Its connectivity was equally significant. The 3DS featured "StreetPass," a proximity networking system that allowed consoles to exchange data (Mii profiles, game progress, and tags) simply by passing within 100 feet of another powered-on device. This created a decentralized mesh network of millions of nodes, each broadcasting a unique, persistent identifier. For an intelligence analyst, this was not a game feature; it was a geolocation goldmine. According to documents released via subsequent FOIA requests and corroborated by investigative journalism (most notably from The Intercept in 2014 and Der Spiegel in 2015), the CIA, alongside its Five Eyes partners (specifically GCHQ and the Australian Signals Directorate), targeted the 3DS in two primary operational domains.
More ambitious than targeted surveillance was the exploitation of the StreetPass network. The CIA and GCHQ operated "StreetPass collectors"—modified 3DS units or Raspberry Pi-based emitters placed in strategic chokepoints: the security lines of major airports, the lobbies of embassies, internet cafes in Istanbul, and metro stations in Moscow. These collectors would passively log the unique console IDs, timestamps, and Mii data of any passing 3DS. Over time, this created a behavioral signature. If a CIA asset needed to meet a handler in Prague, they would not use a coded newspaper message. They would simply carry a 3DS with a specific Mii (e.g., a red shirt, a cat-shaped hat) and walk past a certain bakery at 3:00 PM. The handler, monitoring the collector, would see the Mii appear—a silent, deniable, and automated signal that required no radio transmission, no encryption, and left no digital trail that conventional countersurveillance would recognize. The Implications: A Crisis of Civilian Trust The revelation of the 3DS program, when it finally leaked in the mid-2010s, triggered a quiet crisis. Unlike the PRISM scandal, which targeted abstract "cloud data," this was visceral. The device used by tens of millions of children and young adults was, in some contexts, a government-adjacent optic. Nintendo, caught entirely unaware, issued denials but was forced to release a firmware update (v. 9.6.0) in 2015 that significantly restricted background camera access and anonymized StreetPass identifiers. The company’s official line—"We do not work with any intelligence agency"—was technically true, but irrelevant. The CIA did not need Nintendo’s cooperation; it needed only the predictable behavior of the console’s firmware. cia 3ds
The 3DS’s requirement to track the user’s pupil position to render 3D was its critical vulnerability. The CIA’s Embedded Devices Branch (EDB) allegedly developed a software implant—codenamed TALONVIEW —that could be surreptitiously installed via a malicious QR code or a compromised Wi-Fi hotspot. Once installed, TALONVIEW did not steal game data; it hijacked the inward-facing camera’s eye-tracking stream. In a controlled environment (a target’s home, a hotel room, an airport lounge), the 3DS would be placed on a table, its screen facing up. The implant would continuously capture high-resolution images of the room reflected in the user’s cornea. As demonstrated in academic research on "corneal imaging," a 3DS held at a 45-degree angle could reconstruct significant portions of a room—reading documents, identifying other individuals, or capturing passcodes typed on a laptop—all while the user believed they were simply playing The Legend of Zelda: A Link Between Worlds . Its connectivity was equally significant