Govt abusing Bill of Rights with digital surveillance loopholes, lawyers allege

24 Dec, 2014 17:30

Government and corporate entities have far too much leeway to hack into webcams in order to conduct surveillance, and laws supposedly designed to protect victims of such an intrusion are inadequate, according to a new report.

The report, titled 'Digital Peepholes,' highlights how easy it is for law enforcement and other government agencies, as well as corporations, to violate Americans’ Third and Fourth Amendment rights.

Constitutional “guarantees should preclude the government from remotely activating webcams, given that webcams are frequently located in the home, where privacy rights are at their strongest,” wrote the report’s authors, all of the Institute for Science, Law and Technology at the IIT Chicago-Kent College of Law.

“Yet because the existing laws on government electronic surveillance allow secret proceedings and provide few opportunities for public oversight, there is no way of knowing how many times remote webcam activation has been approved by a judge, or been used without any judicial authorization.”

As underscored by The District Sentinel, there is no outright ban on the federal government hacking into a webcam. The capabilities are often exploited, as exhibited by the classified National Security Agency documents released by former intelligence contractor Edward Snowden.

The NSA has developed mass surveillance operations via malware “implants” used to infect computers worldwide. One malware implant, known as 'GUMFISH,' can reportedly “covertly take over a computer’s webcam and snap photographs.”

Yet judges have often denied law enforcement the right to infiltrate devices for purposes of webcam surveillance.

The report pointed out one such case in 2013, in which the FBI called on a judge to authorize the agency to infiltrate “software on an unspecified computer in an unknown location, and to perform remote electronic surveillance, including by activating its webcam.” The computer was believed to be part of a hacking attempt into another computer in order to conduct a “sizeable transfer” to an overseas bank account.

The FBI’s request was blocked by Judge Stephen W. Smith.

“What if the Target Computer is located in a public library, an internet café, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme?” the judge said about the possible ramifications of granting the FBI permission.

The report’s authors wrote that based on “its questionable effectiveness and high level of intrusiveness, remotely activating webcams should be clearly prohibited as a law enforcement investigative technique, and the rules of criminal procedure should not be modified to encourage its uses.”

Meanwhile, private businesses also find ways to hack into webcams, oftentimes exploiting loopholes in existing laws.

“Private businesses should similarly be banned from employing remote webcam activation, as its supposed benefits for theft prevention and recovery do not justify the flagrant violations of privacy that inevitably occur when the technology is activated,” the report states.

One case detailed in the report involved the manager of a rent-to-own store, Aaron’s, who remotely accessed a customer’s webcam well over 300 times in one month. The manager gathered screenshots of the customer’s wife in her underwear, later claiming – inaccurately – that the customer was late in paying for the device.

The customer filed a lawsuit against Aaron’s and other companies associated with the hack, alleging that the companies intercepted his communications, violating the Electronic Communications Privacy Act (ECPA). He also alleged the companies accessed his hard drive, violating the Computer Fraud and Abuse Act (CFAA).

A court, though, rejected most of the customer’s claims, exposing loopholes in the two laws. The court said the screenshots taken from the compromised webcam were not considered interceptions of communications that the ECPA is designed to protect. And since the customer could not prove damages of at least $5,000, the company was not ultimately in violation of the CFAA.

“When a technology is available, it is available for abuse, and corporations and law enforcement don’t have any great history of restraint here,” one of the report’s authors, Dan Massoglia, told The District Sentinel.

“The overwhelming majority of lawmakers are not paying enough–or any–attention to webcam hacking,” Massoglia added about attempts to rectify the loopholes.

While calling for explicit prohibitions on government and private infiltration of webcams, the report’s authors also recommended new efforts to strengthen laws that aim to protect Americans from intrusion by individual “ratters” looking to lift data from devices.

The problems lie, the authors said, in “insufficient disclosure and a lack of opportunity for public oversight in the case of government use; incentives for private companies to perform intrusive surveillance in place of the police; and existing laws’ failure to adequately protect victims of surreptitious remote activation.”