Why webcam indicator lights are lousy privacy safeguards

A recent academic study found that few computer users notice indicator lights and even fewer realize that the camera is always recording when the light is on. The lack of awareness, say researchers, makes people more vulnerable to webcam spying.

That tiny light next to your webcam is supposed to play a big role in protecting your privacy – it lets you know when the camera is recording. But, if you're like most people, you probably won’t notice when it’s on at all, which means you wouldn't know if someone is surreptitiously filming you. 

"Every time that the webcam indicator is on, the webcam is recording," says Rebecca Portnoff, a PhD candidate at the University of California at Berkeley. "Even if you think it’s impossible, that you haven’t Skyped anyone, that you’re not recording anything, that it must be some kind of glitch, the webcam’s recording."

The webcam light is a type of privacy indicator, which is a notification that a user’s data is being collected in some way. Other privacy indicators include the green Secure Socket Layer lock in the website address bar that indicates a secure connection or the pop-up on a smartphone asking for consent to share your location with an app.

"One of the big problems we see today is that it’s really hard to know how an application is using your data," says Serge Egelman, a research scientist at UC Berkeley’s Department of Electrical Engineering and Computer Science. "Once you’ve granted access to it, it’s essentially gone."

In a paper presented at conferences earlier this year, Ms. Portnoff and five of her Berkeley colleagues examined the effectiveness of webcam lights. At various points during the experiment, the webcam, along with the LED light, turned on and made a 10-second recording.

Fewer than half of the participants noticed that the light was on when they were doing computer tasks, while only five percent who were working on a paper-based task in front of the computer noticed the light turn on. Most people also didn’t understand that the light meant the camera was recording.

While webcam lights can save people from embarrassment in an unintended Skype or FaceTime call, not noticing the light can also open up people to a specific kind of malware that known as remote administration tool (RAT) that can be used to access victims' webcams, microphone, screen, and files.

Portnoff became interested in the topic while browsing Hack Forums, which hosts discussion boards for topics such as gaming and coding as well as more topics on hacking techniques such as “ratting,” a digital attack that involves infecting victims’ machines with a RAT.

“Given that people do things like changing their clothes in front of their computers and taking their computers into the shower with them so they can listen to music and all sorts of stuff,” Portnoff said, “we think it’s critical to pay attention to the problem of getting users to notice the webcam LED even when they’re not actively on their computer.”

It is difficult to get an accurate count for how many people are victims of this kind of spying because of a lack of reporting on an individual level, but Paul Shomo, a digital forensic specialist at the security firm Guidance Software, said ratting should be taken seriously despite the lack of concrete statistics.

“Where we’re seeing it a lot right now is against federal targets,” he said, “which is very likely state-sponsored cyberterrorism, but could also be cybercrime syndicates.”

The kind of ratting Mr. Shomo is referring to doesn’t always involve a webcam. Often times at the state level, Shomo said, the attackers are targeting information to steal. These attackers can be significantly more advanced than the amateur attackers seeking easy ratting solutions on Hack Forums, and RAT malware can be difficult to detect. Shomo has seen cases in federal agencies and companies where ratting malware was not discovered for over a year.

For the lower-end ratting involving webcam spying, Mr. Egelman, the Berkeley researcher, notes that it isn’t likely to happen on a particularly large scale because there needs to be a human on one end actively using the software to access the victim’s camera. Still, the consequences can be severe.

To help users become more aware of when the camera is in use, the second part of the study tested a new indicator. When the webcam turned on, an opaque red camera icon would fill the screen and shrink into the upper right hand corner, blinking for seven seconds before it went away.

Awareness of the light improved dramatically. More than 90 percent of participants noticed the camera turn on while doing computer-based tasks. It did not, however, substantially increase understanding that the light’s presence meant the camera was recording.

Until better indicators are developed for the webcam, Portnoff and Egelman recommend placing a sticker over the webcam and using antivirus software. For other applications, pay attention to what permissions they ask for.

“The biggest thing is to be cognizant of what data could be collected,” Egelman said, “and then trying to make informed choices about which services and applications actually use them.”