Yes, Someone Could Be Watching Your Every Move Through Your MacBook's Camera Right Now

Not to freak you out or anything, but you should probably be more paranoid when you're online.

Drew Millard

Drew Millard

If you're reading this it's too late—it means you're on the internet, and therefore you're totally screwed. Whether or not you realize it, your personal data is often being collected by third parties who, through shady and often confusing user agreements, have suckered you into consenting to give up more than you bargain for.

Even if you haven't tried to work for the federal government or registered with Ashley Madison to cheat on your spouse, it's totally possible that someone out there has a veritable portrait of who you are based off your personal data. It's not because any one site is leaking your private details, either—instead little bits of information about you are being aggregated by companies known as data brokers, who then turn around and sell that intel to advertisers.

As cyber-crime expert Ron Moritz put it, these data brokers "have more data than the CIA or NSA has ever been able to accumulate." If an Ashley Madison-level hack were to occur of one of these data brokers, Moritz told me, it would be a "primary risk to Western civilization."

Despite his admittedly dark thoughts about online safety, Moritz is a pretty sunny guy. An industry vet who has been in the information security game since the early 90s (I like to imagine him as a non-evil version of that guy "The Plague" from Hackers), he currently heads up the biometric cybersecurity firm BioCatch, and has seen the field go from a cubicle curio to a primary source of headaches for the human race.

In a phone interview, he explained that internet users are sharing their personal data without even realizing it. These days, he told me, you should be less concerned with your password strength, and more deeply paranoid about the ways that you have inadvertently consented to the erosion of your privacy. He also confirmed that you should, in fact, be worried that someone will hack your MacBook's camera to watch your every move.

VICE: What sort of information should people be worried about leaking?
Ron Moritz: Anything and everything.

[Laughs] It's not so much the concern that, "Hey, I stored all my stuff over here"—it's that we've stored a bunch of little things all over the place. It's actions we take, our behaviors, and the privacy we give up through them. These days, anything you do leaves behind little trinkets of information. Someone's out there looking for those nuggets of data and assembling it into something that could allow them to pretend to be you.

How often are people inadvertently giving away their personal information online?
I think it's more common than anybody realizes. People should be thinking about what they agree to give up, especially when they download fun stuff. Often, people accept the release of information when they download an app and just hope that it takes good care of their data. But often, packets of people's data is being sold to these companies called data brokers—they're the people who aggregate a variety of data behind the scenes. They then sell that data to advertisers to be able to target specific users.

These data brokers are sitting on what's believed to be richer sets of information about people than what's in the wildest dreams of the CIA and NSA. They have more data than the US government. That's a scary idea—that there's all of this data owned by companies we don't really know about.

When you put it like that, it sounds like people should hide their data in a cave and never do anything online again.
It's all about awareness, the same that you'd use in the physical world—what you're doing, where you're going, the types of information trails you're leaving, what type of privacy agreements you've consented to, who you're actually releasing that information to.

What's the single worst thing for a person to have leak?
Healthcare information. Your health insurance card now has a street value of $50. Your credit card has a street value of about five bucks. People will perpetrate fraud and steal people's healthcare services—I've heard of fraudulent liver transplants happening. The mechanisms to prevent fraud lag in healthcare, because classically fraud has been not as prevalent in that field as it's been in finance.

What's another common way people give this stuff up that they might not realize?
If someone ever registers for something and automatically fills out an online form with information from their LinkedIn or Facebook page or "connects" to something through Facebook, they're creating these natural connections. It's allowing this new company to leverage the relationships you have on Facebook, the things you've done, your history, your pictures. The more bonds you create, the more you allow your private data to expand into the far reaches of the internet. Even if people abandon that service, the link they've made still continues. You're still feeding that company data. Those are risks that are very hard to communicate to people.

So it's almost like by linking something to a social media profile, you're creating a roadmap of your activities, that leads to this hub of data.
One popular thing when you sign up for a website is having some sort of secondary, knowledge-based question [to back up a password]. People say, "That's pretty cool! Who would know my grandmother's maiden name or what I named my first pet other than me?" But in reality, we've now shared a lot of that information on Facebook. We have a link to our grandmother! There might be a picture of our first pet!

Do incognito tabs actually work?
I'd love to believe so [laughs]. I don't launch them often enough, but I do launch them in certain environments where I just don't want to be known. They don't really do much of anything. It's a way to not have to go back and clean up your activities online. It doesn't stop any of the information you're sending from being shared—what it's doing is providing you with extra privacy locally. So if your wife got on your computer and looked at your browser history, there wouldn't be any. It doesn't stop anything on the other end of the transaction—the website or service you're connected to can still see who you are.

Is it possible to hack someone's computer so that you can look through their front-facing camera?
I'll take you back into the 1990s. In the 90s, I was involved with a start-up called Finjan. One of the things we were concerned about was the fact that malicious code could be introduced on to pretty much any machine through a user going to certain websites. Today this is regarded as common sense, but in the 90s, this was a novel idea. The code itself could convince your computer to trust it, and then be given access to services.

We created a demo just to show how easy this was: [that with] someone making a single click on a website, we could turn on the microphone of their laptop. We basically said, "Look—we've created a bug. People don't have to bug a room anymore; we can just turn on the microphone of their computer and record it all." We showed how easy it would be to turn on the microphone of a CEO's computer with the CEO being none the wiser. This was kind of a cool thing.

This was 18 years ago—if we could turn the microphone on back then, you can certainly imagine that it's possible to turn on someone's camera, or any other sensor they have, on any of their devices.

Is there any point in making a hard-to-guess password anymore?
Generally speaking, no. Not today, and not in the future. A password is, today, pretty much fully compromised. Nobody's gonna tell you that's still a relevant form of security. It's like the basic Kwikset Lock you buy at the hardware store that you put on the outside of your door. For the most part, anybody who wants to break in is not going to be able to, but for the guys who know what they're doing, it's not a barrier.

On Motherboard: Why You Can't Put Cybersecurity in a Box

So it's like the difference between someone trying to crack a safe by guessing the code, and someone else just stealing the safe and breaking it open with power tools.
The truth of the matter is most users do not want any more hoops to jump through—they don't want to put the password in and scan their finger, they don't want to use some two-step verification SMS code, all the other stuff you can think about.

Last question—if someone stole all the data held by Facebook or Google, would humanity be totally screwed?
I'd call it more of an inconvenience than a total screwing. Not because those services aren't primary to our lives—they're valuable and provide services we love—but they're not critical. If an ATM network goes down, that could create a run on the banks because it would stop cash from being able to be distributed throughout society. Besides, Facebook and Google aren't the only data brokers out there. The ones people should be concerned about are the ones that don't have the big names—they're hidden, way in the background. That's the scary part.

Follow Drew on Twitter.