We documented earlier today that - if you are near your smart phone – the NSA or private parties could remotely activate your microphone and camera and spy on you.
This post shows that the same is true for our computer.
And a government expert told the Washington Post that the government “quite literally can watch your ideas form as you type” (confirmed). Even that is just “the tip of the iceberg”, according to a congress member briefed on the NSA’s spying program.
The New York Times reported in 2011 that German police were using spyware to turn on the webcam and microphone on peoples’ computers:
A group that calls itself the Chaos Computer Club prompted a public outcry here recently when it discovered that German state investigators were using spying software capable of turning a computer’s webcam and microphone into a sophisticated surveillance device.
The club …announced last Saturday it had analyzed the hard drives of people who had been investigated and discovered that they were infected with a Trojan horse program that gave the police the ability to log keystrokes, capture screenshots and activate cameras and microphones.
Reuters documented last year that the U.S. and Israeli governments can remotely turn on a computer’s microphone:
Evidence suggest that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran’s nuclear program in 2010 [i.e. the U.S. and Israel], according to Kaspersky Lab, the Russian cyber security software maker that took credit for discovering the infections.
Kaspersky researchers said they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.
Cyber security experts said the discovery publicly demonstrates what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.
The virus contains about 20 times as much code as Stuxnet, which caused centrifuges to fail at the Iranian enrichment facility it attacked. It has about 100 times as much code as a typical virus designed to steal financial information, said Kaspersky Lab senior researcher Roel Schouwenberg.
Flame can gather data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats.
Kaspersky Lab said Flame and Stuxnet appear to infect machines by exploiting the same flaw in the Windows operating system and that both viruses employ a similar way of spreading.
“The scary thing for me is: if this is what they were capable of five years ago, I can only think what they are developing now,” Mohan Koo, managing director of British-based Dtex Systems cyber security company.
From what we know the NSA has back door access into Apple, Microsoft, and Google. What kind of access we don’t know, but let us assume it is similar to what they did about 7 years ago to AT&T. They had a secret room at Fulsom St. in San Francisco and the AT&T engineers had no control and no access to a room full of NSA equipment that had direct access to everything AT&T could do.
Microsoft is the source of the operating system for Windows and Windows cell phones. Apple controls the OS for Macs, iPhones, and iPads. Google controls the Chrome OS, Chrome Browser, and Android cell phones. The companies regularly push operating system upgrades and security updates to users on a regular basis.
Imagine however that the NSA has access to these updates at the source and has the ability to alter these update in order to install some sort of spyware on your phone, tablet, or computer. The software could turn on your camera or microphone remotely, read all your private data, or erase everything and brick your phone or computer.
A high-level NSA insider confirmed to us that any computer's microphone can be remotely accessed.
Cracked noted in 2010:
All sorts of programs are available to let you remotely commandeer a webcam, and many of them are free. Simple versions will just take photos or videos when they detect movement, but more complex software will send you an e-mail when the computer you’ve installed the program on is in use, so you can immediately login and control the webcam without the hassle of having to stare at an empty room until the person you’re stalking shows up.
The bottom line is that – as with your phone, OnStar type system or other car microphone, Xbox, and other digital recording devices – you shouldn’t say or do anything near your computer that you don’t want shared with the world.
Postscript: You could obviously try to cover your webcam and microphone when you don’t want to use them.
But if you really want privacy, take a lesson from spy movies: Go swimming with the person you want to speak with … since electronics can’t operate in water.
NBC News reports:
Researchers examining the privacy implications of smart-meter technology found that one German provider’s devices contained vulnerabilities that allowed them to snoop on unencrypted data to determine whether or not the homeowners were home.
After signing up with the German smart-meter firm Discovergy, the researchers detected that the company’s devices transmitted unencrypted data from the home devices back to the company’s servers over an insecure link. The researchers, Dario Carluccio and Stephan Brinkhaus, intercepted the supposedly confidential and sensitive information, and, based on the fingerprint of power usage, were able to tell not only whether or not the homeowners were home, away or even sleeping, but also what movie they were watching on TV.
The New York Times points out:
Writing in Friday’s issue of the journal Science, the environmental scientist Jan Beyea foresees a world in which epidemiologists could harvest data on how people live from day to day — their use of electric blankets or microwave ovens, for example — and correlate such activities with the likelihood of developing certain health conditions. The meter data could serve as a check on information obtained from the questionnaires that are used in such studies, he said.
With data from thousands or millions of smart meters, researchers could design tools to measure how many times a day a refrigerator door was opened, relevant to dietary and obesity research, or sleep patterns, relevant to a wide range of health research, he wrote.
Network World notes:
Smart meters provide highly detailed energy-use data. The info can be used by police to find and to bust indoor pot farms, by insurance companies to determine health care premiums, and by criminals to determine if you own high-dollar appliances and when is the best time to steal them. And that’s only the tip of the potential privacy invasion iceberg.
In central Ohio, police file at least 60 subpoenas each month for energy-use records of people suspected in indoor marijuana growing operations, reported the Columbus Dispatch. Most of the houses with indoor pot growing operations are reportedly in quiet neighborhoods without much traffic. DEA agent Anthony Marotta said the subpoena is only one tool used to catch “grow house” operators. Police get a tip about suspicious activity, but if undercover officers don’t discover anything illegal during a stake out, then utility consumption records can be sought. “How else can I get an indicator to get probable cause if I can’t see anything?” Marotta said to reporter Dean Narciso.
The U.S. Department of Energy warned [PDF] that smart grid technology can provide a highly detailed household profile of energy consumption and said policies are needed to restrict utilities from sharing consumer usage data with third parties. The National Institute of Standards and Technology (NIST) outlined Potential Privacy Impacts that Arise from the Collection and Use of Smart Grid Data [PDF].
From reading it, a person might wonder if smart meters will be real-time surveillance spies. It suggests that insurance companies might use the smart meter data to determine health care premiums, such as if there is high usage at night which would indicate sleep behavior problems. Besides looking to bust pot farmers, law enforcement might use the data as “real-time surveillance to determine if residents are present and current activities inside the home.” The press might wish to see the smart meter data of celebrities. Criminals may want to see the data to determine the best time for a burglary and what high dollar appliances you might have to steal. Marketers might want the data for profiling and targeting advertisements. Creditors might want the data to determine if behavior indicates creditworthiness.
Lockheed Martin general manager of Energy and Cyber Services said the smart grid could include as many as 440 million new hackable points by the end of 2015, reported Computerworld.
National Geographic notes:
”It’s not hard to imagine a divorce lawyer subpoenaing this information, an insurance company interpreting the data in a way that allows it to penalize customers, or criminals intercepting the information to plan a burglary,” the private nonprofit Electronic Frontier Foundation noted in a blog post about smart meters.
The European Union’s data protection watchdog warned earlier this year that smart meters, while bringing significant potential benefits, also could be used track whether families “are away on holiday or at work, if someone uses a specific medical device or a baby-monitor, how they like to spend their free time and so on.” The European Data Protection Supervisor urged that member states provide the public with more information on how the data is being handled.
The California Public Utilities Commission (CPUC) … was involved in producing a comprehensive report on privacy with the
National Institute of Standards and Technology (NIST) that summarizes, often in chilling detail, the many ways in which privacy breaches could occur on the smart grid, and recommends best practices for preventing those breaches. “As Smart Grid implementations collect more granular, detailed, and potentially personal information, this information may reveal business activities, manufacturing procedures, and personal activities in a given location,” the NIST report said.
The San Francisco Chronicle reports:
Critics of “smart meters” have often warned that the advanced electricity and gas meters can invade privacy by revealing when someone is and isn’t home.
According to the American Civil Liberties Union, they have reason to worry.
The civil rights group on Wednesday reported that California’s three big, investor-owned utilities had disclosed individual account information on thousands of their customers last year, usually to government agencies armed with subpoenas.
Last year, the United States Congressional Research Service addressed some of the issues involved:
Data recorded by smart meters must be highly detailed, and, consequently, it may show what individual appliances a consumer is using. The data must also be transmitted to electric utilities—and possibly to third parties outside of the smart grid—subjecting it to potential interception or theft as it travels over communications networks and is stored in a variety of physical locations.
These characteristics of smart meter data present privacy and security concerns that are likely to become more prevalent as government-backed initiatives expand deployment of the meters to millions of homes across the country. In the American Recovery and Reinvestment Act of 2009 (ARRA), Congress appropriated funds for the implementation of the Smart Grid Investment Grant (SGIG) program administered by the Department of Energy. This program now permits the federal government to reimburse up to 50% of eligible smart grid investments, which include the cost to electric utilities of buying and installing smart meters. In its annual report on smart meter deployment, the Federal Energy Regulatory Commission cited statistics showing that the SGIG program has helped fund the deployment of about 7.2 million meters as of September 2011.15 At completion, the program will have partially funded the installation of 15.5 million meters. By 2015, the Institute for Electric Efficiency expects that a total of 65 million smart meters will be in operation throughout the United States.
The CRS discussed some of the laws which may govern smart meter data:
If smart meter data and transmissions fall outside of the protection of the Fourth Amendment, they may still be protected from unauthorized disclosure or access under the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and the Electronic Communications Privacy Act (ECPA). These statutes, however, would appear to permit law enforcement to access smart meter data for investigative purposes under procedures provided in the SCA, ECPA, and the Foreign Intelligence Surveillance Act (FISA), subject to certain conditions. Additionally, an electric utility’s privacy and security practices with regard to consumer data may be subject to Section 5 of the Federal Trade Commission Act (FTC Act). The Federal Trade Commission (FTC) has recently focused its consumer protection enforcement on entities that violate their privacy policies or fail to protect data from unauthorized access. This authority could apply to electric utilities in possession of smart meter data, provided that the FTC has statutory jurisdiction over them. General federal privacy safeguards provided under the Federal Privacy Act of 1974 (FPA) protect smart meter data maintained by federal agencies, including data held by federally owned electric utilities.
The CRS report notes the incompleteness of the laws applying to smart meters. And – given that the FISA court has recently been shown to rubber-stamp mass surveillance on millions of Americans without any protection – we’re not sure that the current legal protections regarding smart meter data are worth the paper they’re written on.
England is just as bad. As the Telegraph writes:
The devices, which the government plans to install in every home by 2020, will also tell energy firms what sort of appliances are being used, allowing companies to target customers who do not reduce their energy consumption.
Privacy campaigners have expressed horror at the proposals, which come as two million homes have ‘spy’ devices fitted to their rubbish bins by councils who record how much residents are recycling.
In its impact assessment, however, the Department for Energy and Climate Change (DECC) says there “is theoretically scope… for using the smart metering communications infrastructure to enable a variety of other services, such as monitoring of vulnerable householders by health authorities or social services departments.”
It adds: “Information from smart meters could also make it possible for a supplier to determine when electricity or gas was being used in a property and, to a degree, the types of technology that were being used within the property. This could be used to target energy efficiency advice and offers of measures, social programmes etc to householders.”
Doretta Cocks, founder of the Campaign for Weekly Waste Collection, said: “This is Orwellian. We’re already under surveillance for what we put outside the home in bins and now we could be watched for what we’re doing inside as well.
Guy Herbert, general secretary of NO2ID, said: “Information from smart meters might be useful to energy providers and perhaps even their customers, but there’s no reason for any public authority to have access to it – unless they’ve a warrant to do so.
“This document is a prime example of government efforts to shoehorn data sharing and feature creep into every new policy.
The DECC document adds households could even have their power to some appliances turned off remotely to help the national grid if there is too much demand.
Consumer Focus, the watchdog, has also expressed concern about the privacy implications of the meters, saying consumers are “at risk of unfair, excessive, inequitable and inefficient charging” because energy companies could use the new data to introduce more complex tariffs to maximise profits at peak times.
And the Age reports that smart meter data from Australian homeowners is shared with random companies:
Detailed information about electricity customers’ power usage, which gives insights into when a house is occupied, is being shared with third parties including mail houses, debt collectors, data processing analysts and government agencies.
Customers with smart meters who sign up for Origin Energy’s online portal must consent to their data being shared with a string of third parties. The data is stored in Australia but shared with US company Tendril, which is described by Origin as a smart energy technology provider.
Australia’s privacy watchdog said the technology could threaten people’s privacy. ”We are starting to see people voicing concern about the level of data that these meters can collect,” federal Privacy Commissioner Timothy Pilgrim said.
Mr Pilgrim said electricity companies had a legal responsibility to delete or ”de-identify” personal information that was no longer needed. However, an Origin spokesman said the company kept former customers’ data for retrospective queries and ”tax and compliance purposes”.
The state government aims to install smart meters – which log electricity use every half-hour – in all Victorian homes by the end of next year.
Customer information can only be accessed by staff involved in billing. He said the electricity retailer only shared information with third parties when they had a ”legitimate business need to do so in order to meet our service obligations to our customers”.
In the ultimate irony, one of the biggest proponents of smart meters – Northern California’s main utility, Pacific Gas & Electric – was busted in April for spying on anti-smart meter groups:
On Thursday 4th April 2013, the California Public Utilities Commission (CPUC) approved a settlement in its investigation into Pacific Gas and Electric Company (PG&E) for spying on anti-Smart Meter groups. PG&E will be required to pay $390,000 to the state’s General Fund.
This infiltration by PG&E was part of an on-going surveillance program conducted by PG&E and Edelman, a public relations firm PG&E hired in January of 2010 in response to escalating Smart Meter complaints and problems.
As part of this program, the director of the PG&E Smart Meter program, William “Ralph” Devereaux, other PG&E employees
and third parties spied on groups with the knowledge of senior PG&E staff. PG&E employees and senior management exchanged emails insulting and demeaning the members of the anti-SmartMeter groups. For example, these PG&E customers were referred to “insurgents.”
PG&E coordinated moving an entire Smart Meter deployment yard to derail a non-violent protest and sent an employee to surreptitiously observe and report on the reactions of the protestors, who also transmitted pictures of them to PG&E. This “spy” expressed his pleasure in observing and taking photos of anti-SmartMeter activists.
Note: Several utilities – including Pacific Gas & Electric – allow you to opt out of the smart meter program. If you insist, they will remove the smart meter from your home.