Christopher Soghoian
Encyclopedia
Christopher Soghoian is a Washington, DC based researcher, activist, blogger
Blog
A blog is a type of website or part of a website supposed to be updated with new content from time to time. Blogs are usually maintained by an individual with regular entries of commentary, descriptions of events, or other material such as graphics or video. Entries are commonly displayed in...

, and Ph.D. Candidate at Indiana University. He first gained notoriety in 2006 as the creator of a website that generated fake airline boarding pass
Boarding pass
A boarding pass is a document provided by an airline during check-in, giving a passenger permission to board the airplane for a particular flight. As a minimum, it identifies the passenger, the flight number, and the date and scheduled time for departure...

es. Since that incident, he has continued to engage in high-profile activism related to privacy and computer security. Between 2009 and 2010, he worked for the US Federal Trade Commission
Federal Trade Commission
The Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...

 as the first ever in-house technical advisor to the Division of Privacy and Identity Protection.

Education

Soghoian received a B.S. from James Madison University
James Madison University
James Madison University is a public coeducational research university located in Harrisonburg, Virginia, U.S. Founded in 1908 as the State Normal and Industrial School for Women at Harrisonburg, the university has undergone four name changes before settling with James Madison University...

 (Computer Science) and a Masters from the Information Security Institute of Johns Hopkins University
Johns Hopkins University
The Johns Hopkins University, commonly referred to as Johns Hopkins, JHU, or simply Hopkins, is a private research university based in Baltimore, Maryland, United States...

 (Security Informatics; May 2005).

Boarding pass security

On October 26, 2006, Soghoian created a website that allowed visitors to generate fake boarding passes for Northwest Airlines
Northwest Airlines
Northwest Airlines, Inc. was a major United States airline founded in 1926 and absorbed into Delta Air Lines by a merger approved on October 29, 2008, making Delta the largest airline in the world...

. While users could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama Bin Laden
Osama bin Laden
Osama bin Mohammed bin Awad bin Laden was the founder of the militant Islamist organization Al-Qaeda, the jihadist organization responsible for the September 11 attacks on the United States and numerous other mass-casualty attacks against civilian and military targets...

.

Soghoian claimed that his motivation for the website was to focus national attention on the ease with which a passenger could evade the no-fly lists. Information describing the security vulnerabilities associated with boarding pass modification had been widely publicized by others before, including Senator Charles Schumer
Charles Schumer
Charles Ellis "Chuck" Schumer is the senior United States Senator from New York and a member of the Democratic Party. First elected in 1998, he defeated three-term Republican incumbent Al D'Amato by a margin of 55%–44%. He was easily re-elected in 2004 by a margin of 71%–24% and in 2010 by a...

 (D-NY)

and security expert Bruce Schneier
Bruce Schneier
Bruce Schneier is an American cryptographer, computer security specialist, and writer. He is the author of several books on general security topics, computer security and cryptography, and is the founder and chief technology officer of BT Managed Security Solutions, formerly Counterpane Internet...

, but Soghoian received media attention for posting a program on his website to enable the automatic production of modified boarding passes.

At 2 AM on October 28, 2006, his home was raided by agents of the FBI
Federal Bureau of Investigation
The Federal Bureau of Investigation is an agency of the United States Department of Justice that serves as both a federal criminal investigative body and an internal intelligence agency . The FBI has investigative jurisdiction over violations of more than 200 categories of federal crime...

 to seize computers and other materials. Soghoian's Internet Service Provider voluntarily shut down the website, after it received a letter from the FBI claiming that the site posed a national security threat. The FBI closed the criminal investigation in November 2006 without filing any charges. The TSA
Transportation Security Administration
The Transportation Security Administration is an agency of the U.S. Department of Homeland Security that exercises authority over the safety and security of the traveling public in the United States....

 also initiated a civil investigation in December 2006, which was closed without any charges being filed in June 2007.

Privacy research and activism

In May 2011, Soghoian was approached by public relations firm Burson-Marsteller
Burson-Marsteller
Burson-Marsteller is a global public relations and communications firm headquartered in the United States. Burson-Marsteller operates 67 wholly owned offices and 71 affiliate offices in 98 countries across six continents...

 and asked to write an anti-Google op-ed, criticizing the company for privacy issues associated with its social search product. Soghoian refused, and instead published the email conversation. A subsequent investigation by journalists revealed that the PR firm, which had refused to identify its client to Soghoian, had been retained by Facebook.

In May 2011, Soghoian filed a complaint with the FTC, in which he claimed that online backup service Dropbox was deceiving its customers about the security of its services. Soon after Soghoian first publicly voiced his concerns, Dropbox updated its terms of service and privacy policy to make it clear that the company does not in fact encrypt user data with a key only known to the user, and that the company can disclose users' private data if forced to by law enforcement agencies.

In December 2009, Soghoian released an audio recording he made at a closed-door surveillance industry conference. In the recording, an executive from Sprint Nextel
Sprint Nextel
Sprint Nextel Corporation is an American telecommunications company based in Overland Park, Kansas. The company owns and operates Sprint, the third largest wireless telecommunications network in the United States, with 53.4 million customers, behind Verizon Wireless and AT&T Mobility...

 revealed that the company had created a special website through which law enforcement agents can obtain GPS information on subscribers and that the website had been used to process 8 million requests during the previous year. A Sprint spokesperson later clarified that the number reflected the number of individual "pings" for location, not unique individuals under surveillance.

In December 2009, Soghoian released a letter written by lawyers for Yahoo!, objecting to the release of documents detailing how much the company charges for government requested surveillance activities. In the letter, Yahoo!'s attorneys argued that: "[T]he [pricing] information, if disclosed, would be used to 'shame' Yahoo! and other companies – and to 'shock' their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies." When a copy of the price list subsequently appeared on Cryptome
Cryptome
Cryptome is a website hosted in the United States since 1996 by independent scholars and architects John Young and Deborah Natsios that functions as a repository for information about freedom of speech, cryptography, spying, and surveillance...

, Yahoo! sent a DMCA takedown request to the website in an attempt to force the removal of the information.

In June 2009, Soghoian published an open letter to Google
Google
Google Inc. is an American multinational public corporation invested in Internet search, cloud computing, and advertising technologies. Google hosts and develops a number of Internet-based services and products, and generates profit primarily from advertising through its AdWords program...

 that was signed by an additional 37 prominent security and privacy experts, urging the company to protect the privacy of its customers by enabling SSL encryption by default for Gmail and its other cloud based services. In January 2010, Google enabled SSL by default for users of Gmail, and in May 2010, the company announced that it would soon offer SSL encryption for search (although not enabled by default).
One month after Google started to encrypt Gmail traffic, the Iranian government blocked all domestic access to the service, an action motivated by the fact the government can no longer monitor Gmail communications.

Congressional investigation into TSA website flaws

In February 2007, Soghoian announced that a TSA
Transportation Security Administration
The Transportation Security Administration is an agency of the U.S. Department of Homeland Security that exercises authority over the safety and security of the traveling public in the United States....

 website was collecting private passenger information in a highly insecure manner. The website was intended to provide a way for passengers to file disputes in the event that they were incorrectly included on the No fly list
No Fly List
The No Fly List is a list, created and maintained by the United States government's Terrorist Screening Center , of people who are not permitted to board a commercial aircraft for travel in or out of the United States. The list has also been used to divert away from U.S. airspace aircraft not...

. Passengers who submitted their information through the website were at risk of identity theft. TSA shut down, fixed and then relaunched the website within days, after the press was tipped to the story by Soghoian.

In January 2008, The House Committee on Oversight and Government Reform issued a report on the incident, the result of investigation.

The report stated that the flawed website had operated insecurely for over four months during which over 247 people had submitted personal information using the insecure web-forms. According to the report, the TSA manager responsible for assigning the contract was a high-school friend and former employee of the owner of the firm that created the website. The report also noted that "neither [the private contractor] nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay [the private contractor] to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."

External links

  • Soghoian's homepage
  • Soghoian's blog
  • Soghoian's CNET Blog (2007–2009)
  • Press release from Congressman Ed Markey
    Ed Markey
    Edward John "Ed" Markey is the U.S. Representative for , serving since 1976. He is a member of the Democratic Party. The district includes most of Boston's northern and western suburbs, such as Medford and Framingham. Markey is the Dean of both the Massachusetts and New England House delegations...

     arguing against Soghoian's arrest
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK