SAN FRANCISCO — A British intelligence agency collected video webcam images — many of them sexually explicit — from millions of Yahoo users, regardless of whether they were suspected of illegal activity, according to accounts of documents leaked by Edward J. Snowden.
The surveillance effort operated by Britain’s Government Communications Headquarters, or GCHQ, was code-named Optic Nerve. Images from Yahoo webcam chats were captured in bulk through the agency’s fiber-optic cable taps and saved to a GCHQ database.
It is unclear how much of the data was shared with American officials at the National Security Agency, though the British ran queries of the data using a search tool provided by the N.S.A. called XKeyscore, according to a report on Thursday by The Guardian.
The report did not indicate whether the agency also collected webcam images from similar services, such as Google Hangouts or Microsoft’s Skype. The Guardian did say the British intelligence agency was studying the possibilities of using the cameras in Microsoft’s Kinect devices, which are used with its Xbox game consoles, to spy on users.
Because the British agency lacked the technical means to filter out the content of British or American citizens, and because it faces fewer legal restrictions than the N.S.A. in the United States, documents show that the GCHQ was collecting vast amounts of webcam images. In one six-month period in 2008, the agency collected webcam images from more than 1.8 million Yahoo user accounts globally, including those of Americans, according to the Guardian report.
The British agency restricted its collection by saving one image every five minutes from users’ feeds, partly to avoid overwhelming its servers. It also restricted its image searches to so-called metadata, information that tells analysts what content the files contain, such as the sender and receiver’s usernames, file types, time, date and duration of their webcam chat.
But analysts were still able to view the contents of webcam chats between users whose usernames matched those of surveillance targets. One document instructs analysts that they are allowed to view “webcam images associated with similar Yahoo identifiers to your known target.”
The agency also apparently experimented with facial-recognition technology, which searched webcam images for faces resembling those of GCHQ targets. One undated document shows that the agency shuttered this capability. It was unclear if or when it was resurrected. It is also unclear if the N.S.A. also had access to the metadata and images.
Yahoo said in a statement on Thursday that it was not aware of the program and expressed outrage at published reports.
“This report, if true, represents a whole new level of violation of our users’ privacy that is completely unacceptable and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December,” the company said in a statement. “We are committed to preserving our users’ trust and security and continue our efforts to expand encryption across all of our services.”
Microsoft also said it had never heard of the surveillance program or the British government’s interest in using the Kinect camera for spying. “However, we’re concerned about any reports of governments surreptitiously collecting private customer data,” the company said in a statement. “That’s why in December we initiated a broad effort to expand encryption across our services and are advocating for legal reforms.”
Companies like Yahoo, Google and Microsoft that operate Internet services send vast amounts of data — including video and webcam chats — through the fiber-optic lines between their data centers around the world. After recent disclosures about government tapping of some such lines, all three companies have said they are working to encrypt those links between their data centers to thwart spying.
Yahoo has said that encryption will be in place for all of its services by March 31. Google has encrypted its video chat services, including Hangouts, since at least 2010.
In response to earlier concerns about potential government surveillance of the Kinect camera, Microsoft said last year that it would allow users to turn it off. It also said it did not give any government broad access to Skype data or security technologies.
Documents dated between 2008 and 2010 show the GCHQ was collecting still images from Yahoo webcam chats and storing them in an agency database. The GCHQ’s Optic Nerve program, which began as a prototype, was still active in 2012, according to an internal GCHQ document.
The program posed unique challenges. According to one GCHQ document, between 3 and 11 percent of collected Yahoo webcam images contained sexually explicit content. “Unfortunately, there are issues with undesirable images within the data,” one GCHQ document reads. “It would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person.”
An internal agency survey of 323 Yahoo usernames found that 7.1 percent of those images contained “undesirable nudity.”
The same document also notes that because Yahoo users can broadcast webcam streams to more than one user, without a reciprocal stream, the service “appears sometimes to be used for broadcasting pornography.”
Collecting and storing content from video sources has long posed a dilemma for the N.S.A. and its intelligence counterparts because files are often larger and more difficult to store. Also, the video files often contain pornography, family videos, commercials and content of questionable intelligence value.
In its article, The Guardian described one presentation in which GCHQ analysts discuss the possibility in spying on webcam traffic from Microsoft’s Xbox 360’s Kinect camera, claiming it generated “fairly normal webcam traffic” and was being considered for part of a wider surveillance program.
Previous disclosures from documents released by Mr. Snowden show that the N.S.A. was actively exploring the video capabilities of game consoles for surveillance, and that N.S.A. analysts infiltrated virtual games like World of Warcraft and Second Life to snoop on targets.
A GCHQ spokesman cited “a longstanding policy that we do not comment on intelligence matters.”
“Furthermore,” the spokesman, who declined to be identified, said, “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the Interception and Intelligence Services commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position.”
Vaneé Vines, an N.S.A. spokeswoman, said in a statement: “The National Security Agency does not ask its foreign partners to undertake any intelligence activity that the U.S. government would be legally prohibited from undertaking itself. N.S.A. works with a number of partners in meeting its foreign intelligence mission goals, and those operations comply with U.S. law and with the applicable laws under which those partners operate.
“A key part of the protections that apply to both U.S. persons and citizens of other countries is the mandate that information be in support of a valid foreign intelligence requirement, and comply with U.S. attorney general-approved procedures to protect privacy rights. Those procedures govern the acquisition, use and retention of information about U.S. persons.”
The Guardian article referred to an internal GCHQ document that considered the legalities of the Optic Nerve program as new capabilities, like automated facial matching, were developed. But the article said that the agency would wait to consider legalities until experimental capabilities were fully developed.
As The Guardian ran its story, , global security experts and intelligence officials were in San Francisco this week at the RSA Conference on cybersecurity.
“We have to have some understanding about what we are going to collect and what we are not going to collect,” Richard Clarke, former United States counterterrorism czar, said. “If there are things that we think are so embarrassing that they wouldn’t pass the ‘front page test,’ then don’t do it.”