The Webcam Hacking Epidemic

Flickr user mofetos

It'd be easy for policy makers to correct gaps in protections against remote access tools used to spy on individuals. So why haven't they?

In 2009, when Susan Clements-Jeffrey purchased a used laptop from a student at the high school where she substitute taught, chances are she didn’t expect that the transaction would conclude with local police in her living room, laughing at her and calling her "stupid" while showing her explicit pictures of herself taken from her computer. Later, at the police station, according to court documents, the abuse continued, with the men now calling her disgusting while reading from her private instant message chats. The laptop, it turned out, had been stolen before she bought it, and it came equipped with a Remote Access Tool, or RAT.

RATs are software that allow a third party to spy on a computer user from afar, whether rifling through messages and browsing activity, photographing the computer screen, or in many cases hijacking the webcam and taking photographs of whomever is on the other side. RATs are widely used in a variety of contexts, some benign, others not. Across the board, abuse tends to be the rule.

It’s hard to know how many RATs are out there because of their covert nature. Recent reports confirm hundreds of thousands of computers infected in 2014 by only a single type of RAT, with the actual number of infections across years and technology far, far higher. School districts have used RATs to spy on students in their bedrooms; rent-to-own computer stores have secretly watched their customers. Online, at places like HackForums.net, individuals, often men, trade and sell access to strangers' computers, often women, gained via RAT. The jargon that ratters use underscores the power dynamic—ratted computers are called "slaves."

The National Security Agency, too, is involved. The agency has budgeted tens of millions of dollars for an aggressive effort to scale its hacking operations and "own the net," a proposition that, as The Intercept reported, envisions indiscriminately infecting millions with malware that has the capability for remote video surveillance by webcam. The Department of Justice, for its part, expended considerable effort in 2014 making vague arguments in support of expansions in Federal Bureau of Investigation ability to use malware, like RATs, for domestic law enforcement.

There's a real threat of being watched and recorded where you live, and without your knowledge or consent. Anyone with or near a computer and its webcam is potentially at risk. While cautious browsing can make a difference when it comes to protecting yourself, for ratting victims, U.S. law, late as usual to the party, is lacking.

* * *

Despite repeated violations of privacy via webcam hacking, legal protections against RATs in the United States leave many behind. Theoretically available state-level protections vary widely from place to place, and federal law, as a privacy backstop, is inadequate.

There are counter-intuitive interpretations of aging electronic privacy statute passed before webcams were invented and a federal hacking law that offers a private individual the right to sue but imposes requirements on this right that exclude most victims of ratters. In the case of the government’s use of RATs against the public, the process is comically and characteristically opaque.

Simple changes to U.S. law and policy, though, can meaningfully improve the status quo and ensure that the public is protected. As one of the authors of a recent policy paper reviewing the legal, technological, and policy issues surrounding RATs, I've given a lot of thought to the problem and how we can fix it.

The federal government should clarify the definition of “interception” under Title I of the Electronic Communications Privacy Act (ECPA) and reconsider the damages requirement for private claims in the Computer Fraud and Abuse Act (CFAA) in light of the often non-economic nature of privacy harms. A victim’s suffering is often not financial but emotional.

On a constitutional and procedural level, we should require that law enforcement hacking include automatic transparency, ban government webcam hacking, and be exacting in applying the Fourth Amendment’s warrant requirements. Together, with political will and popular support behind them, change in these areas would empower the public to better respond to ratters—whether individuals or government agents—and improve the privacy of millions.

* * *

Electronic privacy law in the United States is guided by the overlap of the Federal Trade Commission, state law, criminal procedure, executive order, and federal statute. In the last category, few statutes have more potential than the ECPA. ECPA was passed in 1986 as an amendment to the federal Wiretap Act, and, among other things, generally forbids the interception of electronic communications without the consent of a party to that communication. It’s a rule that sounds fairly simple. But in applying the 28-year-old law—which Sen. Patrick Leahy noted in 2013 was "no longer suited" to contemporary threats—courts have turned to a technologically unwieldy metaphor of "flight" to determine which interceptions occur “contemporaneously” with a message’s transmission and thus are covered by the statute. This definitional jig has meant webcam hacking victims are uncovered, with courts reluctant to take the sensible step of including webcam RAT spying under the act’s auspices.  

A leading case illustrating the problems with the “in-flight” ECPA approach is Byrd v. Aaron's, Inc., et al., still-pending federal litigation over RAT spying conducted by rent-to-own computer stores franchised by Aaron’s, Inc. At issue are privacy harms suffered by Colorado residents Crystal and Brian Byrd at the hands of a RAT called PC Rental Agent.

In 2010, the Byrds purchased a computer from Colorado Aaron’s, Inc. rent-to-own franchise Aspen Way. According to the suit, the store installed a brand-name RAT on the couple’s computer without telling them. Employees then used the software to take webcam photographs, log messages, and capture screenshots, wrongly thinking the couple was behind on payments. An Aspen Way employee came into the Byrd’s house, alleging delinquency, and, at his door, showed Brian a webcam photo of himself playing poker. The intrusion, he told the Associated Press in 2011, “[felt] like being invaded, like somebody else was in our house."

The Byrds sued a number of parties associated with the incident, including the store and the manufacturer of the trojan. Though ECPA, as the bedrock of U.S. electronic privacy legislation, would seem to apply naturally to the RAT-enabled capture of webcam photographs, keystrokes, and screenshots, a district court judge in their case adopted a pre-trial finding that the photographs were not "intercepted" for the purposes of the statute. The same judge expressed skepticism that the messages and screenshots could have been “intercepted,” either, but still allowed debate of the issue in the case.

The litigation is still underway, but for now, the court's unwillingness to treat webcam snooping as protected under ECPA is a troubling but easily correctable deficiency in the law. Courts, or the legislature, should abandon or retool the "in-flight" metaphor and understand snatched webcam photos as interceptions for the purposes of the statute. (A related suit alleging RAT-enabled interception of privileged and confidential attorney work product is unfolding in Georgia.)

* * *

Another law integral to electronic privacy is the Computer Fraud and Abuse Act (CFAA), and, like ECPA, RATs were not considered when it was written. The CFAA was initially passed, as the story goes, in 1983 when Ronald Reagan saw the hacking film War Games and got freaked out about computer viruses. The law has been updated since, and remains primarily concerned with "unauthorized access" to computers.

Of particular importance here is Section 1030(g), the act’s private right of action. Though the CFAA is foremost a criminal statute, meaning that prosecutors would have the power to decide when it is used, 1030(g) allows a private party to sue in a civil rather than a criminal proceeding, one that might conceivably offer refuge to victims of ratters. But civil suits aren’t a straightforward course of action for victims either.

As it currently stands, a ratting plaintiff must show damages of over $5,000 to be able to use the act's civil provisions. But even great privacy harms do not necessarily translate to dollars—what is the price of having your sex life mocked by strangers in your living room? Of having your home invaded virtually?—so the act ends up unable to protect many who might need it. Amending the CFAA’s damages requirement to take into account the type of harms suffered by ratting victims would offer more people the ability to gain relief under the act’s provisions.

Ratting also raises constitutional and judicial process concerns, relating both to public access to democracy and to the strict warrant requirements regarding searches by the government of private individuals. In this arena, multiple aspects of the legal system are implicated, the CFAA among them.

With law enforcement and intelligence agency hacking on the rise, another section of the CFAA takes on greater importance for victims of ratting. The act contains something of a get-out-of-jail-free provision that shields law enforcement from its reaches. Section 1030(f) explicitly approves of "lawfully authorized investigative, protective, or intelligence activity of a law enforcement [or intelligence] agency of the United States."

The problem, for the public, is that we know next to nothing about what is "lawfully authorized" law enforcement hacking. Agencies keep secret the details of their hacking operations, fighting public efforts to understand their operations. They rely on euphemism and institutional gravity in lieu of transparency when advocating their position, a phenomenon on display in DOJ efforts to loosen RAT spying warrant requirements.

Remotely activating a computer’s webcam means potentially invading the privacy of all those unlucky enough to be in front of the lens, which makes the practice of government ratting constitutionally fraught. The Fourth Amendment requires that spying warrants only be limited closely to a specific, stated target. But because webcams don’t care about warrant orders, it is difficult to foresee a situation where law enforcement could meaningfully ensure its operation would "'effectuate only the purposes for which the order is issued.'" In other words, it would be impossible to ensure that even arguably appropriate uses of surveillance malware would not equal inappropriate and unlawful access as well.

On a strictly practical level, it is debatable that the FBI would ever need to activate a computer's webcam when less invasive means of surveillance like GPS tracking are available. It’s also difficult to be comfortable authorizing more methods of potential constitutional violations to an agency whose history is riddled with them.

Ratting is a practice that is not limited to a branch of government, area of society, or political party—and unless laws are changed, many will continue to be at their mercy.