Chris Soghoian began his recently published dissertation with a quote from George Orwell. It was a natural introduction, as perhaps no other privacy researcher so closely follows Big Brother.
So much so that the American Civil Liberties Union (ACLU) recently hired the 31-year-old as its principal technologist and a senior policy analyst with its Speech, Privacy and Technology Project. The organization has never had a technologist on staff before. For years a provocative figure in the security community, Soghoian now has the ACLU's legal muscle behind his particular brand of activism.
Since his early twenties, Soghoian has highlighted the misdeeds of large companies and the federal government in violating the privacy of their consumers and citizens. Wired called him a Ralph Nader for the internet age – which is to say, the age of the Patriot Act, the NSA's illegal wiretap program and the unprecedented spying on American citizens. This year, Soghoian earned his Ph.D. at Indiana University – his dissertation analyzed how telecom companies assist law enforcement surveillance of their customers – and held fellowships with TEDGlobal and the Open Society Foundation.
Occupation: principal technologist, Speech, Privacy & Technology Project, American Civil Liberties Union
College: Indiana University, Ph.D.
Accomplishments: TR35 2012 (MIT Tech Review 35 Innovators under 35), TEDGlobal 2012 Fellow, Open Society Foundations Fellow (2011-2012)
The ACLU offers Soghoian something of a crossover platform, and at the same time, he will push the organization into joining court cases involving privacy.
“You'll see a theme to my work,” Soghoian says. “I take things that are widely known to computer scientists, but not known outside the community, and I take them to the public.”
Soghoian's muckraking has come out in his high-wire productions over the years – publicly shaming companies which abuse their consumers' privacy. Among his targets have been Google, Facebook, Dropbox, Mozilla Firefox, Twitter, Sprint Nextel and, most famously, the Transportation Security Administration (TSA).
“The pressure has to go on the big boys,” he says. “Consumers don't really know how their data is handled. And these security practices are usually indefensible. Once you bring that into the sunlight, the company cannot defend that. It's the threat of embarrassment that makes these companies change.”
However, Soghoian's activism has become more strategic in nature too. “He's matured,” says Markus Jakobsson, Soghoian's adviser at Indiana and the principal scientist of computer security for PayPal. “You could say he's found ways that are more effective. Sometimes direct confrontation isn't always good.”
“I'm not gonna lie,” Soghoian admits, “I love shaming people. I love throwing fire at companies. Changing company behavior by myself or with a group of activists is very rewarding.” But the “shame route,” he adds, “is sometimes not the most effective method either. You can sometimes be more effective talking over cocktails.”
Soghoian lives in Washington, D.C., and can be found working back channels – for example, meeting with Congressional staffers or employees at technology companies – to inform his work and target his activism. Parts of his dissertation, because of the sensitivity of government surveillance, were based on anonymous sources, which is unprecedented in computer science academia, according to Jakobsson.
Soghoian was born in San Francisco in 1981. When he was a year old, his family – his mother was a social worker and his father a jazz musician and computer engineer – moved to London. At 11, he was using the King's College London computer lab, and in his early teens attending evening classes in computer science at a community college. He finished high school at 16 and enrolled at James Madison University in Virginia to study computer science, where he navigated his way into graduate-level security classes.
In 2006, after he enrolled in the Ph.D. program at Indiana University Bloomington's School of Informatics and Computing, he had what he calls his formative experience. As he was returning from the Burning Man festival in Nevada, TSA agents at the airport in Reno told him he couldn't take his Middle Eastern lunch through security, and a terse exchange followed.
Back in Bloomington, he set out to expose what he saw as the ridiculousness of TSA protocols. He realized he could doctor a recent Northwest Airlines e-ticket he had saved on his PC. In a blog post, “Paging Osama, please meet your party at the information desk,” he listed 10 easy steps to bypass the FBI's no-fly list.
Soghoian alerted the media and the stunt became a sensation. At two in the morning the next day, the FBI smashed in his door and seized his computer and personal documents. Soghoian was never charged. Jakobsson had encouraged Soghoian to take law courses at Indiana, and after this incident he did so in haste. His academic focus fixed on monitoring government surveillance.
He accepted a fellowship at Harvard's Berkman Center and learned the art of Freedom of Information Act requests. In 2009, he was hired as the first staff technologist at the Federal Trade Commission's Division of Privacy and Identity Protection. During this time, at a security conference informally known as the Wiretapper's Ball, Soghoian secretly recorded a Sprint Nextel executive boasting about handing over user location data to law enforcement agencies some eight million times. The Colbert Report, among others, ran with the tape.
Continuing in this vein, his dissertation detailed how government surveillance is outsourced to the private sector. In June, disclosures from a wireless communications carrier revealed that it received about 1.5 million requests per year from U.S. law enforcement agencies. Unknown is the number of requests to internet companies, grocery stores, pharmacies, transit companies, banks, etc.
Already well aware of the scope of surveillance, Soghoian admits that this revelation caused his jaw to drop. “It's shocking and disgusting and should give everyone cause for concern,” he says.
However, for Soghoian, this is not a technical issue, but one with political and business significance. The same goes for his other current causes – the black market for software security exploits, or government's use of “stingray” devices to track a suspect's location. Or why, for instance, internet companies took years to roll out existing SSL for their email services. “These are business and policy issues wrapped in a thin layer of technology,” he says, “and my role is piercing that thin layer.”