The US Department of Homeland Security is out to hack video game consoles, such as Xboxes, Wiis and PlayStations.
According to Foreign Policy, the US Navy has just awarded a $177,237 sole-source research contract to Obscure Technologies, a computer forensics company, to figure out how to hack the encryption that protects personal data on the consoles.
What the feds want from the deal, according to the contract with the US Navy: “hardware and software tools that can be used for extracting data from video game systems” and “a collection of data (disk images; flash memory dumps; configuration settings) extracted from new video game systems and used game systems purchased on the secondary market.”
According to Foreign Policy, law enforcement agencies contacted the Department of Homeland Security’s Science and Technology Directorate for help with a tool to examine gaming console data. DHS then asked the Naval Postgraduate School (NPS) to execute the contract and to lead the research.
It’s easy to dismiss these consoles as trivial games. But to law enforcement, they’re a potential treasure trove of forensic data.
As Foreign Policy points out, the government isn’t interested in the games themselves.
It’s the sophisticated platforms that could be a gold mine, given how they’ve evolved far beyond simple entertainment and now serve as all-purpose devices that can, for example, connect to Facebook or allow chatting with other players.
Once the DHS has cracked the encrypted devices, investigators will have access to data including when players were connected to the internet, the identity of those to whom they talked, the conversation logs of what was said, and the game that was played.
This data can help track down pedophiles, who often use online gaming communities as hunting grounds. A spokesman for DHS told Foreign Policy that there’s also a “suspicion” that terrorists are using online gaming to communicate.
Of course, on the flip side of catching pedophiles and terrorists lie privacy concerns.
Parker Higgins, a spokesman for the online privacy group the Electronic Freedom Foundation (EFF), told Foreign Policy that users might not realize the extent of the data that’s created and stored in their consoles:
"You wouldn't intentionally store sensitive data on a console. But I can think of things like connection logs and conversation logs that are incidentally stored data. And it's even more alarming because users might not know that the data is created."
"Taken in context, it could end up revealing more than you expect."
As Naked Security’s Lachlan Urquhart has pointed out, US police are already increasingly using online forums such as Xbox Live to communicate with suspected criminals and, reportedly, to record conversations.
And as Ars Technica reported in a January article on law enforcement’s use of online games to aid investigations, Microsoft has actually filed a patent on ways to intercept Internet calls, potentially including audio messages transmitted via gaming systems.
The US Privacy Act makes it illegal to poke at US citizens’ data in this manner, according to Simson Garfinkel, a computer science professor associated with the DHS project.
That’s why the government is pointing Obscure Technologies at gaming systems purchased outside the country.
Here’s what Garfinkel told Foreign Policy:
"This project requires the purchasing of used video game systems outside of the U.S. in a manner that is likely to result in their containing significant and sensitive information from previous users. We do not wish to work with data regarding US persons due to Privacy Act considerations. If we find data on US citizens in consoles purchased overseas, we remove the data from our corpus."
Getting data out of these systems is hard. A peek at the Ars Technica article reveals a host of quotes from frustrated investigators who’ve tried.
It’s certainly not impossible, though. As Foreign Policy points out, there have already been hacks that enable spying on users of the Xbox Kinect, a video-enabled add-on that reads body movement for interactive gaming.
Should law enforcement agents be given the rights to spy on gaming users? Given the allure of catching pedophiles and terrorists, it’s hard to imagine they won’t inevitably be granted such rights, Privacy Act or no.
Again, Privacy Act or no, it’s also naïve to think that law enforcement wouldn’t go ahead and use whatever spying technology they get out of the Obscure Technologies deal to hack into US citizens’ devices, given the rise of warrantless eavesdropping.
It’s time to stop thinking that what’s said and done on a game console doesn’t matter.
DHS’s move makes this clear: If you don’t want your conversations or activities monitored, don’t assume that a gaming console is going to keep them out of the increasingly watchful eye of the government.