The Department of Homeland Security is trying to hack into your Xbox. Should gamers be worried?
Recent years have brought reports of the U.S. government eavesdropping on phone conversations, e-mails, even tweets — all in the name of fighting terrorism. But surely your Xbox must be safe from the prying eyes of Big Brother?
Not for long. You might not immediately think that slaying dragons or driving like a maniac through virtual streets is all that interesting to intelligence agents, but the U.S. government believes there might be law enforcement gold on your Xbox. Government researchers say that hacking into consoles will allow police to catch pedophiles and terrorists. Meanwhile, privacy advocates worry that gamers may leave sensitive data — and not just credit card information — on their Nintendos without knowing it.
At the cutting edge of this development is Obscure Technologies, a small San Francisco-based company that performs computer forensics and which has just been awarded a $177,237 sole-source research contract to develop "hardware and software tools that can be used for extracting data from video game systems," and "a collection of data (disk images; flash memory dumps; configuration settings) extracted from new video game systems and used game systems purchased on the secondary market," according to the contract award from the U.S. Navy. (Law enforcement agencies contacted the Department of Homeland Security’s Science and Technology Directorate for help on a tool to examine gaming console data. The Department of Homeland Security (DHS) then asked the Naval Postgraduate School (NPS) to execute the contract and spearhead the research because of the expertise of Simson Garfinkel, a computer science professor at the NPS in Monterrey, Calif. — hence the U.S. Navy contract.)
The project, called the "Gaming Systems Monitoring and Analysis Project," originated in 2008, when law enforcement authorities were concerned about pedophiles using video game consoles to find victims. "Today’s gaming systems are increasingly being used by criminals as a primary tool in exploiting children and, as a result, are being recovered by U.S. law enforcement organizations during court-authorized searches," says Garfinkel, a computer forensics expert. Indeed, the FBI warns that pedophiles often use online gaming forums as their hunting grounds. However, "there is a suspicion" that terrorists are also using online games to communicate, says John Verrico, spokesman for DHS’s Science and Technology Directorate. While homeland security is the primary DHS mission, it also supports domestic law enforcement and first responders, Verrico says.
The ultimate goal is to "improve the current state-of-the-art of computer forensics by developing new tools for extracting information from popular game systems, and by building a corpus of data from second-hand game system that can be used to further the development of computer forensic tools," Garfinkel said in an email to Foreign Policy. Though the research is being overseen by NPS, the contract award states that the tools developed by Obscure will be delivered to DHS.
Monitoring gaming consoles is harder than you might think. Consoles such as the Microsoft Xbox 360, Sony Playstation 3, and Nintendo Wii encrypt their devices to prevent piracy and tampering. Indeed, the contract states that "analysis of the game systems requires specific knowledge of working with the hardware of embedded systems that have significant anti-tampering technology." But this is more than hacking; the government wants tools that can apply computer forensics, which look for legally admissible evidence, to consoles.
While there have been some attempts to use computer forensics on consoles, researchers say this is relatively new ground. The DHS project is "exploratory research and development," said Obscure Technologies president Greg May. "It will be interesting to see, because it’s new to us as well. A lot of this stuff hasn’t been done. We’re not sure how complicated it is."
Of course, what the government is interested in is not the game itself, but the platform — and the way you use it. Video game consoles have evolved beyond simple entertainment machines into powerful all-purpose devices that are used to watch movies, post on Facebook, or — more important to an FBI or CIA agent — chat with other players. "You wouldn’t intentionally store sensitive data on a console," says Parker Higgins, a spokesman for the online privacy group, the Electronic Freedom Foundation (EFF). "But I can think of things like connection logs and conversation logs that are incidentally stored data. And it’s even more alarming because users might not know that the data is created."
"These consoles are being used as general purpose computers," Higgins adds. "And they’re used for all kinds of communications. The Xbox has a very active online community where people communicate. It stands to reason that you could get sensitive and private information stored on the console."
Thing about it: Your Nintendo Wii might tell government investigators when you were connected to the Internet, who you were talking to, what you were saying, and what you were playing. "Taken in context, it could end up revealing more than you expect," Higgins warns. There have already been hacks that could allow for spying on users of the Xbox Kinect, a video-enabled add-on that reads body movement for interactive gaming.
DHS is aware of the domestic privacy issues, which is why it says it intends to target consoles from overseas. "This project requires the purchasing of used video game systems outside the U.S. in a manner that is likely to result in their containing significant and sensitive information from previous users," states the contract. Why go abroad? "We do not wish to work with data regarding U.S. persons due to Privacy Act considerations," says Garfinkel. "If we find data on U.S. citizens in consoles purchased overseas, we remove the data from our corpus."
So will console game manufacturers cooperate with government efforts to break into their devices or will they construct bigger and better firewalls? Neither Microsoft, Sony, Nintendo nor the Entertainment Software Association responded to questions from FP, but the Electronic Freedom Foundation’s Higgins believes that the issue of console privacy and security has been neglected because consoles are dismissed as gaming toys. "I’ve spoken with privacy people at Microsoft, and they’re aware that it’s something that can be personal and sensitive. If you don’t use Xbox, you might think it’s just a frivolous video game. But a lot of real communication happens between people in this form. Just because it’s a form associated with games doesn’t mean it deserves less privacy protection."
Gamers may not have much choice in the matter. Unlike regular computers, whose users can install security software, gamers can’t just install an anti-virus program like McAfee or spyware monitoring software. And jailbreaking (modifying) a console runs afoul of the Digital Millennium Copyright Act, which bars circumvention of copyright protection technology. The EFF is lobbying the U.S. Copyright Office for an exemption that would allow users to add essential software such as security programs to their game consoles, smartphones, and tablets.
With pedophiles using consoles as a means to lure victims, or terrorists possibly using them to communicate, it was probably inevitable that video game consoles would be targeted by law enforcement. Indeed, in an era when the National Security Agency can conduct warrantless electronic searches of your email, it is naive to assume that video games would be exempt. There is a powerful case to be made for giving the government the technical means to collect evidence from consoles.
There is also good reason to worry. Numerous cases of illegal wiretaps, as well as surveillance of various political and ethnic groups for dubious reasons, are grounds for suspicion. The issue here may not be just one of privacy, but also of alertness. Those who are concerned about eavesdropping on their voice and email communications may be surprised to discover that their video games are no less secure. And who knows whether some violent trash talk by a teenage video gamer will trigger an alarm in a government surveillance computer?
The sad truth is: When it comes to crime and punishment, even video games aren’t games anymore.