HOW MUCH privacy are we entitled to expect on the internet, where Peeping Toms hijack webcams and baby monitors and thieves stake out our homes, asks Dani Garavelli
Technology offers us a window on to the world. We know that. Whether it’s Google or Skype or mobile apps or smart TVs, we are now better able to access information and communicate with people than ever before. At the click of a mouse or the drag of a finger across a screen, we can view vast virtual landscapes.
But all this widening of horizons comes at a cost. We are not looking through a one-way glass. If we can see out, then others – advertisers, spies, Peeping Toms and other opportunists – can see in; with every new advance, the concept of privacy is being eroded without our consent being actively sought or given.
Every now and then, we get a bit of a wake-up call. The latest is the news – revealed last week by the Information Commissioner – that a Russian website is streaming images from standalone webcams and baby monitors in hundreds of British homes and workplaces, including several in Scotland. The website also shows listings for 4,591 cameras in the US, 2,059 in France and 1,576 in the Netherlands. There are a smaller number of feeds from developing economies including Kenya, Pakistan, Paraguay and Zimbabwe.
Those in Scotland include an office in Cockenzie, the exterior of a home in a new-build housing estate in Dumfries and a whirligig in a backyard in Glasgow. But others south of the Border peer directly into people’s living rooms, kitchens and bedrooms. Most disconcertingly, a handful are trained immediately above babies’ cots and children’s beds, the mobiles and bright cartoon duvets a reminder of just how serious a threat this breach of security poses.
Though most of the live feeds appear to have stopped working since the announcement, it is possible to see still images, including an elderly woman sitting in her home in Wakefield and a young boy watching TV in Woking.
The irony is that the people who set up these webcams did so in the belief they were protecting their properties and their families. An added attraction of the technology is that the feed can be viewed remotely, meaning they can watch over them even when they aren’t close by. But, by dint of a simple security lapse – not changing their password from the factory setting – they have inadvertently allowed others to view their comings and goings and made themselves more, rather than less, vulnerable to criminal activity. It is as if they had invested in a series of heavy duty locks, only to leave the keys sitting outside on the window ledge.
The Russian website was not set up by sophisticated hackers. All those involved had to do was to use a search engine to find the default passwords used by various manufacturers – Foscam, Linksys and Panasonic – on particular models of webcam, passwords which are freely available on the internet, and then use them to access the devices.
The website claims – somewhat disingenuously perhaps, given that it includes a how-to guide for finding and accessing other cameras – that it was motivated by a desire to expose the security risk. Webcams have previously been infiltrated for nefarious purposes. Last year, for example, a family in Texas told how they had heard a man shouting lewd comments at their two-year-old through their baby monitor.
According to the Information Commissioner, Christopher Graham, if the website were in the UK, it would be in breach of both the Data Protection Act and the Computer Misuse Act and efforts would be made to take it down. But as it is hosted outside the EU, all that can be done is to warn people to change their passwords and urge manufacturers to tighten up procedures. “Manufacturers are getting better at this,” says Professor Alan Woodward of the Surrey Centre for Cyber Security. “On most new models, customers will be prompted to change the password when setting up. But that wasn’t always the case with older models, so lots of people didn’t do it.”
Internal webcams on laptops and computers can also be infiltrated, but Woodward points out there is a simple – and very low-tech – precaution users can take: cover the lens with tape or Blu-Tack when not in use. The Electronic Frontier Foundation has produced stickers which won’t mark the lens and some newer laptops have doors that slide back and forth as required.
This is important because – though the Russian website did not do so – it is possible to hack into webcams using malware, sometimes without even activating the on-light. This can be achieved by the use of remote access trojans (RATs), malicious software sent via a harmless looking attachment to a message which is activated when the user clicks it. A BBC Radio 5 Live investigation uncovered sites where hackers exchanged pictures and videos of people captured on their own webcams without their knowledge and said there was a thriving black market in access to compromised devices.
In 2011, former gang member Luis Mijangos from southern California was jailed for six years for “sextortion”. He had infiltrated women’s computers, found sexual images of the users and threatened to put them online unless they provided him with more. By using RATs, he gained access to 100 computers; he could read emails and watch his victims without their knowledge through their webcams and so deliver on his threats. Earlier this year, 97 people were arrested in a global crackdown on Blackshades – also known as creepware – which was selling a RAT for $40.
However, infiltrating webcams is not the sole preserve of a few twisted individuals. In 2010, a Philadelphia school district found itself at the centre of a legal case after it secretly spied on students through laptops it had handed to them. Lower Merion School District claimed it activated the spyware installed on the machines to try to locate 80 of the 2,300 which had gone missing, but it later emerged that it had gathered 56,000 images of young people, often in their own homes.
The scandal came to light when one of the students, Blake Robbins, was shown a still image of himself in his bedroom and accused of taking drugs (he claimed he was eating sweets). His laptop had not gone missing and a lawyer later suggested the female administrator who had gathered the images might have had voyeuristic tendencies. In one email, when an IT person commented on how the viewing of the webcam pictures and screen shots from a student’s computer was like a “little LMSD [Lower Merion School District] soap opera”, she allegedly replied: “I know, I love it.”
According to Edward Snowden, intelligence agencies are at it too. The National Security Agency (NSA) whistle-blower has claimed the agency uses a plug-in called GUMFISH to take over cameras on infected machines and snap photos. Another NSA plug-in called CAPTIVATEDAUDIENCE hijacks the microphone on targeted computers to record conversations.
In the UK, it is claimed, GCHQ accessed and recorded images from millions of Yahoo users through their webcams and conversations, apparently without Yahoo’s knowledge. The program, Optic Nerve, did not focus on suspects, but collected snapshots, some of them “intimate”, in bulk and stored them on databases where there was the potential for them to be viewed illicitly by staff.
While a webcam lens can be covered with a sticker, it is more difficult to disable internal microphones which can be unmuted remotely. But you can put a dummy plug into the microphone jack when the device is not in use.
Of course, webcams are far from the only way in which our privacy is threatened by technology; indeed almost everything we use, from Android phones to smart energy meters, can be exploited by those who would benefit from a window into our lives.
As Maxim Weinstein, security adviser to computer security company Sophos, puts it: “Every internet-connected device – be it a smartphone, tablet, laptop, webcam or thermostat – is essentially a monitoring device. They know where you are, what you’re doing and in many cases they can see and hear you. There’s always the risk that a criminal will hijack your ‘connected devices’.” One of the greatest risks to mobile phone users is the downloading of apps, particularly free ones, which may make their money by collating and selling on users’ personal details.
At worst, they too could be infected with malware which would allow others to spy. One NSA report suggested US and British intelligence agencies routinely try to gain access to data such as locations, websites visited and contacts through Angry Birds, Candy Crush and other mobile applications.
“Every time you sign up for something free you have to ask yourself why it’s free,” Woodward says. “It’s worth remembering that if you are not a paying customer, then you are the product. The makers are making their money somewhere – it may be that it’s a trial and they’re hoping you will sign up for the full package or it’s collecting data about you and selling it on or, in the worst case scenario, it contains malware.”
As we move towards the so-called Internet of Things – a new world in which online technology is interconnected and inextricably embedded in the physical world – and smart energy meters, smart thermostats and smart washing machines all become commonplace, there are likely to be ever more incursions into our personal lives. If, as experts suggest, there will be 25 billion “connected devices” by the end of 2015, then it seems safe to assume the amount of information generated will rise and become increasingly difficult to control.
There have already been problems with smart TVs, including claims that LG was collating information about customers’ viewing habits and sending it back to South Korea.
“The companies may say they are only doing so to improve the viewing experience [the firm wanted to be able to make viewing recommendations], but attitudes to privacy may be different in Europe than they are in the US or Korea. People may have different ideas as to what is and isn’t acceptable.”
In any case, some information provided by smart technology could do more than merely put the customer at the mercy of unsolicited leaflets or phone calls. For example, if it were possible to tell when particular systems or devices, such as the central heating or the TV, were turned on or off, it would be possible to work out when people were most likely to be out, making them more vulnerable to burglaries.
Perhaps, with most of us now aware that every time we access the internet we leave a digital footprint, it’s time to accept that – criminal activity aside – new technology involves a trade-off: increased control over our environment and increased security in exchange for a surrendering of our privacy; free or cheap apps in exchange for our data being sold off to the highest bidder.
“That’s an interesting point. You could see it as a social contract,” says Woodward. “And that’s certainly how it works in practice.
“But there needs to be an open debate about it. People need to be made aware of what they are giving up so they are able to make a conscious choice. At the moment they are making an unconscious choice, and personally I think that’s wrong.”