35 Innovators Under 35
Christopher Soghoian, 30
On a tear against bad privacy practices online, he urges companies to change the way they operate—and sounds alarms if they don’t.
American Civil Liberties Union
Christopher Soghoian sniffs out security holes and privacy shortcomings on the Web. Then he urges companies that are responsible—Google, AT&T, and Dropbox have been among them—to halt practices that put consumers’ personal information at risk. If they don’t, he’ll write about the flaws publicly and try to get regulators to crack down. “I see myself as a combination horse whisperer and Paul Revere–type character,” he says.
Soghoian’s credentials as a computer scientist are substantial—he helped develop the Do Not Track mechanism that lets people prevent websites from following their online activity—but most of his work relies on techniques that suggest Woodward and Bernstein more than a basement hacker: he seeks information by filing Freedom of Information Act requests or cajoling corporate lawyers and congressional aides over late-night beers in Washington, D.C.
Insinuating himself into the world of Washington as a privacy gadfly didn’t come easily to Soghoian, 30, an earnest geek with a beard and a ponytail. “I didn’t own a suit until 2009,” he says. Wearing one to face executives and lawyers is “not pleasant,” he adds. But he has learned that his impact as a security researcher is much greater if he steps into power corridors and directly addresses the people there.
That lesson began in 2006. Soghoian, then a grad student at Indiana University, wrote a blog post about how easily someone could gin up a legitimate-appearing boarding pass to get past airport security checkpoints. To prove the point, he put a widget on his blog that made it possible for people to create their own. That inflamed the Homeland Security apparatus, and the FBI seized his computers for a month. When the furor subsided, a few rational officials in Washington pointed out that Soghoian was actually helping the Transportation Security Administration by identifying a flaw in its defenses. The episode taught him that if he framed his message in the right way, he could get people to listen.
In 2009, while working as a student fellow at Harvard’s Berkman Center for Internet and Society, Soghoian led an effort to get Google to turn on SSL encryption in Gmail by default. SSL, the technique used to secure banking and e-commerce websites, essentially ensures that people using Gmail in a public Wi-Fi café aren’t vulnerable to having their accounts plundered by criminals. After Soghoian and 36 cosigners wrote an open letter to then-CEO Eric Schmidt, Google eventually said it would indeed turn on SSL by default. This doesn’t make Gmail totally private: law enforcement can still subpoena Google for an unencrypted look at the contents. But it does ensure that political dissidents’ e-mail is out of the reach of repressive governments with which Google doesn’t coöperate. Because of that, “if I’m 5 percent responsible for Google turning on SSL, it’s the most important thing I’ve done in my life,” Soghoian says. Today he’s lobbying for SSL to become the default setting on other online services, notably Facebook. (Facebook spokesman Frederic Wolens says the company is working on it; in the meantime, SSL is available to Facebook users who activate it themselves.)
In 2009, Soghoian stepped a bit too far into the establishment for his comfort: he became a staff technologist for the U.S. Federal Trade Commission. In October of that year, he went to a telecom-industry event and recorded a Sprint Nextel executive explaining how often the company fed data about subscribers to law enforcement. To him, this is a crucial subject—his recently completed PhD dissertation is all about the ways that police get around outdated wiretapping laws by having telecommunications and Web companies do surveillance for them. He argues that these companies, without sufficient public recognition, have effectively replaced judges as arbiters of whether the authorities are acting appropriately. But that’s not entirely in the FTC’s purview—and in any case, Soghoian had made the secret recording after using his FTC badge to get into the closed event. He ultimately lost his job.
Now he’s probably found a more natural outlet for his work: in September he will become a principal technologist and senior policy analyst for the American Civil Liberties Union, where he plans to keep raising alarms about how easily law enforcement, spies, and criminals can delve into our ever-growing storehouses of personal data. “My goal,” he says, “is to move to a world where everybody has access to secure communication.”