The Pest Who Shames Companies Into Fixing Security Flaws

Christopher Soghoian likes to find security flaws, and then shame big organizations into fixing them.
Photo: Graeme Mitchell

Every Christopher Soghoian production follows a similar pattern, a series of orchestrated events that lead to the public shaming of a large entity—Google, Facebook, the federal government—over transgressions that the 30-year-old technologist sees as unacceptable violations of privacy. Sometimes he discovers these security flaws by accident, other times because someone has pissed him off, but mostly because he’s parked at his computer all day looking for security flaws.

When he finds one, Soghoian, a PhD candidate in computer science at Indiana University Bloomington, learns everything he can about it and devises what he sees as a viable solution. Then he alerts the offending party and gives them a chance to fix things, explaining that if they don’t, he’ll go public with his discovery. (OK, sometimes he skips the give-them-a-chance step.) When the inevitable wave of media coverage starts breaking, Soghoian is often the first expert that reporters turn to for sound bites—about stories he has effectively handed them. In the end, the security holes get patched, and Soghoian gets more notoriety and more work. He’s vertically integrated.

“If Chris Soghoian points out a technology-related privacy problem, then it should probably be taken seriously,” says Marcia Hofmann, a senior staff attorney at San Francisco-based Electronic Frontier Foundation, which tackles free speech and privacy issues. “Nobody else is doing what Chris does—at least not at his level.”

Consider Gmail. Everything you send and receive through Google’s email servers is automatically encrypted using secure sockets layer, or SSL, which is indicated by the letters https at the beginning of a Gmail URL. It wasn’t always so. Google used to keep SSL off by default, since encryption can slow things down a bit, and it was left to users to figure out how to opt in for the extra security.

Soghoian interned at Google in the summer of 2006 and says that, like many Google employees, he was issued an encrypted laptop. He found it unacceptable that the company wasn’t offering the same level of protection to the public. So three years later, when a fellowship at Harvard’s Berkman Center for Internet & Society gave him access to free legal counsel and contacts to numerous tech-world leaders, he persuaded 36 of them, including Ronald Rivest (the R in the RSA encryption algorithm), to sign an open letter urging Google to make SSL the default. He sent the letter to reporters and to then-Google CEO Eric Schmidt.

Soghoian won’t claim direct credit, and Google won’t give it (or deny it). But hours after the letter was published, Google changed its position, claiming that it had been planning to make SSL the default for Gmail. Seven months later, it did so. “All of the privacy lawyers at the big Internet companies now have Chris on their radar,” says Caspar Bowden, a former Microsoft exec who recently moderated a panel on privacy organized by Soghoian. “He has a natural talent for bringing issues to a head, making real changes to corporate and government policies, and communicating the issues to the wider public. Organizations will probably feel bruised by the encounter but will realize in time they have been moved to a better place. Few people can do that, and Chris is a rare example of a genuinely strategic activist.”

The impression that Soghoian is trying to become a Ralph Nader for the Internet age is only strengthened by his personal style—rumpled, alternately charming and grumpy, as righteous as he is intelligent. He’s notoriously frugal; he bikes everywhere, and he lives in a basement room of a Washington, DC, house he shares with four roommates.

And he talks. A lot. With a slight British accent—the product of a childhood spent in London—he speaks in 1,000-word bursts with nary a like, y’know, or pause. Whether he’s talking to staffers on the Hill, presenting at conferences, or giving interviews, he’s direct, confident, focused, and unwavering. “I can walk into a room and explain how a cookie works or how geolocation tracking works or how encryption works or why data retention is a bad idea,” he says. “This is what I’m good at.”

Soghoian was born in San Francisco in 1981, his mother a social worker and his father a jazz musician and computer engineer. When Soghoian was a year old, the family moved to London, where his father had taken a job as a computer engineer.

He has been using computers for as long as he can remember. When Soghoian was 11, he persuaded his headmaster to sign paperwork that let him head over to the King’s College London computer lab, where he used email, jumped into Usenet groups, and explored the nascent World Wide Web. As a teen, he took evening classes in computer science at a community college. He finished high school at 16 and went to James Madison University in Virginia to study computer science. There he talked his way into a few graduate-level security classes, which piqued his interest in the field.

In 2006, Soghoian enrolled in the PhD program at Indiana University Bloomington’s School of Informatics and Computing. During the late summer of that year, the 25-year-old was en route to Indianapolis from that most public of venues, the Burning Man festival in Nevada, when privacy became a much more personal issue. At the airport in Reno, Transportation Security Administration agents told him he couldn’t take his Middle Eastern lunch through security. He wrote about it on his security-themed blog, Slight Paranoia.

Them: You can’t take these on board. They’re liquids.

Me: No. They’re solid foods. The hummous is more of a paste than a liquid.

Them: You can’t take it through.

Me: I realize that hummous and Al Qaeda come from the same part of the world, but, well, so does algebra.

Soghoian was pulled aside for a thorough search.

