Feeds

UK spies on MILLIONS of Yahoo! webcams, ogles sex vids - report

Perfectly legal for us to watch your unencrypted steamy cam sessions, sniffs GCHQ

The Essential Guide to IT Transformation

British spies allegedly intercepted and stored nude pics and other stills from millions of Yahoo! Messenger webcams – and mulled capturing snaps from the XBox's Kinect camera, too.

The UK intelligence agency GCHQ started slurping photos from innocent netizens' camera feeds in 2008, The Guardian reported today. In just one six-month period alone, pics from 1.8 million Yahoo! users were pulled into government servers.

Blighty's hush-hush nerve-center was also said to have explored the possibility of intercepting footage from the Kinect camera for Microsoft's Xbox 360 games console as it generated "fairly normal webcam traffic."

We're told the British g-men made an unfortunate discovery while allegedly harvesting the snaps: between three and 11 per cent of the obtained Yahoo! webcam pics contained "undesirable nudity."

Although Yahoo!'s instant messaging service uses SSL to encrypt passwords when logging in, it does not prevent network eavesdroppers from intercepting, decoding and storing text messages and live webcam feeds between contacts. It's alleged GCHQ grabbed stills from active cam chat sessions every five minutes – regardless of whether the users were suspected of any wrongdoing.

"Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person," GCHQ wrote in a document leaked by ex-NSA whistleblower Edward Snowden to the newspaper.

"Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography."

The spy agency did try to protect the delicate sensibilities of its staff, with a handbook note stating: "There is no perfect ability to censor material which may be offensive. Users who may feel uncomfortable about such material are advised not to open them."

Yahoo! was incensed by The Guardian's report.

"We were not aware of nor would we condone this reported activity. This report, if true, represents a whole new level of violation of our users' privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December," Yahoo! told The Register.

"We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

'Truly shocking revelation'

The American Civil Liberties Union (ACLU) was rather annoyed as well, with staff attorney Alex Abdo saying in a statement: "This is a truly shocking revelation that underscores the importance of the debate on privacy now taking place and the reforms being considered. In a world in which there is no technological barrier to pervasive surveillance, the scope of the government’s surveillance activities must be decided by the public, not secretive spy agencies interpreting secret legal authorities."

Writing on his personal Twitter feed, Christopher Soghoian, a principal technologist at the ACLU, said: "Save at least some of your outrage for Yahoo, which didn't care about users enough to encrypt their webcam traffic. Totally unacceptable.

"It doesn't take a genius to know that webcam chats are used for sensitive (read: sexual) content. Yahoo should have encrypted from day one."

GCHQ's webcam-raiding program, dubbed OPTIC NERVE, was still active in 2012, according to an intranet page that was accessed that year.

The surveillance agency wrote that "face detection has the potential to aid selection of useful images for 'mugshots' or even for face recognition by assessing the angle of the face," it said. "The best images are ones where the person is facing the camera with their face upright."

'We do not comment on intelligence matters'

GCHQ staff were told they could view "webcam images associated with similar Yahoo identifiers to your known target," The Guardian wrote. In other words, if a GCHQ target was named BadTerrorist1, then it might be acceptable for analysts to view an account named, say, BudTerrorist1.

Brit spooks tested automatic face-recognition technologies on the intercepted images as a way to search for actual suspects, but this system was briefly retired though is likely to return.

Some of the OPTIC NERVE data was fed into NSA's all-seeing XKeyscore search tool, and NSA research was used to build the technology that sniffed out the Yahoo! cam network packets. Though the NSA denies encouraging foreign intelligence partners to harvest data for it, GCHQ is known to operate under looser constraints and therefore is able to gather much more data.

In a statement, a GCHQ spokesman said: "It is a longstanding policy that we do not comment on intelligence matters.

"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position."

Today's revelations come in the wake of allegations earlier this week that GCHQ drew up plans to discredit targets online by embarrassing them with compromising photos and slander. Those slides were also leaked by Snowden. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.