Feeds

UK spies on MILLIONS of Yahoo! webcams, ogles sex vids - report

Perfectly legal for us to watch your unencrypted steamy cam sessions, sniffs GCHQ

Protecting against web application threats using SSL

British spies allegedly intercepted and stored nude pics and other stills from millions of Yahoo! Messenger webcams – and mulled capturing snaps from the XBox's Kinect camera, too.

The UK intelligence agency GCHQ started slurping photos from innocent netizens' camera feeds in 2008, The Guardian reported today. In just one six-month period alone, pics from 1.8 million Yahoo! users were pulled into government servers.

Blighty's hush-hush nerve-center was also said to have explored the possibility of intercepting footage from the Kinect camera for Microsoft's Xbox 360 games console as it generated "fairly normal webcam traffic."

We're told the British g-men made an unfortunate discovery while allegedly harvesting the snaps: between three and 11 per cent of the obtained Yahoo! webcam pics contained "undesirable nudity."

Although Yahoo!'s instant messaging service uses SSL to encrypt passwords when logging in, it does not prevent network eavesdroppers from intercepting, decoding and storing text messages and live webcam feeds between contacts. It's alleged GCHQ grabbed stills from active cam chat sessions every five minutes – regardless of whether the users were suspected of any wrongdoing.

"Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person," GCHQ wrote in a document leaked by ex-NSA whistleblower Edward Snowden to the newspaper.

"Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography."

The spy agency did try to protect the delicate sensibilities of its staff, with a handbook note stating: "There is no perfect ability to censor material which may be offensive. Users who may feel uncomfortable about such material are advised not to open them."

Yahoo! was incensed by The Guardian's report.

"We were not aware of nor would we condone this reported activity. This report, if true, represents a whole new level of violation of our users' privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December," Yahoo! told The Register.

"We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

'Truly shocking revelation'

The American Civil Liberties Union (ACLU) was rather annoyed as well, with staff attorney Alex Abdo saying in a statement: "This is a truly shocking revelation that underscores the importance of the debate on privacy now taking place and the reforms being considered. In a world in which there is no technological barrier to pervasive surveillance, the scope of the government’s surveillance activities must be decided by the public, not secretive spy agencies interpreting secret legal authorities."

Writing on his personal Twitter feed, Christopher Soghoian, a principal technologist at the ACLU, said: "Save at least some of your outrage for Yahoo, which didn't care about users enough to encrypt their webcam traffic. Totally unacceptable.

"It doesn't take a genius to know that webcam chats are used for sensitive (read: sexual) content. Yahoo should have encrypted from day one."

GCHQ's webcam-raiding program, dubbed OPTIC NERVE, was still active in 2012, according to an intranet page that was accessed that year.

The surveillance agency wrote that "face detection has the potential to aid selection of useful images for 'mugshots' or even for face recognition by assessing the angle of the face," it said. "The best images are ones where the person is facing the camera with their face upright."

'We do not comment on intelligence matters'

GCHQ staff were told they could view "webcam images associated with similar Yahoo identifiers to your known target," The Guardian wrote. In other words, if a GCHQ target was named BadTerrorist1, then it might be acceptable for analysts to view an account named, say, BudTerrorist1.

Brit spooks tested automatic face-recognition technologies on the intercepted images as a way to search for actual suspects, but this system was briefly retired though is likely to return.

Some of the OPTIC NERVE data was fed into NSA's all-seeing XKeyscore search tool, and NSA research was used to build the technology that sniffed out the Yahoo! cam network packets. Though the NSA denies encouraging foreign intelligence partners to harvest data for it, GCHQ is known to operate under looser constraints and therefore is able to gather much more data.

In a statement, a GCHQ spokesman said: "It is a longstanding policy that we do not comment on intelligence matters.

"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position."

Today's revelations come in the wake of allegations earlier this week that GCHQ drew up plans to discredit targets online by embarrassing them with compromising photos and slander. Those slides were also leaked by Snowden. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.