Every Christopher Soghoian production follows a similar pattern, a series of orchestrated events that lead to the public shaming of a large entity—Google, Facebook, the federal government—over transgressions that the 30-year-old technologist sees as unacceptable violations of privacy. Sometimes he discovers these security flaws by accident, other times because someone has pissed him off, but mostly because he’s parked at his computer all day looking for security flaws.
When he finds one, Soghoian, a PhD candidate in computer science at Indiana University Bloomington, learns everything he can about it and devises what he sees as a viable solution. Then he alerts the offending party and gives them a chance to fix things, explaining that if they don’t, he’ll go public with his discovery. (OK, sometimes he skips the give-them-a-chance step.) When the inevitable wave of media coverage starts breaking, Soghoian is often the first expert that reporters turn to for sound bites—about stories he has effectively handed them. In the end, the security holes get patched, and Soghoian gets more notoriety and more work. He’s vertically integrated.
“If Chris Soghoian points out a technology-related privacy problem, then it should probably be taken seriously,” says Marcia Hofmann, a senior staff attorney at San Francisco-based Electronic Frontier Foundation, which tackles free speech and privacy issues. “Nobody else is doing what Chris does—at least not at his level.”
Consider Gmail. Eve...