Christopher Soghoian | |
---|---|
Born | 1981 (age 30–31) San Francisco, California |
Residence | Washington, DC, United States |
Alma mater | |
Occupation | Researcher, activist, and blogger |
Known for | Security and privacy activism |
Website | |
www.dubfire.net/ |
Christopher Soghoian is a Washington, DC based researcher, activist, blogger, and Ph.D. Candidate at Indiana University. He first gained notoriety in 2006 as the creator of a website that generated fake airline boarding passes. Since that incident, he has continued to engage in high-profile activism related to privacy and computer security. Between 2009 and 2010, he worked for the US Federal Trade Commission as the first ever in-house technical advisor to the Division of Privacy and Identity Protection.[1] Soghoian is a Open Society Foundation fellow [2]
Contents |
Soghoian received a B.S. from James Madison University (Computer Science) and a Masters from the Information Security Institute of Johns Hopkins University (Security Informatics; May 2005).[3]
On October 26, 2006, Soghoian created a website that allowed visitors to generate fake boarding passes for Northwest Airlines. While users could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama Bin Laden.
Soghoian claimed that his motivation for the website was to focus national attention on the ease with which a passenger could evade the no-fly lists.[4] Information describing the security vulnerabilities associated with boarding pass modification had been widely publicized by others before, including Senator Charles Schumer (D-NY)[5] [6] and security expert Bruce Schneier, [7] but Soghoian received media attention for posting a program on his website to enable the automatic production of modified boarding passes.
At 2 AM on October 28, 2006, his home was raided by agents of the FBI to seize computers and other materials. [8] Soghoian's Internet Service Provider voluntarily shut down the website, after it received a letter from the FBI claiming that the site posed a national security threat.[9] The FBI closed the criminal investigation in November 2006 without filing any charges. [10] The TSA also initiated a civil investigation in December 2006, [11][12] which was closed without any charges being filed in June 2007. [13][14]
In May 2011, Soghoian was approached by public relations firm Burson-Marsteller and asked to write an anti-Google op-ed, criticizing the company for privacy issues associated with its social search product. Soghoian refused, and instead published the email conversation. A subsequent investigation by journalists revealed that the PR firm, which had refused to identify its client to Soghoian, had been retained by Facebook.[15]
In May 2011, Soghoian filed a complaint with the FTC, in which he claimed that online backup service Dropbox was deceiving its customers about the security of its services.[16] Soon after Soghoian first publicly voiced his concerns, Dropbox updated its terms of service and privacy policy to make it clear that the company does not in fact encrypt user data with a key only known to the user, and that the company can disclose users' private data if forced to by law enforcement agencies.
In December 2009, Soghoian released an audio recording he made at a closed-door surveillance industry conference. In the recording, an executive from Sprint Nextel revealed that the company had created a special website through which law enforcement agents can obtain GPS information on subscribers and that the website had been used to process 8 million requests during the previous year. A Sprint spokesperson later clarified that the number reflected the number of individual "pings" for location, not unique individuals under surveillance.[17]
In December 2009, Soghoian released a letter written by lawyers for Yahoo!, objecting to the release of documents detailing how much the company charges for government requested surveillance activities. In the letter, Yahoo!'s attorneys argued that: "[T]he [pricing] information, if disclosed, would be used to 'shame' Yahoo! and other companies – and to 'shock' their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies." [18] When a copy of the price list subsequently appeared on Cryptome, Yahoo! sent a DMCA takedown request to the website in an attempt to force the removal of the information.[19]
In June 2009, Soghoian published an open letter [20] to Google that was signed by an additional 37 prominent security and privacy experts, urging the company to protect the privacy of its customers by enabling SSL encryption by default for Gmail and its other cloud based services.[21] In January 2010, Google enabled SSL by default for users of Gmail,[22] and in May 2010, the company announced that it would soon offer SSL encryption for search (although not enabled by default).[23] One month after Google started to encrypt Gmail traffic, the Iranian government blocked all domestic access to the service, an action motivated by the fact the government can no longer monitor Gmail communications.[24]
In February 2007, Soghoian announced that a TSA website was collecting private passenger information in a highly insecure manner.[25] The website was intended to provide a way for passengers to file disputes in the event that they were incorrectly included on the No fly list. Passengers who submitted their information through the website were at risk of identity theft. TSA shut down, fixed and then relaunched the website within days, after the press was tipped to the story by Soghoian. [26]
In January 2008, The House Committee on Oversight and Government Reform issued a report on the incident, the result of investigation.[27]
The report stated that the flawed website had operated insecurely for over four months during which over 247 people had submitted personal information using the insecure web-forms.[28] According to the report, the TSA manager responsible for assigning the contract was a high-school friend and former employee of the owner of the firm that created the website.[29] The report also noted that "neither [the private contractor] nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay [the private contractor] to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."[30]