Web cams have long concerned computer pros

In 1993, Silicon Graphics Inc. manufactured a commercial workstation computer with a video camera built in for teleconferencing. The proto-Web cam had an ingenious technology for ensuring users would be safe from visual snooping: a lens cap.

Last week, allegations that a school-issue laptop computer had secretly snapped a photo in a Lower Merion teen's bedroom sparked a furor among many students, parents, and privacy experts in this region and nationwide.

But there was one group less surprised than others: computer professionals, who have long worried about increasingly common Web cams and their ability to intrude anywhere laptops go.

Experts in spyware and other malicious software ("malware") say much of the concern is theoretical, chiefly because there is little money for scammers to make by remotely activating a Web cam - especially in an era when people voluntarily post intimate videos online.

Benjamin Edelman, a Harvard Business School professor who studies spyware, says he has never encountered malware that activates a Web cam.

"It's easy to write such a program, and it's clear how it could be used. But I haven't seen such a program in active use," said Edelman, noting that most hackers were more interested in stealing financial data or turning your computer into a zombie drone to distribute spam e-mails.

There is, however, one niche where snooping software flourishes: among cyberstalkers and domestic abusers who want to spy on their victims, monitor their behavior, and use what they find to intimidate or control them.

"We've been seeing camera misuse in victims of domestic violence and stalking for over a decade," said Cindy Southworth of the National Network to End Domestic Violence. "It began as soon as the cameras were introduced."

Southworth, director of a safe-technology project called Safety Net, said the earliest cases typically involved abusive husbands who used tools developed for parents to keep a remote eye on children.

One victim told Southworth that her ex-husband had wired her entire house with cameras when they separated in 1994. Another reported that her husband had hidden a camera in a kitchen-based computer behind a fan vent.

"He knew when she had company over and knew when she was alone, and when she was alone he would call and threaten her," Southworth said.

Things took a disturbing turn as Web cams became common and remote-control software more sophisticated, several experts said.

Now, the same software that allows help-desk personnel to take over your computer to diagnose a malfunction can be used, at least in theory, to activate and control your Web cam. And software to turn a Web cam into a spy camera is available online.

Lauren Weinstein, a California computer consultant and founder of an online privacy forum, said the Lower Merion controversy reflected just a small corner of concerns about Web cams and privacy invasion.

In a lawsuit, a Lower Merion family says an administrator confronted the Harriton High School student with a photo allegedly taken by the laptop camera. District officials have acknowledged that the Apple laptops the school distributed came with a security feature that could snap pictures if the computers were reported lost or stolen.

If the family's claims are true, Weinstein said, "by not disclosing that the capability was there, the school made an enormous mistake." But he said a bigger issue was how such technology could be used by outsiders.

"With any security software that has this kind of capability, you don't have to worry so much about legitimate users," such as a help desk. "The problem is that you open it up to manipulation by untrusted third parties."

It is not clear how well smaller businesses and organizations limit the use of remote-control software. But large companies are aware of the risks of illegitimate use.

Dell, for instance, strictly limits staffers' capacity to take control of customers' computers through its Dell Connect service, which spokeswoman Jennifer Davis likened to having a technician "sitting next to you working on the computer."

Davis said customers must sign up online and agree to the service's terms. Then they are issued a temporary code to initiate the help session. If the session has not begun within 15 minutes, the authorization expires, she said. Every session requires a new code - even if a session ends because a connection is momentarily lost.

Even with all that, there are special restrictions for access to customers' Web cams. "The agent may not activate the Web camera during a Dell Connect help session unless they are troubleshooting the Web camera," she said. "The customer must agree, and it has to be documented in that session," either by a voice or text acknowledgment.

Sophisticated remote-control software is a double-edged sword, spyware experts say.

"The same technology that's used by help desks is used by hackers," said Ari Schwartz, associate director of the Center for Democracy and Technology. "Basically, once they have control of your computer, they can do whatever they want with it."

That means a hacker could execute any sort of command or software manipulation on your computer - including disabling the light that signals your Web cam is on, unless it is hard-wired.

Even if such software is rarely used to activate Web cams, computer experts are well aware of the risks. And the old Silicon Graphics solution, which bypasses the software, is a favored approach.

"You go to security conferences," Schwartz said, "and people have a piece of paper taped over the camera."