UK spies on MILLIONS of Yahoo! webcams, ogles sex vids - report

Perfectly legal for us to watch your unencrypted steamy cam sessions, sniffs GCHQ

British spies allegedly intercepted and stored nude pics and other stills from millions of Yahoo! Messenger webcams – and mulled capturing snaps from the Xbox's Kinect camera, too.

The UK intelligence agency GCHQ started slurping photos from innocent netizens' camera feeds in 2008, The Guardian reported today. In one six-month period alone, pics from 1.8 million Yahoo! users were pulled into government servers.

Blighty's hush-hush nerve-center was also said to have explored the possibility of intercepting footage from the Kinect camera for Microsoft's Xbox 360 games console as it generated "fairly normal webcam traffic."

We're told the British g-men made an unfortunate discovery while allegedly harvesting the snaps: between three and 11 per cent of the obtained Yahoo! webcam pics contained "undesirable nudity."

Although Yahoo!'s instant messaging service uses SSL to encrypt passwords when logging in, it does not prevent network eavesdroppers from intercepting, decoding and storing text messages and live webcam feeds between contacts. It's alleged GCHQ grabbed stills from active cam chat sessions every five minutes – regardless of whether the users were suspected of any wrongdoing.

"Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person," GCHQ wrote in a document leaked by ex-NSA whistleblower Edward Snowden to the newspaper.

"Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography."

The spy agency did try to protect the delicate sensibilities of its staff, with a handbook note stating: "There is no perfect ability to censor material which may be offensive. Users who may feel uncomfortable about such material are advised not to open them."

Yahoo! was incensed by The Guardian's report.

"We were not aware of nor would we condone this reported activity. This report, if true, represents a whole new level of violation of our users' privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December," Yahoo! told The Register.

"We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

'Truly shocking revelation'

The American Civil Liberties Union (ACLU) was rather annoyed as well, with staff attorney Alex Abdo saying in a statement: "This is a truly shocking revelation that underscores the importance of the debate on privacy now taking place and the reforms being considered. In a world in which there is no technological barrier to pervasive surveillance, the scope of the government’s surveillance activities must be decided by the public, not secretive spy agencies interpreting secret legal authorities."

Writing on his personal Twitter feed, Christopher Soghoian, a principal technologist at the ACLU, said: "Save at least some of your outrage for Yahoo, which didn't care about users enough to encrypt their webcam traffic. Totally unacceptable.

"It doesn't take a genius to know that webcam chats are used for sensitive (read: sexual) content. Yahoo should have encrypted from day one."

GCHQ's webcam-raiding program, dubbed OPTIC NERVE, was still active in 2012, according to an intranet page that was accessed that year.

The surveillance agency wrote that "face detection has the potential to aid selection of useful images for 'mugshots' or even for face recognition by assessing the angle of the face," adding: "The best images are ones where the person is facing the camera with their face upright."

'We do not comment on intelligence matters'

GCHQ staff were told they could view "webcam images associated with similar Yahoo identifiers to your known target," The Guardian wrote. In other words, if a GCHQ target was named BadTerrorist1, then it might be acceptable for analysts to view an account named, say, BudTerrorist1.

Brit spooks tested automatic face-recognition technologies on the intercepted images as a way to search for actual suspects, but this system was briefly retired, though it is likely to return.

Some of the OPTIC NERVE data was fed into NSA's all-seeing XKeyscore search tool, and NSA research was used to build the technology that sniffed out the Yahoo! cam network packets. Though the NSA denies encouraging foreign intelligence partners to harvest data for it, GCHQ is known to operate under looser constraints and therefore is able to gather much more data.

In a statement, a GCHQ spokesman said: "It is a longstanding policy that we do not comment on intelligence matters.

"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position."

Today's revelations come in the wake of allegations earlier this week that GCHQ drew up plans to discredit targets online by embarrassing them with compromising photos and slander. Those slides were also leaked by Snowden. ®
