15 years ago, the NSA spied on World of Warcraft — but did a leak change anything?

It sounds like the plot of a Bush-era young-adult spy thriller: as millions of players raided their way through Azeroth from 2006 to at least 2013, Western intelligence agencies like the NSA and the British Government Communications Headquarters were working out ways to surveil and build informant networks to keep tabs on suspected Islamic extremists in World of Warcraft.

WoW wasn’t the NSA’s only target: Together with GCHQ, the NSA also turned its eye toward social MMO Second Life, Microsoft’s original Xbox Live chat service, and other popular “Games and Virtual Environments.”

We know this today because of former NSA contractor turned whistleblower Edward Snowden, who worked with newspapers The Guardian and The New York Times, as well as investigative nonprofit ProPublica, to release a trove of classified documents from the agency in 2013.

According to the leaked documents, MMOs were fertile grounds for exploitation along both signals intelligence and human intelligence lines. In one such document, GCHQ claimed that it had found clear evidence of suspected terrorists logging into WoW and Second Life, correlating usernames and IP addresses to targets, and according to the joint news report, the British spy agency had even used an informant in Second Life to bust an online crime ring.

At the time, the story was a bombshell, prompting companies like Linden Lab, the maker of Second Life, and Blizzard, the developer of World of Warcraft, to deny that any government surveillance was happening with their knowledge.

Looking back on this story almost a decade later, three questions remained unclear: How did the NSA do it? Why did it care? And what did it accomplish?

Eyes in the sky

The story of NSA analysts snooping on Alliance guild meetings begins not with World of Warcraft or even video games at large, but instead — as many stories of international espionage do — with the Cold War.

After World War II, the United States entered into an agreement with the U.K. and commonwealth countries Canada, Aotearoa, and Australia, to automatically share all SIGINT data the constituent nations collected with each other. The UKUSA Agreement, colloquially known as the “Five Eyes,” established a network of listening posts at various points around the world, all pointed in the Soviet Union’s direction.

As nations began deploying satellites and computer networks emerged, these listening posts became digital information collection centers. One of the many programs created during this period of technological shift was called “Echelon,” and its explicit goal was to monitor satellite communications networks.

Thanks to the documents Snowden leaked, we have at least one idea of how Echelon was used. By 2006, at the height of the war on terrorism, Echelon was collecting large quantities of data from around the world every day. Some of the data being scooped up came from WoW, namely “country and time zone data, local IP addresses and realm server addresses,” according to the leaked documents linked above. GCHQ and the NSA trained an open-source packet sniffer called SNORT to separate that data from the rest of the information pile they pulled in. This method reportedly allowed the agencies to identify “accounts, characters, and guilds related to Islamic Extremist Groups, Nuclear Proliferation and Arms Dealing,” according to a particular leaked NSA document titled “Topic: Exploiting Terrorist Use of Games & Virtual Environments.”

In this document, released in 2007, the NSA recommended broader interagency cooperation. By the next year, the office of director of national intelligence Mike McConnell would be sending Congress a brief 15-page report of its own detailing data mining projects to be carried out by ODNI’s research division, IARPA. One of these projects, Project Reynard, aimed “to identify the emerging social, behavioral and cultural norms in virtual worlds and gaming environments” and “apply the lessons learned to determine the feasibility of automatically detecting suspicious behavior and actions in the virtual world.”

This research project lasted from 2009 to 2012 and included work from Stanford University, Lockheed Martin, and the Palo Alto Research Center. According to the ProPublica report on the Snowden leak, researchers involved with the Reynard Project were asked not to speculate on how their research would be used.

Shadows in the dark

Spying on online games intuitively seems kind of silly. For most players, the virtual worlds they visit in their downtime or as a hobby are escapes from the pressures of reality, not doorways through which that reality can seep in. The idea that terrorists would be using those spaces to recruit, propagandize, and plan real-world attacks doesn’t inherently make a lot of sense, even in a “purely” social sim like Second Life. As King’s College cybersecurity researcher Timothy Stevens notes in his 2015 paper “Security and surveillance in virtual worlds: Who is watching the warlocks and why,” contemporary news reporting on so-called terrorism in online games along these lines was met with “hostility and derision from the online commentariat.”

“This scepticism was well founded: establishing direct connections between acts of ‘virtual’ vandalism and actual terrorism was as absurd as it was unsubstantiated,” he wrote. “Why would a jihadist group form a recognisable entity in a quasi-public space to wage an insurgency against the ‘government’ of Second Life, let alone to pursue more nefarious ends? What was the basis for ‘expert’ claims that terrorists were using virtual worlds for training and recruitment?”

In the mid-2000s the United States and its allies — including the U.K. and some of its commonwealth states — were chest-deep into waging the war on terrorism and everything that entailed. For the U.K.’s part, in 2005 suicide bombers carried out a coordinated attack on London’s transit system, killing over 50 people and injuring hundreds more on the London Underground and bus system. Even if all there had been was a vague rumor that suspected terrorists were using these games and virtual spaces to organize, GCHQ, to say nothing of the NSA, was likely to check it out.

According to Stevens, the absurdity is the point. Spy agencies know that suspected extremists operating online are both tech-savvy and aware of good operational security practices. But games, places where nothing is inherently supposed to be taken seriously except maybe in the context of the in-world lore and story, are also places where one might inherently let their guard down. According to one of the Snowden documents linked above, NSA analysts wrote, “These applications and their servers however, are trusted by their users and makes an connection [sic] to another computer on the Internet, which can then be exploited.”

In short: While many see MMOs as sites separate from their daily lives, where they play and fight and occasionally get rewarded for their efforts with treasure, the intelligence community saw (and potentially still sees) MMOs themselves as the treasure, to be continuously plundered for fresh data on potential targets. The IC doesn’t see the “magic circle” of Azeroth or Eorzea or Linden World as a barrier, but rather, as a veil from the public’s critical gaze.

While the most damning revelations from the Snowden leaks — like the fact that Microsoft had been a participant in the PRISM program and GCHQ had considered spying on people through their Kinects — caused a long-term uproar, the forays into direct online game surveillance were taken less seriously, like in this clip of then-Daily Show host Jon Stewart making fun of the government for spying in WoW. Even as follow-up reports came out, like one detailing possible NSA/GCHQ surveillance in Angry Birds, it seemed like public outcry over this died as quickly as it erupted.

Whispers in the crowd

A World of Warcraft: Legion screenshot shows characters firing attacks at one another
World of Warcraft: Legion
Image: Blizzard Entertainment

While civil libertarians might balk at such flagrant exploitation of a public space and personal data, according to Stevens many members of the intelligence community fall into a “realist” position — where the “Internet’s basic characteristics” are “dangerously inimical to state interests” and “the global village becomes a virtual battlespace” — and thus are more likely to look past those issues, provided said exploitation produces results.

Did the programs get results, or was it a “virtual waste of time,” as one NBC headline called it in 2013?

We asked the NSA and GCHQ for comment, as well as various companies who publish MMOs and virtual world games. Six companies got back to us with a variation of Blizzard’s own statement to ProPublica and company from 2013: “We are unaware of any surveillance taking place. […] If it was, it would have been done without our knowledge or permission.” One company, Square Enix, did not respond to our request for comment.

While no new documentation has come to light concerning attempts by spy agencies to snoop on games, researchers like Stevens believe surveillance has continued.

“We can be certain that all virtual environments, of which MMOs are a small subset, will be subject to increased surveillance and monitoring in the name of security, particularly for the purposes of counterterrorism and domestic counter-subversion,” he wrote. “However MMOs evolve they are unlikely to be ignored by an intelligence community armed with research funds and powerful ‘big data’ analytics.”

What is also certain is that there is now a much larger “attack surface” for intelligence agencies to go after: more network-connected devices, more online games, bigger, more diverse audiences. If MMOs were enticing to spy agencies in the mid-2000s, they certainly haven’t become less so in 2023. And as Ben Egliston wrote at Wired in 2022, it’s never been easier for companies to collect mountains of player data independent of any government, down to special tools in the game engines themselves.

Watchers in the night

So what did happen in the decade between the Snowden leaks and today? In short: The world changed. While most conventional war still takes place along battle lines drawn by former Presidents Bush, Obama, and Trump, online the overriding threat has shifted away from a focus on foreign terrorism and toward domestic extremism. Researchers like Alex Newhouse, deputy director of the Center on Terrorism, Extremism, and Counterterrorism at Middlebury, have been studying right-wing accelerationist networks as they extend to platforms like Roblox.

“The overall environment that we’re observing in the threat landscape is that there are a number of users who are using the social features of Roblox to basically create and propagandize elements that are associated with accelerationist violence,” he tells Polygon. He cites an example of a Roblox group taking on the name of a 1970s-era white power paramilitary organization, as well as groups affiliated with Patriot Front and Atomwaffen Division.

“One of the surprising aspects was just how robust all of these networks are; they’re pretty big,” Newhouse says. “They have a lot of propaganda built for the Roblox platform. They’re really creatively using the different features of Roblox to do certain things. And the content moderation evasion tactics are really, really well developed.” In response, Roblox says it uses a mix of staff and “state-of-the-art automated machine learning technology” to track and remove extremist content, and that “it is very unlikely [players who don’t seek it out] would be exposed to such content on our platform.”

Roblox is a member of several tech industry organizations, like Tech Against Terrorism, the Christchurch Call, and the Global Internet Forum to Counter Terrorism, according to the company’s vice president of public affairs, Remy Malan. “We maintain a number of dialogues with people who study and track trends, and this helps us be informed on what’s happening in the real world,” Malan tells Polygon. “Because our view is if things are happening in the real world, then we need to be vigilant about people trying to bring those things onto Roblox itself.”

Additionally, Malan says the company invests resources into app moderation, chat filtering, and its reporting system, as well as regular training for the trust and safety team on new trends to be on the lookout for.

A spokesman for VRChat mentioned a similar system in place for its virtual world in an emailed statement, where a trust and safety team “uses a number of detection methods and investigative tools (both proactive and reactive) to locate and — when appropriate — remove extremist content from the service.”

And in a similar vein, a spokesman for Linden Lab, creator of Second Life, wrote: “Privacy and security are cornerstone values of Second Life. Over the past decade, we’ve enhanced our account security posture in numerous ways to prioritize the safety of our residents. Those enhancements include establishing increased identity verifications methods (including ‘Know Your Client’ procedures to better verify individuals during financial transactions), implementing enhanced identity verification methods, making improvements to our in-house tools to faster expose account threats, monitoring new behavior markers, using artificial intelligence to determine potential threats in real-time and implementing MFA (multi-factor authentication) across all accounts.”

And if the government comes knocking? Roblox VP Malan says, “If we get a subpoena request or other legal notice, then we’ll look at ‘can we comply with that,’ but we don’t do anything different than any other private entity would do.”

Ghosts in the machine

A screenshot shows a bustling city, built in Roblox, built up in the sky.
Roblox
Image: Roblox Corporation

There’s something jarring, knowing that for at least a few years (and probably still to this day), the United States and the U.K. turned the eye of their surveillance apparatus onto the activity of random gamers; that money was spent and grants were doled out for research on the ways gamers interacted with each other and how they conceived of themselves in virtual space, which was then likely used to improve intelligence analysis on those games for that apparatus.

Playing online games often comes with a set of unconscious assumptions on the player’s part. One such assumption is that there is an inviolable “magic circle” where the “real” world can’t be permitted to penetrate, lest the illusion of the game be broken. We hear this the most when someone demands that critics and developers “keep politics out of my games!” Building on that assumption is one where there is an “imagined community” of gamers that transcends national allegiances and circumvents sociocultural problems like racism and colonialism — that is to say, while inside the magic circle, all players are unified by whatever goal the game has set for them.

And maybe most fundamentally, there’s the pervasive techno-libertarian notion that anything online — including and maybe especially games — is by necessity a site of unmitigated individual freedom, especially from government interference. Anything that rubs against those assumptions creates a kind of cognitive dissonance, where such violation of the game space is simply too ridiculous to be possible.

At the same time, it seems as though surveillance and data collection, by corporations as well as governments, has become thoroughly normalized. We have become used to the idea that someone, somewhere has been snooping around in our digital wake, to the point where a common joke on social media involves the teller’s personal FBI or NSA agent in the punchline. Our ironic reaction to this “panopticism,” as Michel Foucault put it, doesn’t make us immune to its effects.

“What [the NSA] will argue is that they don’t use this for nefarious purposes against American citizens; in some ways that’s true,” Edward Snowden said in an interview with Last Week Tonight’s John Oliver one year after the NSA leaks. “But the real problem is that they’re using these capabilities to make us vulnerable to them, and then saying, ‘While I have a gun pointed at your head, I’m not going to pull the trigger. Trust me.’”

We would do well not to forget the gun, much less the fingers on the trigger.

Update: We have added details of Roblox’s moderation policies to this story.