KARMA POLICE: GCHQ's plan to track every Web user in the world

The KARMA POLICE program is detailed in newly released Snowden docs published on The Intercept; it began as a project to identify every listener to every Internet radio station (to find people listening to jihadi radio) and grew into an ambitious plan to identify every Web user and catalog their activities from porn habits to Skype contacts.

The program began in 2007/8 and it mined BLACK HOLE, which is GCHQ's repository for all the data sucked up by its fiber taps (which it calls "probes"). It attempted to map IP addresses to peoples' identities, and cross reference users' identities on various systems and in various locations, collecting them into "a web browsing profile for every visible user on the Internet."

Part of this was accomplished by looking at a users' cookies — if you log into Google on your phone and your laptop, GCHQ use its surveillance views into that cookie to connect all the traffic from your laptop and phone with a single identity. The agency exploited cookies from a wide variety of popular websites that put like/share buttons, beacons, and other assets on a many other sites. The targeted cookies came from Google, Microsoft, Facebook, Reddit, the BBC, Amazon, WordPress, Yahoo, and others.

KARMA POLICE drew on a frankly bewildering array of other programs, which sucked up data from a variety of sources. These programs were given exotic codenames by GCHQ: SOCIAL ANTHROPOID, MEMORY HOLE, MARBLED GECKO, INFINITE MONKEYS, etc. These logged different kinds of Internet events — search queries, Google Maps searches, and BBS/message-board posts.

The UK spy agency had an extraordinary view into the world's Internet traffic thanks to the number of oceanic fiber links that make landfall in the UK.

Like the NSA, GCHQ relied on secret interpretations of the laws on spying to paper over its activities, so that it could tell its governmental overseers that all its activities were lawful. It amassed records on people from all over the world, including Britons, and routinely allows its spying partners to search its databases. The US NSA, as well as spy agencies from Canada, Australia, and New Zealand all have access to its data on British citizens and people from all over the world.

In March, the existence of this loophole was quietly acknowledged by the U.K. parliamentary committee's surveillance review, which stated in a section of its report that "special protection and additional safeguards" did not apply to metadata swept up using external warrants and that domestic British metadata could therefore be lawfully "returned as a result of searches" conducted by GCHQ.

Perhaps unsurprisingly, GCHQ appears to have readily exploited this obscure legal technicality. Secret policy guidance papers issued to the agency's analysts instruct them that they can sift through huge troves of indiscriminately collected metadata records to spy on anyone regardless of their nationality. The guidance makes clear that there is no exemption or extra privacy protection for British people or citizens from countries that are members of the Five Eyes, a surveillance alliance that the U.K. is part of alongside the U.S., Canada, Australia, and New Zealand.

"If you are searching a purely Events only database such as MUTANT BROTH, the issue of location does not occur," states one internal GCHQ policy document, which is marked with a "last modified" date of July 2012. The document adds that analysts are free to search the databases for British metadata "without further authorization" by inputing a U.K. "selector," meaning a unique identifier such as a person's email or IP address, username, or phone number.

Authorization is "not needed for individuals in the U.K.," another GCHQ document explains, because metadata has been judged "less intrusive than communications content." All the spies are required to do to mine the metadata troves is write a short "justification" or "reason" for each search they conduct and then click a button on their computer screen.

Profiled: From Radio to Porn, British Spies Track Web Users' Online Identities
[Ryan Gallagher/The Intercept]