The first thing I noticed about Christopher Soghoian was the seal of the National Security Agency that’s emblazoned on his T-shirt. He wore it like a trophy of war.
“It’s an arms race, but it’s not fair,” he complained, while sipping tea in our Manhattan office. “The NSA has a US $10 billion-a-year budget. Those of us trying to resist them have a pathetic budget.”
Google, Facebook, and AT&T are just a few of the other mighty foes he’s challenged in the name of protecting the privacy of ordinary citizens. Soghoian is a technologist at the American Civil Liberties Union. The job was created just for him, a computer scientist with a well-deserved reputation for investigating digital invasions of privacy.
At the ACLU, Soghoian combines his investigative skills with public advocacy. His research often focuses on how telecommunications companies facilitate government surveillance, while his advocacy focuses on changing government policies and getting private companies to do a better job of guarding the interests of their customers.
This past year he revealed that an agent for the Federal Bureau of Investigation gathered information by pretending to be a reporter for the Associated Press (a charge the FBI defends as being legal). And in a recent Wall Street Journal account, he criticized a program in which U.S. federal marshals were flying small airplanes equipped with devices that mimic cell towers. When mobile phones in the vicinity “pinged” these devices, they thus gave away the identity and location of their users.
“He has as many opinions as a small village, most of them about privacy and freedom from surveillance,” says Markus Jakobsson, a computer security expert at Qualcomm who supervised Soghoian’s Ph.D. work at Indiana University Bloomington. “You can’t win every battle, but he’s won a great many of them. He has the ability to speak both with technical people and with policymakers, and this allows him to have much greater impact than many other researchers.”
“Half my day is spent in front of a computer,” says Soghoian. “Ten to 20 percent’s talking to reporters,” he adds, referring to his ongoing media campaigns against alleged violators of privacy. He says his campaigns sometimes work. In recent years, for example, major social networking companies have finally begun encrypting customers’ data. He reckons that his own role in that change was “10 percent.”
“I play the bad cop,” he says. “I tell them they have a problem, and I let them know that unless they fix it, I’ll make something of it. I show them these articles that have been written about me and let them draw their conclusions.”
Soghoian doesn’t restrict himself to U.S. transgressions. He sees plenty of privacy problems in Europe, too. And although Europeans are known for being more attuned to privacy, he rejects that notion. “Europeans are big into talking, but the debate over there on security and privacy is five years behind us.” For instance, he says, in October 2013 German chancellor Angela Merkel expressed outrage at the NSA for listening in on her telephone conversations. “I testified before the German parliament, told them to protect themselves,” he says. “More than a year after Merkelgate, the Germans have done nothing. It’s frustrating.”
Soghoian, 33, started out as a standard-issue computer nerd. After college he veered into computer security, getting a master’s degree in the subject at Johns Hopkins University in 2005. He was even offered (but did not accept) a fellowship from the U.S. government. “Then I found that the field was getting crowded, so I did a pivot into privacy.”
He went on to earn a doctorate in informatics at Indiana University. “I didn’t do theoretical work, didn’t do experimentation. My research methodology was to get lawyers drunk and tell me stories,” he says, most of them involving the illicit infringement of privacy. “My dissertation is filled with footnotes to anonymous sources—not your typical thing in computer science!”
In 2009, while finishing his dissertation, he took a job watching over consumer privacy for the Federal Trade Commission. “They are the good side of the government,” he says. “They don’t kick down doors, they don’t kill people—they protect people.”
A few months after joining the FTC, he used his government affiliation to get into a closed conference run by Intelligence Support Systems, a conference known as “the wiretappers’ ball.” The annual gathering attracts police, intelligence agents, Department of Homeland Security staff, and the representatives of the companies that sell to them.
There he tapped the tappers with a hidden recorder, catching one executive from Sprint Corp. saying that his company was so inundated with government requests to perform surveillance on customers that it had set up a self-service site for the police. The executive said the website got 8 million hits in the first year.
“I got back to my office and told my boss at the FTC, ‘You’ll never believe what I just learned,’ ” Soghoian recalls. Because his mandate was to investigate corporate invasions of privacy, not governmental ones, he couldn’t publish his discoveries. But later, when he wanted to include the scoop in his dissertation, the FTC gave its approval on the condition that he note it was his opinion, not the agency’s.
The story reverberated, reaching as far as Stephen Colbert, who featured it on his satirical television show. Later, Soghoian, along with Sid Stamm, a privacy engineer at Mozilla Corp., wrote up what he’d learned at the wiretappers’ ball in an article titled “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL.”
Exploits such as these led him, in 2012, to join the ACLU, a nonprofit organization that offers legal and other resistance to governmental intrusions on personal liberty. Meanwhile, Soghoian continues to write papers, mostly for law journals, to leave open the possibility of an academic career. “I have one coming out on the technology used to intercept telephone calls.”
What does Soghoian do to protect his own privacy? For one thing, he never buys a product that automatically connects directly to the Internet of Things. Instead he connects his devices with a dongle—an accessory that can be removed and, if necessary, replaced by a new, hack-resistant version. That’s what he did when he had a smart meter installed that lets him remotely adjust the air-conditioning in his Washington, D.C. home. “Otherwise, maybe years go by with no updates to [the product’s] security, and someone hacks in and uses the built-in minicam to snoop on you,” he says.
For another thing, he has chosen his employer carefully, reasoning that it would be “pretty stupid of the FBI to target someone at the ACLU.”
Surveillance by the state on anyone shouldn’t be an easy option, he adds. “I am sure that surveillance works, that it’s helpful—but efficiency isn’t an argument,” Soghoian says. “I get out of bed in the morning to make life more difficult for the FBI.”
This article was edited on 2 March 2015. Christopher Soghoian was offered a graduate fellowship from the U.S. government, not the National Security Agency. He turned down the fellowship.