware of the program, are justifiably outraged,
‘We were not aware of, nor would we condone, this reported activity. This report, if true, represents a whole new level of violation of our users’ privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December. We are committed to preserving our users’ trust and security and continue our efforts to expand encryption across all of our services.’
Politicians (from all UK parties) and human rights groups have also reacted angrily to the news, although so far mainstream media (and hence general public) interest has been muted.
We hope that all UK citizens (of which the writer is one) are sleeping better in knowledge of the sterling that GHCQ is tirelessly putting in to protecting us.
Protecting your privacy
VPN can afford a high degree of privacy on the internet, as it masks your IP address so that it appears to be that of your VPN provider’s server. The connection from the VPN server back to your computer is securely encrypted, so no-one, not even your ISP or the NSA (probably), can see what passes between them. Good VPN providers keep no logs and share a single IP address among many users, so identifying an individual with any activity on the internet is very difficult.
Although we don’t know the details, we should however probably assume that GHCQ somehow obtained direct access to Yahoo!’s servers. This means that even if connected via VPN, users would have been signed into their Yahoo! accounts, and would therefore likely be easily identifiable by GHCQ through their account details.
While probably a step too far for most, we should note that if you signed up for a Yahoo! account anonymously (i.e. did not use your real-world details), and only connected to Yahoo! using VPN (so Yahoo! would have no record of your true IP), there would be very little to trace your account (and any images collected) back to you as an individual.