Christopher Soghoian

From Wikipedia, the free encyclopedia
Jump to: navigation, search
Christopher Soghoian
2013-12-29 30C3 - Christopher Soghoian 3145.JPG
Born 1981 (age 32–33)
San Francisco, California
Residence Washington, DC, United States
Alma mater
Occupation Researcher and activist
Known for Security and privacy activism

Christopher Soghoian is a Washington, DC based privacy researcher and activist. He first gained attention in 2006 as the creator of a website that generated fake airline boarding passes. Since that incident, he has continued to engage in high-profile activism related to privacy and computer security. He is currently the principal technologist and a senior policy analyst with the speech, privacy and technology project at the American Civil Liberties Union.

Between 2009 and 2010, he worked for the US Federal Trade Commission as the first ever in-house technical advisor to the Division of Privacy and Identity Protection.[1] While at the FTC, he assisted with investigations of Facebook, Twitter, MySpace and Netflix.


Soghoian, who holds British and US nationality,[2] received a B.S. from James Madison University (Computer Science; 2002), a Masters from Johns Hopkins University (Security Informatics; 2005), and a PhD from Indiana University (Informatics; 2012). His dissertation focused on the role that third party internet and telecommunications service providers play in facilitating law enforcement surveillance of their customers.[3]

He is currently a Visiting Fellow at Yale Law School's Information Society Project and a Fellow at the Center for Applied Cybersecurity Research at Indiana University. He was an Open Society Foundations Fellow between 2011 and 2012 and was a Student Fellow at the Berkman Center for Internet & Society at Harvard University between 2008 and 2009.

Boarding pass security[edit]

On October 26, 2006, Soghoian created a website that allowed visitors to generate fake boarding passes for Northwest Airlines. While users could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama Bin Laden.

Soghoian claimed that his motivation for the website was to focus national attention on the ease with which a passenger could evade the no-fly lists.[4] Information describing the security vulnerabilities associated with boarding pass modification had been widely publicized by others before, including Senator Charles Schumer (D-NY)[5][6] and security expert Bruce Schneier.[7] Soghoian received media attention for posting a program on his website to enable the automatic production of modified boarding passes.

On October 27, 2006, Senator Edward Markey called for Soghoian's arrest.[8] Two days later, he issued a revised statement stating that Soghoian should not go to jail, and that instead, the Department of Homeland Security should "put him to work" to fix the boarding pass security flaws.[9]

At 2 am on October 28, 2006, his home was raided by agents of the FBI to seize computers and other materials.[10] Soghoian's Internet Service Provider voluntarily shut down the website, after it received a letter from the FBI claiming that the site posed a national security threat.[11] The FBI closed the criminal investigation in November 2006 without filing any charges,[12] as did the TSA in June 2007.[13][14]

Consumer privacy research and activism[edit]

In May 2011, Soghoian was approached by public relations firm Burson-Marsteller and asked to write an anti-Google op-ed, criticizing the company for privacy issues associated with its social search product. Soghoian refused, and instead published the email conversation. A subsequent investigation by journalists revealed that the PR firm, which had refused to identify its client to Soghoian, had been retained by Facebook.[15]

In May 2011, Soghoian filed a complaint with the FTC, in which he claimed that online backup service Dropbox was deceiving its customers about the security of its services.[16] Soon after Soghoian first publicly voiced his concerns, Dropbox updated its terms of service and privacy policy to make it clear that the company does not in fact encrypt user data with a key only known to the user, and that the company can disclose users' private data if forced to by law enforcement agencies.

Soghoian is one of the three co-creators of the Do Not Track mechanism, along with security researchers Sid Stamm and Dan Kaminsky. In July 2009, Soghoian and Stamm created a prototype add-on for the Firefox web browser, implementing support for a new Do Not Track header.[17] In the three years that followed, all of the major web browsers added support for the header, which is currently being standardized by the W3C.[18]

In June 2009, Soghoian published an open letter[19] to Google that was signed by an additional 37 prominent security and privacy experts, urging the company to protect the privacy of its customers by enabling SSL encryption by default for Gmail and its other cloud based services.[20] In January 2010, Google enabled SSL by default for users of Gmail,[21] and subsequently for other products, including search (for signed in users).

Government surveillance research and activism[edit]

External video
Why Google won't protect you from big brother on YouTube, Christopher Soghoian, TED talks, May 21, 2012

In December 2009, Soghoian released an audio recording he made at a closed-door surveillance industry conference. In the recording, an executive from Sprint Nextel revealed that the company had created a special website through which law enforcement agents can obtain GPS information on subscribers and that the website had been used to process 8 million requests during the previous year.[22] That recording was subsequently cited by Alex Kozinski, Chief Judge of the Ninth Circuit Court of Appeals in U.S. v. Pineda-Moreno, in support of his view that "1984 may have come a bit later than predicted, but it's here at last."[23]

In December 2009, Soghoian released a letter written by lawyers for Yahoo!, objecting to the release of documents detailing how much the company charges for government requested surveillance activities. In the letter, Yahoo!'s attorneys argued that: "[T]he [pricing] information, if disclosed, would be used to 'shame' Yahoo! and other companies – and to 'shock' their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies."[24] When a copy of the price list subsequently appeared on Cryptome, Yahoo! sent a DMCA takedown request to the website in an attempt to force the removal of the information.[25]


  1. ^ Zetter, Kim (August 17, 2009). "Outspoken Privacy Advocate Joins FTC". Retrieved 2009-11-20. 
  2. ^ Brown, David. FBI foils student's air scam site The Times November 3, 2006
  3. ^ Soghoian, Christopher (August 1, 2012). "The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance". Retrieved 2012-12-23. 
  4. ^ Soghoian, Christopher (October 26, 2006). "Chris's NWA Boarding Pass Generator". Retrieved 2007-03-05. 
  5. ^ Schumer, Charles E. (February 13, 2005). "Schumer reveals new gaping hole in air security". Archived from the original on November 21, 2006. Retrieved 2006-11-30. 
  6. ^ Schumer, Charles E. (April 9, 2006). "Schumer Reveals: In Simple Steps Terrorists Can Forge Boarding Pass And Board Any Plane Without Breaking The Law!". Retrieved 2006-11-30. [dead link]
  7. ^ Schneier, Bruce (August 15, 2003). "Flying on Someone Else's Airplane Ticket". Crypto-Gram. Retrieved 2006-11-30. 
  8. ^ Singel, Ryan (October 27, 2006). "Congressman Ed Markey Wants Security Researcher Arrested". Wired News. Retrieved 2012-12-24. 
  9. ^ "Markey: Don't Arrest Student, Use Him To Fix Loopholes". Press Release. October 29, 2006. Retrieved 2012-12-24. 
  10. ^ Krebs, Brian (November 1, 2006). "Student Unleashes Uproar With Bogus Airline Boarding Passes". Washington Post. Retrieved 2006-11-30. 
  11. ^ Singel, Ryan (November 29, 2007). "Is A Gov Shutdown of a Website Without A Court Order Ilegal? Supreme Court Suggests Yes". Wired News. Retrieved 2008-03-05. 
  12. ^ "IU Student, Focus of FBI Probe, Speaks Out". Retrieved 2006-11-30. 
  13. ^ Kane, David (June 6, 2007). "Warning Notice, page 1". Transportation Security Administration. Retrieved 2007-07-23. 
  14. ^ Kane, David (June 6, 2007). "Warning Notice, page 2". Transportation Security Administration. Retrieved 2007-07-23. 
  15. ^ Helft, Miguel (May 13, 2011). "Facebook, Foe of Anonymity, Is Forced to Explain a Secret". The New York Times. Retrieved 2011-07-17. 
  16. ^ Singel, Ryan (May 13, 2011). "Dropbox Lied to Users About Data Security, Complaint to FTC Alleges". Wired News. Retrieved 2011-07-17. 
  17. ^ Soghoian, Christopher. "The History of the Do Not Track Header". Slight Paranoia. Retrieved February 22, 2012. 
  18. ^ "Tracking Protection Working Group". W3C. Retrieved February 22, 2012. 
  19. ^ Soghoian, Christopher (June 16, 2009). "An open letter to Google's CEO, Eric Schmidt". Retrieved 2009-06-20. 
  20. ^ Helft, Miguel (June 16, 2009). "Gmail to Get More Protection From Snoops". The New York Times – Bits Blog. Retrieved 2009-06-20. 
  21. ^ Schillace, Sam (January 12, 2010). "Default HTTPS Access For Gmail". The Official Gmail Blog. Retrieved 2010-05-15. 
  22. ^ Zetter, Kim (December 1, 2009). "Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year". Wired News. Retrieved 2010-05-15. 
  23. ^ United States v. Pineda-Moreno, 617 F.3d 1120 (9th Cir. 2010).
  24. ^ Zetter, Kim (December 1, 2009). "Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers". Wired News. Retrieved 2010-05-15. 
  25. ^ Zetter, Kim (December 4, 2009). "Yahoo Issues Takedown Notice for Spying Price List". Wired News. Retrieved 2010-05-15. 


External links[edit]