The spies who came into the virtual

News has been breaking that the United States National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ), the British equivalent of the NSA, “infiltrated” various on-line gaming platforms and virtual worlds as part of the anti-terrorist activities.

Information on the operations, obtained via Edward Snowden, the former CIA employee / NSA contractor, who released some 200,000 documents to the press, is at the centre of a series of reports the Guardian newspaper in the UK in partnership with The New York Times and ProPublica, and which have been widely picked-up by the on-line media on both sides of the Atlantic. The reports show that both the NSA and GCHQ were so concerned about the various methods nefarious individuals might use to communicate with one another, that they started targeting various on-line platforms – often on the thinnest of reasoning.

The actual activities were varied in scope, ranging from specific data gathering through the use of “mass-collection capabilities”, through to operatives posing as players on various platforms seeking information and also charged with recruiting potential informants from the more technically aware members of the various communities – with Second Life being one of the targeted platforms.

In some respects, the interest in virtual world and games platforms is unsurprising; I’d frankly be more concerned if the security agencies hadn’t considered the potential for such platforms to be used by militant or terrorist groups (which, I would also add, should not be taken to mean I necessarily condone their actions). However, what I do find to be eyebrow-raising, and doubtless what other people will as well, is the degree to which GVEs – games and virtual environments – were subjected to surveillance and what went on.

For example, ProPublica reports that in 2009, a 3-day “test” of capabilities to gather data from within Second Life, Britain’s GCHQ gathered real-time data on chats, IMs and L$ transactions which amounted to some 176,677 lines of data. How widespread this data-gathering was, who was affected by it and what happened to the data, is unclear.

GCHQ’s interest in Second Life appears to have started out as a legitimate activity. Towards the end of 2008, they were involved in tracking down a credit card fraud ring in what was known as “Operation Galician”. When the fraud ring attempted to move some of their activities to Second Life, GCHQ and the police followed. Even so, the success (or otherwise) of that operation doesn’t seem to stand up as justification for the wholesale gathering of data as occurred in 2009.

The British security agency was no slouch when it came to other virtual and gaming environments, either, as the Guardian’s report reveals:

At the request of GCHQ, the NSA had begun a deliberate effort to extract World of Warcraft metadata from their troves of intelligence, and trying to link “accounts, characters and guilds” to Islamic extremism and arms dealing efforts. A later memo noted that among the game’s active subscribers were “telecom engineers, embassy drivers, scientists, the military and other intelligence agencies.”

GCHQ was also the motivating force behind data gathering activities directed at the Xbox Live console network, and developed “exploitation modules” for various platforms. Much of this activity appears to have been carried out at Menwith Hill, a Royal Air Force base which provides communications and intelligence support services to the United Kingdom and the United States of America, and where GCHQ and NSA operatives worked side-by-side to infiltrate World of Warcraft.

Activities appear to have started in 2007, reaching their peak in around 2009, although it is far from clear how much is still going on today. Ironically, initially interest may have been sparked as a direct result of Second Life. Because it was in 2007 that LL’s former CTO, Cory Ondrejka, himself a former Navy officer who had worked at the NSA prior to entering the private sector, met with NSA officials at the agency’s headquarters in Fort Meade Maryland, to explain how Second Life presented USD agencies with “the opportunity to understand the motivation, context and consequent behaviours of non-Americans through observation, without leaving US soil”.

Nor was he alone in courting the intelligence services. At the same time, US government contractor Science Applications International Corporation (SAIC), active within Second Life, was promoting its ability to support “intelligence collection in the game space” while at the same time warning of the risk of militant groups using on-line game environments as a means of recruitment, providing them “with a powerful platform to reach core target audiences.”

Just how big a potential security threat GVEs presented is debatable; while the likes of Second Life offers a degree of anonymity to its users and also provides a micro transaction system complete with the ability to both transfer and cash-out funds, it’s fair to say that such platforms are still policed by the companies operating them. Records are kept and transaction trails can be traced; ergo, their appeal would appear to be somewhat minimal for those wishing to cover their tracks and minimise the risk of exposure.

That said, there has been evidence to suggest that games have been identified as a potential medium for recruitment by extremist organisations – the documents passed-on by Mr. Snowden note that Hezbollah had produced a game called Special Forces 2, specifically intended to be a “radicalising medium” with the ultimate goal of the player to become a “suicide martyr”. It’s also fair to say that SL has from time-to-time been used to promote extremist views. But just how widespread and serious these latter endeavours may have been is really hard to determine.

Overall, the scale of the operations mounted by intelligence and law enforcement agencies within GVEs appears to have been well out of keeping with any perceived risk such platforms were thought to contain. So much so, that with the likes of the FBI, CIA and US Defense Humint (Human Intelligence) Service all involved in Second Life undercover operations in what might be termed something of an intelligence agency pile-on test (or perhaps “pile-up” test might be a better description), it was suggested that a “deconflicting group” was required in order to prevent the various agencies tripping over one another’s activities.

As I mentioned earlier, I’m not that surprised that security agencies have taken an interest in GVEs; what I do find surprising is the extent to which that interest went, and just how complicit the various companies running the platforms mentioned in the article were in matters. Were the chat, IM and L$ transactions data gathered by GCHQ with or without LL’s knowledge, for example. And either way, what does it mean for our perceptions of on-line privacy and security as users of Second Life – or any other platform, for that matter? If, indeed, we really have any.

Related Links

• Spy agencies in covert push to infiltrate virtual world of online gaming – The Guardian.com
• World of Spycraft: NSA and CIA Spied in Online Games – ProPublica
• NSA documents on games and virtual worlds – ProPublica
• Spies’ Dragnet Reaches a Playing Field of Elves and Trolls – New York Times
• NSA and GCHQ spies ‘operated in games including World of Warcraft and Second Life’ – The Telegraph.co.uk
• Google and Facebook unite to call for restrictions on NSA spying – The Telegraph.co.uk
• Reform Government Surveillance