Feeds

UK spies on MILLIONS of Yahoo! webcams, ogles sex vids - report

Perfectly legal for us to watch your unencrypted steamy cam sessions, sniffs GCHQ

3 Big data security analytics techniques

British spies allegedly intercepted and stored nude pics and other stills from millions of Yahoo! Messenger webcams – and mulled capturing snaps from the XBox's Kinect camera, too.

The UK intelligence agency GCHQ started slurping photos from innocent netizens' camera feeds in 2008, The Guardian reported today. In just one six-month period alone, pics from 1.8 million Yahoo! users were pulled into government servers.

Blighty's hush-hush nerve-center was also said to have explored the possibility of intercepting footage from the Kinect camera for Microsoft's Xbox 360 games console as it generated "fairly normal webcam traffic."

We're told the British g-men made an unfortunate discovery while allegedly harvesting the snaps: between three and 11 per cent of the obtained Yahoo! webcam pics contained "undesirable nudity."

Although Yahoo!'s instant messaging service uses SSL to encrypt passwords when logging in, it does not prevent network eavesdroppers from intercepting, decoding and storing text messages and live webcam feeds between contacts. It's alleged GCHQ grabbed stills from active cam chat sessions every five minutes – regardless of whether the users were suspected of any wrongdoing.

"Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person," GCHQ wrote in a document leaked by ex-NSA whistleblower Edward Snowden to the newspaper.

"Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography."

The spy agency did try to protect the delicate sensibilities of its staff, with a handbook note stating: "There is no perfect ability to censor material which may be offensive. Users who may feel uncomfortable about such material are advised not to open them."

Yahoo! was incensed by The Guardian's report.

"We were not aware of nor would we condone this reported activity. This report, if true, represents a whole new level of violation of our users' privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law consistent with the principles we outlined in December," Yahoo! told The Register.

"We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

'Truly shocking revelation'

The American Civil Liberties Union (ACLU) was rather annoyed as well, with staff attorney Alex Abdo saying in a statement: "This is a truly shocking revelation that underscores the importance of the debate on privacy now taking place and the reforms being considered. In a world in which there is no technological barrier to pervasive surveillance, the scope of the government’s surveillance activities must be decided by the public, not secretive spy agencies interpreting secret legal authorities."

Writing on his personal Twitter feed, Christopher Soghoian, a principal technologist at the ACLU, said: "Save at least some of your outrage for Yahoo, which didn't care about users enough to encrypt their webcam traffic. Totally unacceptable.

"It doesn't take a genius to know that webcam chats are used for sensitive (read: sexual) content. Yahoo should have encrypted from day one."

GCHQ's webcam-raiding program, dubbed OPTIC NERVE, was still active in 2012, according to an intranet page that was accessed that year.

The surveillance agency wrote that "face detection has the potential to aid selection of useful images for 'mugshots' or even for face recognition by assessing the angle of the face," it said. "The best images are ones where the person is facing the camera with their face upright."

'We do not comment on intelligence matters'

GCHQ staff were told they could view "webcam images associated with similar Yahoo identifiers to your known target," The Guardian wrote. In other words, if a GCHQ target was named BadTerrorist1, then it might be acceptable for analysts to view an account named, say, BudTerrorist1.

Brit spooks tested automatic face-recognition technologies on the intercepted images as a way to search for actual suspects, but this system was briefly retired though is likely to return.

Some of the OPTIC NERVE data was fed into NSA's all-seeing XKeyscore search tool, and NSA research was used to build the technology that sniffed out the Yahoo! cam network packets. Though the NSA denies encouraging foreign intelligence partners to harvest data for it, GCHQ is known to operate under looser constraints and therefore is able to gather much more data.

In a statement, a GCHQ spokesman said: "It is a longstanding policy that we do not comment on intelligence matters.

"Furthermore, all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position."

Today's revelations come in the wake of allegations earlier this week that GCHQ drew up plans to discredit targets online by embarrassing them with compromising photos and slander. Those slides were also leaked by Snowden. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.