Modern field guide to security and privacy

Why webcam indicator lights are lousy privacy safeguards

A recent academic study found that few computer users notice indicator lights and even fewer realize that the camera is always recording when the light is on. The lack of awareness, say researchers, makes people more vulnerable to webcam spying.

Devon Carlson/The Christian Science Monitor

That tiny light next to your webcam is supposed to play a big role in protecting your privacy – it lets you know when the camera is recording. But, if you're like most people, you probably won’t notice when it’s on at all, which means you wouldn't know if someone is surreptitiously filming you. 

"Every time that the webcam indicator is on, the webcam is recording," says Rebecca Portnoff, a PhD candidate at the University of California at Berkeley. "Even if you think it’s impossible, that you haven’t Skyped anyone, that you’re not recording anything, that it must be some kind of glitch, the webcam’s recording."

The webcam light is a type of privacy indicator, which is a notification that a user’s data is being collected in some way. Other privacy indicators include the green Secure Sockets Layer lock in the website address bar that indicates a secure connection or the pop-up on a smartphone asking for consent to share your location with an app.

"One of the big problems we see today is that it’s really hard to know how an application is using your data," says Serge Egelman, a research scientist at UC Berkeley’s Department of Electrical Engineering and Computer Science. "Once you’ve granted access to it, it’s essentially gone."

In a paper presented at conferences earlier this year, Ms. Portnoff and five of her Berkeley colleagues examined the effectiveness of webcam lights. At various points during the experiment, the webcam, along with the LED light, turned on and made a 10-second recording.

Fewer than half of the participants noticed that the light was on when they were doing computer tasks, while only five percent who were working on a paper-based task in front of the computer noticed the light turn on. Most people also didn’t understand that the light meant the camera was recording.

While webcam lights can save people from embarrassment in an unintended Skype or FaceTime call, not noticing the light can also open people up to a specific kind of malware known as a remote administration tool (RAT), which can be used to access victims' webcams, microphones, screens, and files.

Portnoff became interested in the topic while browsing Hack Forums, which hosts discussion boards for topics such as gaming and coding as well as topics on hacking techniques such as “ratting,” a digital attack that involves infecting victims’ machines with a RAT.

“Given that people do things like changing their clothes in front of their computers and taking their computers into the shower with them so they can listen to music and all sorts of stuff,” Portnoff said, “we think it’s critical to pay attention to the problem of getting users to notice the webcam LED even when they’re not actively on their computer.”

It is difficult to get an accurate count for how many people are victims of this kind of spying because of a lack of reporting on an individual level, but Paul Shomo, a digital forensic specialist at the security firm Guidance Software, said ratting should be taken seriously despite the lack of concrete statistics.

“Where we’re seeing it a lot right now is against federal targets,” he said, “which is very likely state-sponsored cyberterrorism, but could also be cybercrime syndicates.”

The kind of ratting Mr. Shomo is referring to doesn’t always involve a webcam. Oftentimes at the state level, Shomo said, the attackers are targeting information to steal. These attackers can be significantly more advanced than the amateur attackers seeking easy ratting solutions on Hack Forums, and RAT malware can be difficult to detect. Shomo has seen cases in federal agencies and companies where ratting malware was not discovered for over a year.

For the lower-end ratting involving webcam spying, Mr. Egelman, the Berkeley researcher, notes that it isn’t likely to happen on a particularly large scale because there needs to be a human on one end actively using the software to access the victim’s camera. Still, the consequences can be severe.

To help users become more aware of when the camera is in use, the second part of the study tested a new indicator. When the webcam turned on, an opaque red camera icon would fill the screen and shrink into the upper right hand corner, blinking for seven seconds before it went away.

Awareness of the light improved dramatically. More than 90 percent of participants noticed the camera turn on while doing computer-based tasks. It did not, however, substantially increase understanding that the light’s presence meant the camera was recording.

Until better indicators are developed for the webcam, Portnoff and Egelman recommend placing a sticker over the webcam and using antivirus software. For other applications, pay attention to what permissions they ask for.

“The biggest thing is to be cognizant of what data could be collected,” Egelman said, “and then trying to make informed choices about which services and applications actually use them.”

 
