Feeds

UK spies on MILLIONS of Yahoo! webcams, ogles sex vids - report

Perfectly legal for us to watch your unencrypted steamy cam sessions, sniffs GCHQ

Website security in corporate America

British spies allegedly intercepted and stored nude pics and other stills from millions of Yahoo! Messenger webcams – and mulled capturing snaps from the XBox's Kinect camera, too.

The UK intelligence agency GCHQ started slurping photos from innocent netizens' camera feeds in 2008, The Guardian reported today. In just one six-month period alone, pics from 1.8 million Yahoo! users were pulled into government servers.

Blighty's hush-hush nerve-center was also said to have explored the possibility of intercepting footage from the Kinect camera for Microsoft's Xbox 360 games console as it generated "fairly normal webcam traffic."

We're told the British g-men made an unfortunate discovery while allegedly harvesting the snaps: between three and 11 per cent of the obtained Yahoo! webcam pics contained "undesirable nudity."

Although Yahoo!'s instant messaging service uses SSL to encrypt passwords when logging in, it does not prevent network eavesdroppers from intercepting, decoding and storing text messages and live webcam feeds between contacts. It's alleged GCHQ grabbed stills from active cam chat sessions every five minutes – regardless of whether the users were suspected of any wrongdoing.

"Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person," GCHQ wrote in a document leaked by ex-NSA whistleblower Edward Snowden to the newspaper.

"Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography."

The spy agency did try to protect the delicate sensibilities of its staff, with a handbook note stating: "There is no perfect ability to censor material which may be offensive. Users who may feel uncomfortable about such material are advised not to open them."

Yahoo! was incensed by The Guardian's report.

"We were not aware of nor would we condone this reported activity. This report, if true, represents a whole new level of violation of our users' privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December," Yahoo! told The Register.

"We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

'Truly shocking revelation'

The American Civil Liberties Union (ACLU) was rather annoyed as well, with staff attorney Alex Abdo saying in a statement: "This is a truly shocking revelation that underscores the importance of the debate on privacy now taking place and the reforms being considered. In a world in which there is no technological barrier to pervasive surveillance, the scope of the government’s surveillance activities must be decided by the public, not secretive spy agencies interpreting secret legal authorities."

Writing on his personal Twitter feed, Christopher Soghoian, a principal technologist at the ACLU, said: "Save at least some of your outrage for Yahoo, which didn't care about users enough to encrypt their webcam traffic. Totally unacceptable.

"It doesn't take a genius to know that webcam chats are used for sensitive (read: sexual) content. Yahoo should have encrypted from day one."

GCHQ's webcam-raiding program, dubbed OPTIC NERVE, was still active in 2012, according to an intranet page that was accessed that year.

The surveillance agency wrote that "face detection has the potential to aid selection of useful images for 'mugshots' or even for face recognition by assessing the angle of the face," it said. "The best images are ones where the person is facing the camera with their face upright."

'We do not comment on intelligence matters'

GCHQ staff were told they could view "webcam images associated with similar Yahoo identifiers to your known target," The Guardian wrote. In other words, if a GCHQ target was named BadTerrorist1, then it might be acceptable for analysts to view an account named, say, BudTerrorist1.

Brit spooks tested automatic face-recognition technologies on the intercepted images as a way to search for actual suspects, but this system was briefly retired though is likely to return.

Some of the OPTIC NERVE data was fed into NSA's all-seeing XKeyscore search tool, and NSA research was used to build the technology that sniffed out the Yahoo! cam network packets. Though the NSA denies encouraging foreign intelligence partners to harvest data for it, GCHQ is known to operate under looser constraints and therefore is able to gather much more data.

In a statement, a GCHQ spokesman said: "It is a longstanding policy that we do not comment on intelligence matters.

"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position."

Today's revelations come in the wake of allegations earlier this week that GCHQ drew up plans to discredit targets online by embarrassing them with compromising photos and slander. Those slides were also leaked by Snowden. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.