"Optic Nerve" program collected Yahoo webcam images in bulk | 1.8m users targeted by UK agency in six-month period alone | Yahoo: ‘A whole new level of violation of our users’ privacy’ | Material included large quantity of sexually explicit images
Britain’s surveillance agency GCHQ, with aid from the US National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal.
GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not.
In one six-month period in 2008 alone, the agency collected webcam imagery – including substantial quantities of sexually explicit communications – from more than 1.8 million Yahoo user accounts globally.
Yahoo reacted furiously to the webcam interception when approached by the Guardian. The company denied any prior knowledge of the program, accusing the agencies of “a whole new level of violation of our users’ privacy”.
GCHQ does not have the technical means to make sure no images of UK or US citizens are collected and stored by the system, and there are no restrictions under UK law to prevent Americans’ images being accessed by British analysts without an individual warrant.
Sexually explicit webcam material proved to be a particular problem for GCHQ, as one document delicately put it: “Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person. Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography.”
In his interview with The Post, Snowden noted matter-of-factly that Standard Form 312, the classified-information nondisclosure agreement, is a civil contract. He signed it, but he pledged his fealty elsewhere. (via Edward Snowden, after months of NSA revelations, says his mission’s accomplished - The Washington Post) This article / interview is an extraordinary thing to read.
“The oath of allegiance is not an oath of secrecy,” he said. “That is an oath to the Constitution. That is the oath that I kept that Keith Alexander and James Clapper did not.”
People who accuse him of disloyalty, he said, mistake his purpose. “I am not trying to bring down the NSA, I am working to improve the NSA,” he said. “I am still working for the NSA right now. They are the only ones who don’t realize it.”
What entitled Snowden, now 30, to take on that responsibility? “That whole question — who elected you? — inverts the model,” he said. “They elected me. The overseers.”
He named the chairmen of the Senate and House intelligence committees. “Dianne Feinstein elected me when she asked softball questions” in committee hearings, he said. “Mike Rogers elected me when he kept these programs hidden. . . . The FISA court elected me when they decided to legislate from the bench on things that were far beyond the mandate of what that court was ever intended to do. The system failed comprehensively, and each level of oversight, each level of responsibility that should have addressed this, abdicated their responsibility.”
“It wasn’t that they put it on me as an individual — that I’m uniquely qualified, an angel descending from the heavens — as that they put it on someone, somewhere,” he said. “You have the capability, and you realize every other [person] sitting around the table has the same capability but they don’t do it. So somebody has to be the first.”
In an open letter to President Obama and Congress, eight of the most prominent U.S. tech companies have demanded that strict new limits be put on government surveillance, citing revelations made earlier this summer, when stories based on Edward Snowden’s leaked documents began running in The Guardian. “The balance in many countries has tipped too far in favor of the state and away from the rights of the individual,” they argue, “rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.”
They’ve staked out an extraordinary position.
Google, Facebook, Apple, Microsoft, Twitter, Yahoo, LinkedIn, and AOL all have an interest in restoring public trust in their products and averting new regulatory challenges in countries disinclined to let a spying hegemon control the Internet. My colleague James Fallows has written eloquently about the damage the NSA’s behavior could do to U.S. economic might as other countries react to it. The companies could’ve made a compelling case for reform on those grounds alone.
Instead, they’ve gone quite a bit farther.
The phrase ‘Pick your poison’ was created for scenarios just like this.
Eric Schmidt, former CEO of Google, September 2013:
"There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgement on that, it’s the nature of our society."
Eric Schmidt, former CEO of Google, November 2013:
"It’s really outrageous that the National Security Agency was looking between the Google data centers, if true." His comment follows recent reports of a nefarious tool crafted by the agency and the UK’s GCHQ that accessed Google and Yahoo data lairs without permission. Schmidt also said that to “potentially violate people’s privacy, it’s not OK,”
Facebook severed Path’s invite ability over the weekend, however, in the wake of a dust-up with a U.K.-based user who joined Path one evening before bed, only to wake up and find that Path had sent texts, e-mails and (inadvertently) phone calls lobbying his friends to join Path on his behalf.
Facebook confirmed to AllThingsD.com that it had cut off its “Find Friends” access to Path at the moment, but emphasized that users can still syndicate content from Path back to Facebook. Facebook did not address whether the restriction came as a result of Path’s recent spamming accusations, and Morin told me he didn’t know why Facebook chose to cut him off when it did.
[insert laughter here]
Robert Edwards had been on the popular dating site OKCupid.com for about six months when the administrators asked him to be a community moderator. “They wrote and said I am a responsible user, whatever that means,” he recalled, admitting that at first he was befuddled. Though fairly active on the site, Edwards, a medical professional who lives in the Mission District, had remained a confirmed bachelor.
But curiosity drove him to click the “moderation” button, and within minutes he was reading people’s messages to each other and perusing profiles flagged for possible terms of service violations.
Online love-seekers might not be aware of it, but OKCupid has deputized random strangers to gain access to intimate conversations between others — correspondence that many users, as well as Internet privacy experts, assumed to be private.
See, to me this should be a crime, although I’d be lying if I said I didn’t also find it very funny/ridiculous. In Europe, I believe the owners of OKCupid would be looking at large fines and probably jail time. That should be the consequence of violating customer privacy in the US, as well. In a sane world, Facebook’s officers would be re-thinking their new phone app, because they’d be afraid of going to jail for the violations of user privacy that are an inevitable by-product of the service/app.
A few weeks ago a friend of mine said she was getting harassing text messages from a particular phone number, which she didn’t recognize and which didn’t appear in any of her own records. On a whim, I suggested entering the number into the Facebook search box, whereupon we found the guy’s profile (even though he had no friends in common with the account we were logged in under), realized who he was, and ratted the thirty-something out to his Mom.
Then I thought: Is it really a good idea, for this to be possible? I tried entering consecutive phone numbers (starting with a random valid number, and varying the last 2 digits from 00 to 99) into Facebook’s search box, and 13 of them came up with valid matches. None of those matches had any friends in common with the account we were searching from; as far as I can tell, anybody could enter any phone number into Facebook’s search box and find the account associated with it, if there is one.
I think this has non-trivial privacy implications. (I repeatedly contacted Facebook explaining why I think this is a problem, but they haven’t responded.) I’m not talking about the ability to find the account associated with a particular phone number — I think relatively few people have a legitimate need to send text messages from a truly anonymous phone number, and if they do, it’s their own fault if they’re dumb enough to put that number on their Facebook profile. And it wouldn’t be a practical way to unmask the phone number associated with a particular account, either — even if you knew the person’s area code, and narrowed down the list of possible exchange numbers following the area code, you’d still have to try tens of thousands of possibilities.
Rather, the problem is that you could use this technique to build up a database of phone numbers and associated accounts without targeting any specific phone number or account. Not only would you know the names associated with each of the numbers, you could associate the phone number with anything else that was discoverable from the person’s Facebook profile — which usually includes their location, their interests, and the names of their other friends. (By default, all such information is visible on your Facebook profile — even to users who aren’t your Facebook friends and have no friends in common with you — but your contact information is supposed to be hidden from other users unless you’ve confirmed them as friends.)
The callers that Seely recorded thought they were speaking directly to the government agencies because they looked up the telephone number on Google Maps. What they didn’t know was that Seely had set up fake listings for the San Francisco FBI office and Secret Service in Washington, D.C., displaying numbers that went to a phone account he set up rather than the federal offices. After Seely’s numbers received the calls, they were seamlessly forwarded to the real offices the callers were trying to reach, only now the audio of their conversations with real federal agents was being captured by Seely. Seely told Valleywag:
Who is gonna think twice about what Google publishes on their maps? Everyone trusts Google implicitly and it’s completely unwarranted and it’s completely unsafe. I could make a duplicate of the White House and take every inbound phone call from the White House. I could do it for every Senator, every Congressman, every mayor, every governor—every Democratic, every Republican candidate. Every office.
My $50,000 Twitter Username Was Stolen Thanks to PayPal and GoDaddy
I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up. While eating lunch on January 20, 2014, I received a text message from PayPal for a one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating…. [more at the link.]
While controlling a camera remotely has long been a source of concern to privacy advocates, conventional wisdom said there was at least no way to deactivate the warning light. New evidence indicates otherwise.
Now research from Johns Hopkins University provides the first public confirmation that it’s possible to do just that, and demonstrates how. While the research focused on MacBook and iMac models released before 2008, the authors say similar techniques could work on more recent computers from a wide variety of vendors. In other words, if a laptop has a built-in camera, it’s possible someone — whether the federal government or a malicious 19 year old — could access it to spy on the user at any time.
This is not good news.
In 1999, Scott McNealy, the chief executive of Sun Microsystems, summed up the valley’s attitude toward personal data in what became a defining comment of the dot-com boom. “You have zero privacy,” he said. “Get over it.”
Mr. McNealy is not retracting that comment, not quite; but like Mr. Metcalfe he is more worried about potential government abuse than he used to be. “Should you be afraid if AT&T has your data? Google?” he asked. “They’re private entities. AT&T can’t hurt me. Jerry Brown and Barack Obama can.” An outspoken critic of the California state government, and Mr. Brown, the governor, Mr. McNealy said his taxes are audited every year.
Today in Plutocracy: No matter what anyone else says about this surveillance story, it’s a lock that no one will say anything as dumb as that Scott McNealy quote.
Path, the photo-centric social network that just hit 10 million users yesterday, has been getting some heat for what some users say are spammy tactics to recruit new users.
Digital marketer Stephen Kenwright downloaded the app earlier this week, tried it out, uninstalled it, and went to bed. When he woke up, he found that Path had gone on a rogue mission early in the morning, texting and robocalling an unknown number of his contacts, including his grandparents.
By the time Kenwright got to work, it became clear that Path had gotten in touch with his entire phone book. Coworkers, friends, and family were asking him about the text or phone call they’d received from Path, which stated that Kenwright wanted to share photos with them. “Having uninstalled the app yesterday when I decided it wasn’t for me, I’m going to go ahead and assume that Path took this data out of my phonebook sometime during the half hour I had it installed,” Kenwright said in a blog post about the incident.
This is not the first or second time Path has fucked over its users. I don’t understand why people think the ability to share some fucking photographs with ‘friends’ is worth the complete abdication of your - and your friends’ - privacy. Who on earth wants Path texting and robocalling their friends, trying to sell them on signing up for a service that texts and robocalls their friends? Path’s only response to this? “The app is working fine, shut up.”
OUR browsing habits, search terms, e-mail communication — even our offering of our ZIP codes at the supermarket checkout — reveal bits of information that can be assembled by data companies, usually for the purpose of knowing what sorts of products we’re most likely to buy. The online advertising industry insists that the data is scrambled to make it impossible to identify individuals.
Mr. Acquisti offers a sobering counterpoint. In 2011, he took snapshots with a webcam of nearly 100 students on campus. Within minutes, he had identified about one-third of them using facial recognition software. In addition, for about a fourth of the subjects whom he could identify, he found out enough about them on Facebook to guess at least a portion of their Social Security numbers.
The point of the experiment was to show how easy it is to identify people from the rich trail of data they scatter around the Web, including seemingly harmless pictures. Facebook can be especially valuable for identity thieves, particularly when a user’s birth date is visible to the public.
Does that mean Facebook users should lie about their birthdays (and break Facebook’s terms of service)? Mr. Acquisti demurred. He would say only that there are “complex trade-offs” to be made.
“I reveal my date of birth and hometown on my Facebook profile and an identity thief can reconstruct my Social Security number and steal my identity,” he said, “or someone can send me ‘happy birthday’ messages on the day of my birthday, which makes me feel very good.”
There are 2 really good articles on Internet privacy in today’s NY Times.