Christopher Soghoian

Early Life and Education

Christopher Soghoian was born in 1981 and holds both British and American nationality. He earned a B.S. in Computer Science from James Madison University in 2002, followed by a Master's degree in Security Informatics from Johns Hopkins University in 2005. He completed his PhD in Informatics at Indiana University Bloomington in 2012. His doctoral dissertation examined the role that third-party internet and telecommunications service providers play in facilitating law enforcement surveillance of their customers.

Soghoian has held academic fellowships at several institutions, including a visiting fellowship at Yale Law School's Information Society Project and a Student Fellowship at the Berkman Center for Internet & Society at Harvard University. He is also a TED Senior Fellow and was previously an Open Society Foundations Fellow.

Career

Between 2009 and 2010, Soghoian served as the first in-house technical advisor to the Division of Privacy and Identity Protection at the US Federal Trade Commission, where he assisted with investigations involving Facebook, Twitter, MySpace, and Netflix. From 2012 to 2016, he was the principal technologist at the American Civil Liberties Union. He subsequently joined the office of Senator Ron Wyden as Senior Advisor for Privacy & Cybersecurity.

Notable Work and Research

Soghoian first attracted widespread public attention in October 2006 when he created a website that allowed users to generate fake airline boarding passes for Northwest Airlines. His stated intent was to highlight vulnerabilities in the No Fly List system. The site prompted then-Congressman Edward Markey to call for his arrest, and on October 28, 2006, FBI agents raided his home and seized computers. The FBI closed its criminal investigation in November 2006 without filing charges, and the Transportation Security Administration followed suit in June 2007.

In June 2009, Soghoian co-authored an open letter to Google alongside 37 security and privacy experts, urging the company to enable HTTPS encryption by default for Gmail and other cloud services. Google enabled HTTPS by default for Gmail in January 2010.

In December 2009, while employed at the FTC, Soghoian secretly recorded a closed-door surveillance industry conference. The recording revealed that Sprint Nextel had built a dedicated website through which law enforcement could obtain GPS data on subscribers, and that the site had processed approximately 8 million requests in the preceding year. The recording was later cited by Alex Kozinski, Chief Judge of the Ninth Circuit Court of Appeals, in his opinion in U.S. v. Pineda-Moreno. Soghoian was subsequently let go from the FTC following an inspector general investigation into his conduct.

In October 2010, he filed an FTC complaint alleging that Google was leaking user search queries to third-party websites. A class action lawsuit followed, extensively citing his complaint. Google halted the practice in October 2011 and settled the lawsuit in 2015 for $8.5 million.

In May 2011, Soghoian filed a separate FTC complaint alleging that Dropbox was misleading customers about the security of their stored data. Shortly after he raised the issue publicly, Dropbox updated its terms of service and privacy policy to clarify that it does not encrypt user data with a user-only key and that it can disclose data to law enforcement.

Also in May 2011, Soghoian was approached by public relations firm Burson-Marsteller and asked to write an op-ed critical of Google. He declined and published the email exchange instead. Subsequent reporting revealed that the firm had been retained by Facebook.

In a February 2012 public speech, Soghoian drew attention to the commercial market for zero-day security vulnerabilities, describing vendors of software exploits as "the modern-day merchants of death" selling "the bullets of cyberwar." His commentary contributed to broader mainstream coverage of the zero-day industry in subsequent years.

At DEF CON in August 2013, Soghoian presented findings about a dedicated FBI team responsible for delivering malware to surveillance targets, which he said he identified through redacted government documents and LinkedIn profiles of former FBI contractors. In October 2014, he highlighted the FBI's 2007 impersonation of the Associated Press to deliver malware to a teenager in Washington state, an action that drew condemnation from major news organizations.

Recognition

Soghoian's work has been covered by outlets including The Economist, Wired, and Forbes. His research has contributed to public and legislative debate on surveillance technologies, encryption standards, and corporate data practices.