All Tech Considered
Tue June 10, 2014
Project Eavesdrop: An Experiment At Monitoring My Home Office
Originally published on Fri June 13, 2014 12:55 pm
If someone tapped your Internet connection, what would he find out about you?
It's been just over a year since Edward Snowden became a household name, and his disclosures about the reach and extent of the National Security Agency's online monitoring programs led to headlines around the world.
But one big, basic question remains more or less unanswered: What exactly does the NSA's surveillance reveal?
To try to answer that question, I had my home office bugged.
Working with Sean Gallagher, a reporter at the technology site Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express, I had the Internet traffic into and out of my home office in Menlo Park, Calif., tapped. We installed something called a Pwn Plug to monitor the data flowing to and from my computer and mobile phone.
The box is a little wireless router that basically captures and copies all the traffic into and out of any device that connects to it. That data was sifted and analyzed by software automatically.
So for a little more than a week, Porcello and Gallagher stepped into the role of NSA analysts and spied on my work.
Back in early April I ushered Gallagher into my office, and together we connected my own personal Pwn Plug to my home network.
When my iPhone connected to the network, suddenly a torrent of data began flowing over the line. Porcello was monitoring my traffic in his office across the country in Vermont.
"Oh, jeez," he said. "You are not opening apps or anything?"
The iPhone was just sitting on my desk — I wasn't touching it. We watched as my iPhone pinged servers all over the world.
"It's just thousands and thousands of pages of stuff," Porcello said.
My iPhone sent Yahoo my location data as unencrypted text. The phone connected to NPR for email. It pinged Apple, then Google. There was a cascade of bits.
Over the next couple of weeks, Porcello and his colleague Oliver Weis — who goes by the name Awk — dug through those thousands of packets.
"A lot of times it's pretty easy to identify not only the type of device but the person," Weis says. "How many people's iPhones are named Steve's iPhone?"
And it wasn't hard to narrow down which Steve at NPR (deduced thanks to the ping to NPR's mail) because the weather app pinpointed my location to Menlo Park.
In seconds, anyone watching would know I am not Steve Inskeep. I am Steve Henn.
"That's really the mind-blowing thing about this," Weis said. "People are walking around every day with these mobile computers in their pockets, and they have no idea what they are sending to the world."
So my week of surveillance began. I set about to do my job and live my life. I knew I was being watched and I could unplug at any time. But for the most part, I spent the week doing research for a story, tracking down people to talk to. And thousands of miles away, Gallagher and Porcello quietly watched.
Just as our experiment was wrapping up, Gallagher called — nearly giddy — to say he'd intercepted some tape — an uncut interview with a person in Iowa. The Pwn Plug had caught it as I pulled it down from the NPR server. It was sent over the Internet using an old, insecure system that has now been patched.
Then Gallagher told me what he thought that story was about.
"This was for ... that story you were doing on clean data centers, which we figured out you were doing based on your search traffic," Gallagher said.
He was right. Parts of the interview he captured would air later that day on NPR.
Google's search traffic is supposed to be encrypted, but the subject of my searches seeped out. Links to the sites I visited provided strong hints about what I was searching for.
Phrases like "who coined the term 'cloud computing'" gave Gallagher a good idea of what I was after.
And over the course of the preceding week, Porcello and Gallagher tracked me from website to website. But the real payoff came when the software that was automatically analyzing my Web traffic got down to business. It scoured the sites I visited looking for email addresses and telephone numbers.
"I had all your sources. I could have written that story for you," Gallagher said.
Web searches weren't the only thing that tripped me up. Almost every business or computer has some old software. Think about how you do expenses at work or when you last updated your audio player. Old programs leak data, too. Everyone has them.
Porcello says one weak link can spill your personal information out onto the Internet — in plain text. That's how they got a copy of my interview in Iowa. And that is why so many firms hire people like Porcello to monitor their Web traffic.
One Vs. Millions
In many ways this wasn't a fair test. Porcello and Gallagher were following only me, while the NSA collects data on millions of people around the world. But the software that Porcello used to parse, sort and organize information about my life and to scour my data searching for clues about my connections and interests makes it possible to automate passive surveillance and monitor many people at once. This kind of computerized monitoring can be used on a massive scale.
Following only me was child's play.
"I could have this analysis on an Android phone," Porcello said. When you are applying large-scale computing power and software that's designed to deal with big data to the problem, monitoring millions becomes possible.
Could The NSA Do This Legally?
If the NSA were monitoring me this way, would it be legal? The short answer is, it depends.
"As a former national security lawyer, when you're evaluating a particular request from the intelligence community to conduct a certain type of operation, the facts matter," said Carrie Cordero, a professor at Georgetown Law School who previously worked on national security issues at the Justice Department for close to a decade.
She says because I am a U.S. citizen, the only way the intelligence community could collect my data is with an order from a FISA court. From the beginning of the Snowden affair, the NSA has insisted that all of this collection has been done from within a pre-existing legal framework. Roughly, it works this way:
If you're living abroad and you're not a citizen of the United States, the NSA has a great deal of freedom to try to collect and analyze your data. If you're doing business with a U.S. company or using a U.S.-based service, any kind of bulk collection program has to be approved by the U.S. attorney general. If you're in the U.S. or are a U.S. citizen, no matter where you are in the world, this kind of collection is supposed to be subject to a FISA court order.
DAVID GREENE, HOST:
Just about a year ago, Edward Snowden became a household name. His disclosures about the reach and extent of the NSA's online monitoring programs led to headlines around the world. And in the past 12 months all sorts of new terms have entered the lexicon.
We've learned about FISA courts and obscure parts of foreign surveillance law. Formerly secret programs named PRISM, Turbulence, and XKeyscore have been made public. But there has been one big, basic question hanging out there, more or less unanswered - what exactly does this kind of surveillance reveal? What exactly could the NSA see about me, or you, assuming they care to look? NPR technology correspondent Steve Henn, in collaboration with the technology website, Ars Technica, and a computer expert, set out to answer exactly that, by tapping the Internet traffic into and out of Steve's home office. Steve's on the line with us. Hey, Steve.
STEVE HENN, BYLINE: Good morning.
GREENE: And we know you'll be reporting on this in the coming days but we wanted to sort of get a preview here. Tell us exactly what you did.
HENN: Well, working with Sean Gallagher, who's a reporter at Ars Technica, and Dave Porcello, a computer security expert at a company he founded called Pwnie Express, the three of us bugged my office.
HENN: We installed something called a Pwn Plug to monitor the inbound and outbound Internet traffic to my computer and mobile phone.
GREENE: So this is if you are on Facebook on your phone, if you are talking on Skype on your computer, anything on your Wi-Fi, I mean, it could be monitored.
HENN: That's exactly right.
GREENE: So in a way you became a proxy for all of us. I mean, people at their computers or on their phones, and this device that these guys, Sean and Dave, put in became a proxy for the NSA?
HENN: Yeah, in a sense, that's exactly it. So this spring, actually in April, Sean came to my office in Menlo Park, California and Dave was in his office across the country in Vermont. You'll hear his voice over a speakerphone in a second. So we plug this thing in - this Pwn Plug - and the moment my phone connected there was this torrent of data that began flowing over the line.
HENN: Immediately. And without me even touching the device. So this is Dave.
DAVE PORCELLO: You're not, like, opening apps or anything, right?
HENN: No. My phone is sitting on my desk with the settings thing open.
PORCELLO: Yeah, it's just thousands and thousands of pages of stuff.
SEAN GALLAGHER: Lines, yeah. Thousands of lines.
HENN: That's Sean Gallagher, the reporter from Ars Technica.
GALLAGHER: So there's a lot of content that's flowing back and forth, that you have no control over, that is in the open and can be sniffed by somebody sitting on the network.
GREENE: And you're saying that in seconds, I mean, your phone started sending all sorts of code about you and you had no control over it.
HENN: That's right. And, you know, every phone is going to do this and it has to for the services you depend on to work. So, without you doing anything, your phone contacts your e-mail service, your weather app, web pages that you have open and running in the background, maybe a maps program. But the key here, for people who are concerned about their privacy, is how those connections are established. If all of that data is encrypted, no one who's watching your Internet connections can see what you're doing. But if it's unencrypted, if it's sent in the clear, anyone who is on the line monitoring your traffic - whether it's, you know, the NSA or your network administrator at work, can go into that flow of packets and see exactly what you're up to.
GREENE: So if it's encrypted, as you say, does that mean the NSA can't do anything with whatever I'm sending?
HENN: Well, the NSA can break encryption but often to do that it takes a huge amount of computer power and time. And so that makes this kind of passive, large-scale, massive surveillance that we've been reading about over the last year much more difficult. So over the last year, lots of computer companies have begun adding encryption to basic consumer services.
GREENE: I want to be real careful here - this is not totally realistic, right? I mean, these two guys are focusing on just you. The NSA has to do with millions and millions and millions of people.
HENN: No, that's exactly true. And I think one of the real questions that we had to struggle with was is it possible for the NSA to disentangle say, your traffic from my traffic and everyone else's traffic, if they're tapping into an Internet connection somewhere overseas. And technically, it turns out, that actually this kind of thing is possible to get at when you're applying large-scale computer software that's designed to deal with big data to the problem. So when we were analyzing my traffic to analyze it and sort it, and it was hundreds of millions of packets of data, we didn't have to use a lot of computing power. Here's Dave Porcello.
PORCELLO: Oh no, yeah, I could've done this analysis on an Android phone.
HENN: The NSA though, has supercomputers - massive computing centers spread all over the world and one enormous one that's generated a lot of attention in Utah. And that kind of computing power makes disentangling all this data possible.
GREENE: Well, the other question is the law. I mean, is what they did to your office, could the NSA do that legally?
HENN: Well, that's a great question. And with me sitting here, in Menlo Park, California as a citizen of the United States, the only way that they could do this kind of collection is if they had a court order and that would have to come from the FISA court. Carrie Cordero has worked on national security issues at the Justice Department for close to a decade. She's now at Georgetown Law School.
CARRIE CORDERO: As a former national security lawyer, when you're evaluating a particular request from the intelligence community to conduct a certain type of operation, the facts matter.
HENN: You know, and from the beginning of the Snowden affair, the NSA's insisted that it has done all of this collection within a pre-existing legal framework. And roughly, it works this way - if you're living abroad, and you're not a citizen of the United States, they have a great deal of freedom to collect and try to analyze your data. If you're doing business with a U.S. company, any kind of bulk collection program has to be approved by the U.S. Attorney General. If you're in the United States or a U.S. citizen, no matter where you are in the world, this kind of collection is supposed to be subject to a court order.
GREENE: A court order being the FISA court, which is a special foreign intelligence surveillance court that deals with these questions.
HENN: That's right.
GREENE: OK Steve, so you're going to be reporting on what you learned here over the coming days. And I guess we're going to get a lot of insights, but one thing to keep reminding our listeners is this was an experiment that we designed here.
HENN: Right. And there were a couple ground rules. Sean and Dave didn't have access to any NPR systems, or actually, internal access to my computer or my phone. You know, this was set up to be passive monitoring designed to mimic what we know about how the NSA collects data from the public internet. So what they could see about you possibly searching for a divorce attorney or going to sites you might not want people to know you're going to, looking into your medical history or other things like that. I also had a kill switch. Basically, I could unplug from this project at any time. And I did whenever I was doing something that was really personal or working on something not related to this.
GREENE: I know we're going to be hearing a lot in the coming days from you, but sort of a 15, 20 second preview of what you learned?
HENN: Yeah, no, we learned a lot. I mean, even though many major online service providers and companies like Google and Facebook have taken steps to secure data and encrypt it, we found that a lot of it is still leaking around the edges. We also realize that most institutions and most people have old software running on their systems that doesn't keep your data safe. And we also found one large security vulnerability that's pretty well known within the industry and affects tens of millions of Americans, but has gone unaddressed for years. So we're going to have stories on all of that over the week.
GREENE: All right, Steve Henn, quite an experiment, look forward to hearing all the reporting. Thanks a lot.
HENN: Thanks so much.
GREENE: He's NPR's technology correspondent and tomorrow he will have the story of one week under surveillance.
GREENE: This is NPR News. Transcript provided by NPR, Copyright NPR.