The British government has been running a web surveillance program far more intrusive than anything attempted by the NSA, according to Snowden documents published this morning at The Intercept. Dubbed "Karma Police," the GCHQ program pulls web data from intercontinental data cables landing at Cornwall, giving it ongoing access to as much as a quarter of global web traffic since 2009.
The data collected is officially classified as metadata, but it contains full records of sites visited, usernames, and even passwords. Unlike equivalent NSA programs, which require FISA court approval of specific queries to the database, there appears to be no meaningful judicial oversight of Karma Police, giving the GCHQ a free hand in picking through the data.
In one example, the agency targeted any internet radio station broadcasting spoken recitations from the Quran, then used the Karma Police database to track down more information on the station's listeners. By exploiting tracking cookie networks, the program was able to find other accounts held by the listeners on Skype, Yahoo, and Facebook, enabling even broader tracking.
According to the documents, that capability played a major role in the GCHQ's attack on the SIM card manufacturer Gemalto, which was revealed earlier this year. The Karma Police program allowed the GCHQ to locate Gemalto employees on the web and compromise their passwords, giving the agency the foothold it needed to implant malware and eventually steal Gemalto's encryption keys in bulk.