Facebook's Portal Camera And The Growing Privacy Concerns Of Bringing Cameras Into Our Homes

This article is more than 5 years old.

10/9/2018 10AM: A Facebook spokesperson confirmed that the company does record the complete call history of communications made through Portal: "Portal calls are powered by Messenger – as such we collect the same info as we do on other Messenger-enabled devices. This includes information about the quality of the call or to inform your call history, for example." With respect to the ability of law enforcement to utilize Portal devices for remote surveillance, the company confirmed this could occur: "We may access, preserve and share information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. You can read our guidelines for law enforcement officials seeking records from Facebook in the Facebook Safety Center."

Smart devices that feature cameras and microphones and relay our commands to remote servers are becoming a staple of the modern home, embedding listening devices everywhere from our living rooms to our bedrooms. While the first wave of “smart speakers” focused exclusively on audio commands, second generation devices such as Facebook’s newly announced Portal are increasingly turning to cameras and posing even greater privacy concerns, especially surrounding the risk of the devices being hacked or turned over to law enforcement for remote exploitation.

Last October Amazon rolled out its Amazon Key service, a combination smart door lock and remote video camera that could be used by homeowners to allow Amazon to remotely unlock their front door and deliver packages inside their home. In the year since it debuted, it has largely generated positive headlines, with early adopters lauding it as a successful product to prevent package theft.

While Amazon’s extensive cybersecurity expertise means they have likely made their camera as secure as possible from remote hacking, the real question is not one of criminals compromising it, but rather of ways law enforcement and nation states could utilize it for mass scale remote surveillance. Armed with a court order, police and intelligence services could force Amazon to remotely activate a camera, recording who comes and goes from a given house. Even without the video footage itself, the metadata captured by the device regarding the residents’ daily patterns of life, when they typically leave for the day, how often people come and go from the residence and so on are all immensely useful. Yet, when asked what safeguards Amazon had built in to prevent law enforcement from remotely hijacking their devices, the company would not answer.

In similar fashion, Facebook’s new “Portal” hardware device appears on the surface to be a useful, if limited, smart device, bringing video conferencing to more users in a more seamless experience. Mindful of its battered privacy reputation, the company’s announcement of its new product went to great lengths to emphasize that it does not have access to the contents of calls.

Yet, missing from its extensive privacy documentation is the promise that it will not harvest call metadata from Portal devices. As the Snowden NSA disclosures documented, simply knowing who calls whom, how often and for how long is incredibly valuable information. Using Portal, even if Facebook does not have access to the contents of calls themselves, it still knows every person you call, when you call them and how long you talk for. Over time this call archive gives it exquisitely valuable data about who you keep in closest touch with, and based on the time of day you typically call them and the length of time you speak, it can estimate the role that person may play in your life.

Neither Facebook’s public statements nor its Portal privacy statement makes any mention of such metadata or of what the company’s rights are to use it. Its privacy policy does, though, offer one possible clue that the Portal is more than a neutral video conferencing system. Under the section on advertising it clarifies that “Portal does not have Facebook ads at this time. Some third-party services on Portal (e.g., music partners) may embed ads in their content in the same way they do when providing their services on other devices.” That Facebook notes only that the device does not carry ads “at this time” and that “partners” may embed ads offers hints of Facebook’s future ambitions for the device.

When asked whether Facebook will record such call metadata and what purposes it might use it for and what other ways it may collect data from the device, a spokesperson initially promised a response, but had not done so by the end of the day.

Ironically for a company whose founder famously tapes over his webcam to prevent remote recording, Facebook assures Portal users that they can physically disconnect its camera with a simple button press, but goes on to offer a physical camera cover as well, for its more paranoid users and for those who want audio service only. Unfortunately, while emphasizing that the camera button “physically disconnects the camera and microphone,” the interface for doing so is still in the form of a button that the user must trust is performing as promised and that there are no remote firmware bypasses that could turn it back on. For a company grappling with a massive security breach caused by its failure to spot a fundamental interaction failure, it is surprising that Facebook did not offer something more reassuring, such as physically separating the camera and microphone into their own unit and showing the user that the wires connecting them are physically disconnected, preventing even compromised firmware from reactivating them.

Similar to the Amazon Key, Facebook’s Portal system raises serious concerns about how easily law enforcement and intelligence services might repurpose them for mass surveillance from inside people’s houses. This raises the question of what safeguards the company has built into its system to prevent its misuse. If law enforcement, armed with a court order, demanded that Facebook remotely activate one of its Portal devices and allow police to live stream the inside of a person’s home, does the Portal have any hardware or software safeguards that would prevent this? What hardware protections are there against a skilled nation state adversary such as Russia remotely compromising the devices or using law enforcement cooperative agreements to spy on an American citizen? As with call metadata, the company did not respond with comment by the end of the day.

As smart devices increasingly invade our homes, we must simply blindly trust that the companies building the products have not made any security missteps and have built adequate safeguards to prevent them from being misused as surveillance devices. Moreover, given their reliance on remote cloud services, we must further trust that even if the device today has impeccable security, the company does not inadvertently introduce a complex bug a year from now during an update. After all, Facebook’s recent breach reminds us that even the biggest Silicon Valley companies with unimaginable security teams and budgets can still introduce bugs to their most secure systems that render all their other safeguards moot.

One way of regaining this trust would be for companies to build the camera and microphone components of their smart devices into physically separate packaging that features real wires being actually unplugged, with visual confirmation that the devices are entirely disconnected. While this wouldn’t fully assuage concerns that the units are operating on battery (though having transparent covers and minimizing the amount of hardware in the sensor pod could help), being able to see the devices physically unplugged would help reassure jittery consumers.

Putting this all together, we are increasingly inviting Orwellian surveillance devices into our homes, filling our most intimate spaces with internet-connected cameras and microphones and simply blindly trusting that those who built them didn’t make any security mistakes and won’t misuse the information they collect from them. Orwell’s telescreens seem quaint by comparison.