Project Eavesdrop: An Experiment At Monitoring My Home Office
If someone tapped your Internet connection, what would they find out about you?
It's been just over a year since Edward Snowden became a household name, and his disclosures about the reach and extent of the National Security Agency's online monitoring programs led to headlines around the world.
But one big, basic question remains more or less unanswered: What exactly does the NSA's surveillance reveal?
To try to answer that question, I had my home office bugged.
Working with Sean Gallagher, a reporter at the technology site Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express, I had the Internet traffic into and out of my home office in Menlo Park, Calif., tapped. We installed something called a Pwn Plug to monitor the data flowing to and from my computer and mobile phone.
The box is a little wireless router that basically captures and copies all the traffic into and out of any device that connects to it. That data were sifted and analyzed by software automatically.
So for a little more than a week, Porcello and Gallagher stepped into the role of NSA analysts and spied on my work.
Back in early April I ushered Gallagher into my office, and together we connected my own personal Pwn Plug to my home network.
When my iPhone connected to the network, suddenly a torrent of data began flowing over the line. Porcello was monitoring my traffic in his office across the country in Vermont.
"Oh, jeez," he said. "You are not opening apps or anything?"
The iPhone was just sitting on my desk — I wasn't touching it. We watched as my iPhone pinged servers all over the world.
"It's just thousands and thousands of pages of stuff," Porcello said.
My iPhone sent Yahoo my location data as unencrypted text. The phone connected to NPR for email. It pinged Apple, then Google. There was a cascade of bits.
Over the next couple of weeks, Porcello and his colleague Oliver Weis — who goes by the name Awk — dug through those thousands of packets.
"A lot of times it's pretty easy to identify not only the type of device but the person," Weis says. "How many people's iPhones are named Steve's iPhone?"
And it wasn't hard to narrow which Steve at NPR (deduced thanks to the ping to NPR's mail) because the weather app pinpointed my location to Menlo Park.
In seconds, anyone watching would know I am not Steve Inskeep. I am Steve Henn.
"That's really the mind-blowing thing about this," Weis said. "People are walking around every day with these mobile computers in their pockets, and they have no idea what they are sending to the world."
So my week of surveillance began. I set about to do my job and live my life. I knew I was being watched and I could unplug at any time. But for the most part, I spent the week doing research for a story, tracking down people to talk to. And thousands of miles away, Gallagher and Porcello quietly watched.
Just as our experiment was wrapping up, Gallagher called — nearly giddy — to say he'd intercepted some tape — an uncut interview with a person in Iowa. The Pwn Plug had caught it as I pulled it down from the NPR server. It was sent over the Internet using an old, insecure system that has now been patched.
Then Gallagher told me what he thought that story was about.
"This was for ... that story you were doing on clean data centers, which we figured out you were doing based on your search traffic," Gallagher said.
He was right. Parts of the interview he captured would air later that day on NPR.
Google's search traffic is supposed to be encrypted, but the subject of my searches seeped out. Links to the sites I visited provided strong hints about what I was searching for.
Phrases like "who coined the term 'cloud computing' " gave Gallagher a good idea of what I was after.
And over the course of the preceding week, Porcello and Gallagher tracked me from website to website. But the real payoff came when the software that was automatically analyzing my Web traffic got down to business. It scoured the sites I visited looking for email addresses and telephone numbers.
"I had all your sources. I could have written that story for you," Gallagher said.
Web searches weren't the only thing that tripped me up. Almost every business or computer has some old software. Think about how you do expenses at work or when you last updated your audio player. Old programs leak data, too. Everyone has them.
Porcello says one weak link can spill your personal information out onto the Internet — in plain text. That's how they got a copy of my interview in Iowa. And that is why so many firms hire people like Porcello to monitor their Web traffic.
One Vs. Millions
In many ways this wasn't a fair test. Porcello and Gallagher were following only me, while the NSA collects data on millions of people around the world. But the software that Porcello used to parse, sort and organize information about my life and to scour my data searching for clues about my connections and interests makes it possible to automate passive surveillance and monitor many people at once. This kind of computerized monitoring can be used on a massive scale.
Following only me was child's play.
"I could have this analysis on an Android phone," Porcello said. When you are applying large-scale computing power and software that's designed to deal with big data to the problem, monitoring millions becomes possible.
Could The NSA Do This Legally?
If the NSA were monitoring me this way, would it be legal? The short answer is, it depends.
"As a former national security lawyer, when you're evaluating a particular request from the intelligence community to conduct a certain type of operation, the facts matter," said Carrie Cordero, a professor at Georgetown Law School who previously worked on national security issues at the Justice Department for close to a decade.
She says because I am a U.S. citizen, the only way the intelligence community could collect my data is with an order from the Foreign Intelligence Surveillance Court, known as FISA. From the beginning of the Snowden affair, the NSA has insisted that all of this collection has been done from within a pre-existing legal framework. Roughly, it works this way:
If you're living abroad and you're not a citizen of the United States, the NSA has a great deal of freedom to try to collect and analyze your data. If you're doing business with a U.S. company or using a U.S.-based service, any kind of bulk collection program has to be approved by the U.S. attorney general. If you're in the U.S. or are a U.S. citizen, no matter where you are in the world, this kind of collection is supposed to be subject to a FISA court order.