News that government intelligence agency GCHQ has been intercepting and storing webcam images from 1.8 million users of Yahoo’s chat service under the codename Optic Nerve is a reminder of how close we are to living in a surveillance state. Webcams, embedded in laptops and sitting on top of monitors, have become a standard piece of computing equipment, but it has now become clear that these can be used against us.
Hackers have been stealing webcam images of unsuspecting users for some time. The Metasploit tool comes with packages that make it easy for even a novice hacker to gain access to the webcam of any computer that doesn’t have all of the available patches and updates installed.
Equally worrying are reports that hackers could use the webcam on your laptop without even triggering the embedded warning light that indicates to the owner that the camera is in use.
Once they’ve gained access to your webcam, a hacker can then go on to trade or sell access to it on hidden websites and password protected chat rooms.
How GCHQ did it
But now it seems we have another unwelcome guest watching us as we type and chat. And what makes the actions of GCHQ unique is the scale on which it is capturing these images.
The Edward Snowden leaks revealed that GCHQ is tapping many of the large internet backbone cables that carry hundreds of gigabits of information from computers all over the world every second, including unencrypted Yahoo chat sessions.
GCHQ’s main technical achievement was to find a way of scanning this massive amount of data and extracting the webcam images. While easy to do for a single image, the scale on which GCHQ did this must have taken a great deal of both technical expertise and computing power.
The second issue GCHQ had was how to store so much data. Here compromises were made. Only one still image from every five minutes of video was stored. GCHQ’s aim was to view images from known targets (or users with screen names that were similar to known targets). It also experimented with face recognition technology to try to detect images of known suspects. But the leaks published by the Guardian make it clear that many of the images stored were from highly private, and in some cases sexually explicit, chats between individuals who were not intelligence targets.
Alternatives for Yahoo deserters
The best way to protect the privacy of your webcam chats is to make sure that they are encrypted. Yahoo’s web chat server was based on its Yahoo Messenger system, which dates back to the nineties. This legacy system has never supported encryption and it was this weakness that made it possible for GCHQ to harvest personal images on such a large scale.
Google’s offering, Google Talk, was developed much more recently and is possibly a better option in these post-Snowden times. The service encrypts data between the user and its servers, and then re-encrypts it when it is sent to another user. This would make the mass harvesting of images harder, but still allows Google access to the images. So in some ways you are more protected, but it means putting faith in Google to keep your data away from prying eyes.
Apple’s FaceTime encrypts the images end-to-end, all the way from one user to the other, giving the best level of protection. That said, incidents such as the recently discovered “goto fail” bug in Apple’s encryption remind us that any protection system can fail.
The best option of all would be for some discussion about how we strike the balance between personal privacy and national or international security. According to the latest leaked documents, GCHQ staff have been viewing intimate images of webcam users who were not intelligence targets.
This would be illegal if a hacker had done it but it is likely that GCHQ’s actions are legal under the UK Regulation of Investigatory Powers Act. Even so, it seems doubtful that the mass collection of intimate images of innocent people was something that the authors of this law intended. We need to think about whether we can update this and other laws to better suit the digital age. That means better suited to everyone, rather than just GCHQ.
The University of Birmingham, where the author works, is a “GCHQ Academic Centre of Excellence.”