Skip to main content

Could the NSA use Microsoft's Xbox One to spy on you?

Could the NSA use Microsoft's Xbox One to spy on you?

/

Skype swore wiretaps weren't possible before recent reports. Is Kinect next?

Share this story

You close a laptop when you're not using it. Your phone faces the inside of a pocket, a purse, or lies flat on a table. But the Microsoft Kinect, a camera that will come connected to every new Xbox One game console, gets a perfect view of your living room. It's always listening for voice commands, even when you turn the Xbox off. It can even read your heartbeat with the right software.

"We aren't using Kinect to snoop on anybody at all."

Microsoft says it doesn't plan to abuse that power, and claims it couldn't even if it tried. The company told us that the Kinect's cameras and microphones aren't actually recording or transmitting any audio or video data back to Microsoft's servers without the user's explicit consent, and all ambiently collected data is anonymized. While some voice commands are processed at Microsoft’s servers, they’re converted to text before they ever leave the machine, and biometric data is translated into numerical values that simply indicate, say, where a player’s limbs are during online multiplayer games. While Microsoft says the Kinect is an "integral part" of the new Xbox, it also claims that sensing can be paused.

"We aren't using Kinect to snoop on anybody at all," said Microsoft's Phil Harrison.

But would Microsoft be willing to help the government snoop? We set out to answer that question.

Last week, a report in The Guardian alleged that Microsoft gave government agencies access to private Skype video and audio calls, perhaps even going so far as to integrate Skype into the NSA's controversial PRISM surveillance system.

Not unlike Kinect, Skype had assured its users that wiretaps were technically impossible. "Because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request,"Skype had assured its users that wiretaps were technically impossible the company told CNET in 2008. And four years later, when hackers accused Skype owner Microsoft of changing the service's backend to facilitate government eavesdropping, the company categorically denied the accusations. Now, it seems like the company could have been lying, or at least had quietly changed its mind. Mind you, Microsoft is also denying last Thursday's Guardian report, but the denial is a lot less clear-cut. The company disavows having providing "blanket or direct access" to Skype, but doesn't deny that it provides Skype video or audio to the government upon request.

In fact, Microsoft's statement seems to suggest that it did update Skype to comply with the law. "When we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request," reads a portion of Microsoft’s response.

So even if we take Microsoft's word that the Kinect doesn't currently upload your private conversations to remote servers, can we trust that Microsoft won't change that in a future software update?

US citizens, at least, could theoretically trust in the courts. "The Fourth Amendment has been found to be really protective of everything that’s inside a person’s home," said Faiza Patel, co-director of the Liberty and National Security program at the Brennan Center for Justice.

Patel told The Verge that though the government might be able to argue that it can collect telephone call records because they’re simply metadata, or argue that it can collect Skype video chats between people who aren’t citizens of the US, it would be a different story with Kinect. "If you were collecting information through this Xbox device, then clearly it's in the United States at the very least, and then the fact that it’s inside your home also makes it more difficult for them," she said.

Xbox-one-kinect-560

Scott Greenwood, a civil rights lawyer, agrees. "It would be a flat violation of what little remains of the Fourth Amendment if the government had the ability to spy on you inside your house via a game system to which it had a backdoor," he told us. "If you're going to be invading someone's personal space, their residential space, you're going to need a warrant unless certain exceptions are met ... and I think having an always-on video camera would never, ever be able to meet the Fourth Amendment standard," he said.

But neither Greenwood nor Patel seemed to think the idea was completely far-fetched. "What we don’t know is whether there are either secret executive orders or regulations that would permit this to happen," said Greenwood, referring to PRISM and other forms of secret data collection greenlit by the FISA court system.

That’s the fear of Christopher Soghoian, a senior policy analyst with the American Civil Liberties Union (ACLU). After tweeting about how untrustworthy Microsoft appears in light of the PRISM allegations, he spoke to us briefly about his concerns.

Onstar-250 Soghoian pointed out that there is indeed something of a legal precedent for law enforcement to co-opt consumer technology for surveillance purposes. In 2002, a federal appeals court ruled against the FBI for tapping into a microphone that was part of the emergency call and navigation system (a la OnStar) inside a person’s car. The interesting part is that though two of three judges ruled against the government’s wiretap, their reasoning was simply that it kept emergency calls from functioning properly. You couldn’t dial 911 if the FBI was already on the line, they argued.

"The 9th Circuit reasoning there was delicate ... it's not clear that the Kinect camera serves as critical a function. Conceivably, the NSA could quietly record what's going in your living room without disrupting your ability to play video games," Soghoian told us.

While the 9th Circuit's decision relied on standard federal wiretap law, it might not be the only law to suggest that the government could tap into such data. A 1994 law known as the Communications Assistance for Law Enforcement Act (CALEA) requires that telecommunications equipment, facilities, and services are built with mechanisms to allow the government to legally intercept communications. "Conceivably, the NSA could quietly record what's going in your living room without disrupting your ability to play video games."While the Xbox One isn’t a router, Patel thinks the same concept could theoretically be applied to open devices like the Kinect to wiretapping. "If you have a technology that the government doesn't have access to, and the government is basically requiring the provider to build in access — whether the technology is encryption or something like the Kinect, it's the same principle," she told us.

Of course, if the FBI could wiretap a car or a Kinect, why not a smartphone? A leaked video shows that Google’s new flagship Moto X handset will be passively listening for voice commands, much like the Kinect itself — only where Microsoft scrapped its plans to require internet connectivity with the new Xbox, Google’s smartphone will always be connected via cellular. Moreover, the Moto X will use those commands to control Google Now, a service which also pokes through your email and calendar to anticipate your needs before you speak a word. It just goes to show that there are all kinds of data that you might not want others to see on your personal device. And, as we’ve seen before, it might be easier for the government to collect that data than video from a Kinect aimed at your living room.

Moto-x-560-tinhte-vn

Soghoian did point out, though, that cameras like the Kinect bring a unique and potentially worrying new angle. "The difference is the phone camera isn’t pointing at you when you’re sitting on the sofa talking to your friends, or kissing your wife," he said. "We also have to acknowledge that people have TVs that they can view from their beds."

On that note, there are other TV-mounted cameras to consider. In 2012, security researchers discovered a vulnerability in Samsung Smart TVs that allowed hackers to remotely access their cameras. We also reached out to Sony about its PlayStation Camera, an optional add-on for the upcoming PlayStation 4 game console, but have yet to hear back about any potential privacy concerns there.

"I think the important thing here," said Soghoian, "is when companies say ‘Don’t worry, we’re not recording,’ it doesn’t matter as much as whether they could record. Governments can twist the arms of companies and force them to do things, and in some cases the companies may just go along with it and even volunteer to help."

For its part, Microsoft insists that it wouldn’t help the government turn Kinect into an eavesdropping device. Quite the opposite, in fact. "Absent a new law, we don’t believe the government has the legal authority to compel us or any other company that makes products with cameras and microphones to start collecting voice and video data, and we’d aggressively challenge in court any attempts to try and force us to do so," the company told The Verge by email. Microsoft also confirmed that the new Kinect, like the original, has an activity light when it’s turned on.

Microsoft says it would take the government to court

All in all, it seems unlikely that the Microsoft Kinect would become a spying tool, especially given the backlash if anyone ever found out. It sounds like it would be particularly difficult to justify wide PRISM-style surveillance, given the Kinect’s role in the home. But as devices begin to learn more and more about us, and as intelligence agencies rely on secrecy to block lawsuits that might reveal just how far they’ve gone, we might want to consider which companies we trust to stand up to the government when we invite these incredibly convenient new tools into our lives, and our homes.

Read next: Phone spying and PRISM internet surveillance: what's the difference?

And: Our full government surveillance StoryStream