The feds and corporations are hijacking Americans’ webcams to conduct surveillance, and there isn’t much legal recourse for innocent victims when it happens, according to a new report.
The paper, which details these 1984 telescreen-like capabilities using court documents, was released this week by a team of lawyers with the Chicago-Kent College Privacy Program.
The report’s authors say that federal officials who remotely activate webcams routinely flout the Bill of Rights, and call for an end to the practice.
“Allowing law enforcement to remotely activate webcams is akin to giving the government a pair of eyes in every home—something the Founders prohibited in the Third Amendment, which prohibits the quartering of soldiers without the owner’s consent, except in a manner prescribed by law,” the report states. It adds that the spycraft also inherently violates the Fourth Amendment, given how routine computer sharing is.
While there is no ban on feds hacking into your webcam to spy on you, judges have denied requests from cops seeking express permission to do it.
In one 2013 case highlighted in the report, the FBI asked a judge to grant a warrant allowing them to remotely access “software on an unspecified computer in an unknown location, and to perform remote electronic surveillance, including by activating its webcam.” The device was suspected to have been involved in an attempt to hack into someone’s computer to make a “sizeable transfer” to a foreign bank account.
Judge Stephen W. Smith denied the FBI’s request for numerous reasons.
“What if the Target Computer is located in a public library, an internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme?” the judge asked rhetorically. He recommended that the FBI use less invasive surveillance tools.
The FBI was held in check in that case, but it’s now widely known that the often-unaccountable US intelligence community has the capability to routinely hijack webcams.
Documents provided to journalists by NSA whistleblower Edward Snowden show how the agency has developed “groundbreaking surveillance…to infect potentially millions of computers worldwide with malware ‘implants.’” One piece of malware, codenamed “GUMFISH,” can reportedly “covertly take over a computer’s webcam and snap photographs.”
Corporate surveillance also poses serious problems that federal law does not do nearly enough to rectify. “Private businesses should be prohibited from remotely activating users’ webcams, because their doing so poses extraordinary threats to users’ privacy that the actual or perceived benefits do not come close to balancing,” the report says.
If left unaddressed, this type of spying is likely to become more pervasive. “When a technology is available, it is available for abuse, and corporations and law enforcement don’t have any great history of restraint here,” one of the authors of the report, Dan Massoglia, told The Sentinel.
In one case, a manager at the rent-to-own chain Aaron’s remotely accessed customer Brian Byrd’s computer webcam as many as 347 times in the course of a month, and collected screenshots of his wife in her underwear. The manager claimed the couple was late on payment—a claim later proven wrong by a receipt.
Byrd filed suit against Aaron’s and a host of companies associated with the incident. He alleged that the companies intercepted his communications in violation of the Electronic Communications Privacy Act (ECPA) and accessed his hard drive in violation of the Computer Fraud and Abuse Act (CFAA).
But the court ultimately rejected most of Byrd’s claims. It ruled that screenshots taken from a hacked webcam were technically not “intercepted” communications protected by ECPA, since they were never in transit to another individual.
Attempts to fill this legal loophole have proven fruitless. In 2010, Sen. Arlen Specter (D-Pa.) sought to broaden the definition of an “intercept” with the Surreptitious Surveillance Video Act. The bill prohibited discrete video interceptions without a warrant, but never made it out of committee.
Byrd’s argument that the company violated the CFAA was also tossed out, since he couldn’t prove damages in excess of $5,000 as required by the law. Although every state has a law prohibiting this type of computer intrusion, many states similarly require proof of monetary damages.
“The Byrd case highlights a significant shortcoming in the law,” the report states. Not only are corporations not bound by constitutional considerations, but laws like ECPA and CFAA have loopholes that prevent victims from having proper recourse.
“The overwhelming majority of lawmakers are not paying enough–or any–attention to webcam hacking,” said Massoglia.
This becomes particularly troublesome when corporations are working with law enforcement. The report illustrated a case where a private company conducted webcam surveillance on a woman suspected of stealing a computer. Using the very device at the heart of the allegations, the company snapped compromising photos of her through her webcam as she was talking with her boyfriend, and then passed the images on to law enforcement. Although it was later revealed that the woman was not involved in the computer theft, police used the photos to humiliate her during questioning. The cops were later cleared of any wrongdoing by a judge.
Most punishment for companies engaged in illicit webcam spying has been meted out by the Federal Trade Commission. In 2012, seven rent-to-own companies, including Aaron’s, settled with the FTC over charges of webcam spying.
“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said then-Chairman of the FTC, Jon Leibowitz.
The settlement prohibited the companies from remotely accessing webcams and using other underhanded tactics to collect sensitive personal information.
But ultimately, more needs to be done, the authors of the report argue.
Lori Andrews, Michael Holloway, and Dan Massoglia produced the Digital Peepholes report. You can read it in full here.