On the Net, unseen eyes access private Webcams
Concerns are being raised about the ease with which images from unsecured cameras can be viewed by others online. Photos: Watched in the Windy City
The girls were wary at first, Chalos said, but ultimately didn't believe the camera would be recording them, so they continued changing their clothes. Later, one girl mentioned the camera to her coach, who confronted Livingston's principal. The coach was told that the camera was not positioned to observe dressing and undressing, the court papers contend. But after parents pressed the point, a school district official reviewed the video and reported that it showed the girls in "bras and panties."
 | ||
| | |
 For the latest breaking news, visit NYTimes.com Sign up to receive top headlines Get Dealbook, a daily corporate finance email briefing Search the jobs listings at NYTimes.com Search NYTimes.com: | ||
| ||
| ||
That was enough to enrage the parents. But what they learned as they questioned school authorities outraged them even more. Logs from the server holding the school's video show that the images were available, unsecured, over the Internet, Chalos said, and indicate several instances of access by unknown outsiders.
With the proliferation of surveillance cameras in everyday life and Webcams at home computers, the ease with which unsecured cameras can be detected on the Internet has become an increasing cause of concern. Last month, bloggers began reporting on the ability to tap into thousands of raw Webcam feeds with a few simple Google searches, and the Spanish police arrested a suspect on charges of developing a computer virus that can activate a Webcam without the owner's permission.
The Yankee Group, a market research company, estimates that as many as 13 percent of American households have a Webcam attached to one of their computers, often sitting on top of a monitor in a living room or a bedroom.
Like each Web page, each camera on the Internet has an address, and unless the cameras have been concealed behind software firewalls, their addresses make them specifically searchable and identifiable.
A Google search one day last week indicated more than 10,000 such Web cameras, showing everything from bedrooms and living rooms to coin-operated laundry businesses and shoe stores to plasma reactors and mountain ranges. (Some of the cameras required passwords for access to the video.)
Other video sources are mostly security cameras that have been fed onto the Net, either deliberately to make them available to the public, like traffic or weather cams, or simply because putting the camera online was the easiest way to get the video signal into the building's security office.
If a Webcam image is deliberately displayed as a part of a public Web site, then the image is obviously intended to be seen by whoever visits that site. But a search for specific video camera signatures allows users to skip the Web site and view the camera image outside its intended context.
It is illegal to gain access to a secured computer without the proper authorization, even if the computer's password is publicly known. But is it legal to look at unsecured Webcams discovered as a result of a Google search, through the back door, so to speak? "It's probably not illegal, but you never know," said Annalee Newitz, policy analyst at the Electronic Frontier Foundation, a digital rights advocacy group. "That would be the court case--would a reasonable person consider these cameras to be public?"
| ||||
| | | ||
| Related story stolen credit cards  The ubiquitous search engine makes it easy to find unprotected personal data, CNET News.com has learned. | | ||
| ||||
| ||||
Jennifer Stisa Granick, executive director of the Stanford Law School Center for Internet and Society, agrees that it is a gray area. "The law states you have to know that you're not authorized to look at this information," she said. "But if it's available through Google, most people would reasonably think that it was all right. But what if a person didn't realize that their Webcam image was going out over the Internet? Do they have an expectation of privacy?"
That, Chalos said, is the crux of the case that the Tennessee girls' families brought against the Overton County school board, which administers the Livingston school. "You should never, ever, ever put cameras in locker rooms, period," Chalos said. "Any student undressing in a locker room has the right to privacy. And the school has to protect that."
But not everyone understands the difference between installing a "secure" camera system and making it truly secure. Axis Communications of Sweden specializes in establishing and maintaining Internet-based surveillance camera systems around
the world. Fredrik Nilsson, Axis's general manager for the United States, points out that Axis cameras are installed with a default password, and it is up to the owners to make the cameras more or less secure."Just to give some perspective, we have delivered close to half a million cameras, and a Google search produces only a few hundred of them," Nilsson said. He acknowledges that default passwords to many camera systems, including those of Axis, are frequently traded over the Internet. Nevertheless, he maintains, Axis cameras are secure against accidental intrusion.
| ||||
| | | ||
| Photos Windy City As part of a new safety program, surveil- lance cameras in Chicago capture street activity and alert police to gunshots. | | ||
| ||||
| ||||
But protecting against accident is not the same as protecting against a deliberate invasion, Chalos said. "The images were protected only by the software's default username and password, which the school had never changed," he said. Lists of default passwords for many different types of computer systems are available on almost any "hacking" site on the Internet. "You've got to believe that pedophiles prowling the Internet, they're going to know that password," Chalos said.
The cameras at Livingston were installed over the summer of 2002 by EduTech of Dyersburg, Tenn., a company specializing in school security cameras. Twice every second, the cameras took high-resolution color images of the school's hallways, exits and, as it turned out, the changing area of the visitors' locker room. The school's lawyers maintain that their clients wanted the locker room camera to face the door and that the camera was mounted incorrectly. EduTech maintains that it put the camera where it was told.
Images from the system, including those of the locker room, were fed into a video server that sat in an assistant principal's office. That server was a part of the school's internal network, which was in turn plugged into the Internet.
A lawyer for the school acknowledged in court papers that school officials never changed the video server's password from its default setting. But the lawyer said school officials had "insufficient information either to admit or deny" whether there was access to the images over the Internet.
Chalos' complaint, originally filed in District Court in June 2003, five months after the initial incident, asserts that someone outside the school gained access to the video server over the Internet several times over a six-month period. There is no way to tell precisely which video images might have been viewed by outsiders, but Chalos appeals to common sense.
"In theory, whoever broke in could have gotten onto the server, looked at pictures of hallways and classrooms, and that's it," Chalos said. "But my suspicion is, if they kept coming back, they had a more directed purpose."
The Internet visits, through computers in Clarksville, Tenn., Gainesboro, Tenn., and Rock Hill, S.C., came late at night or early in the morning, Chalos said. But the server holds not only live video, but also archived files. The unknown viewers are named in the suit as John Does and are cited for having potentially violated federal law on sexual exploitation of minors, Chalos said.
The original complaint listed 17 students and their parents as plaintiffs. Since then, Chalos said, he has determined that at least two other visiting teams had been captured on the locker-room camera, which was dismantled within days after the initial complaint. He filed a modified complaint last week on behalf of 34 students, seeking millions of dollars in damages.
Whether or not the cameras' video had been made available on the Internet by negligence, it has long been understood that people in the workplace or schools have little or no expectation of privacy from their teachers or employers. Having a supervisor monitor one's workplace activities, sometimes by video, has become a way of life for many Americans. But can employers, either deliberately or through neglect, make those images accessible for the world to see?
"The real scandal is why these Webcams are insecure," Newitz of the Electronic Frontier Foundation said. "This is just really, really sloppy. It is one thing for an employer to place employees under surveillance, but to take no effort to keep the Webcam access limited just to the workplace is really reprehensible."
Entire contents, Copyright © 2005 The New York Times. All rights reserved.