Project Eavesdrop: What Passive Surveillance Collects
RENEE MONTAGNE, HOST:
For many, Edward Snowden's disclosures about the NSA's massive phone and data collection program were an eye-opener - major tech companies race to add digital encryption to their services. But even with that, we wondered what exactly could the NSA still see about us, assuming for a second that they still care to look? To find out, NPR technology correspondent Steve Henn teamed up with Sean Gallagher, a reporter at Ars Technica and Dave Porcello, a computer security expert at a company called Pwnie Express. Together, they tapped Steve's smart phone and laptop. He's the guinea pig here. For little more than a week, Sean and Dave stepped into the role of a security or even a criminal organization and they spied on Steve Henn's life. This is what happened.
STEVE HENN, BYLINE: A little over a week into this project, I got a call from Sean Gallagher at Ars. At first I wasn't sure what he had found but he sounded giddy. Turns out, Sean had intercepted some of my tape - an uncut interview, parts of which would air later that day at NPR.
SEAN GALLAGHER: What happened was the Pwn Plug that was in your office caught it as you were pulling it down from the NPR server.
HENN: He played me the recording.
UNIDENTIFIED WOMAN 1: OK, awesome. Yep, yep. OK I'm passing the phone to you. I'm going to record...
HENN: Holy cow.
SCOTT BELL: Hello, this is Scott Bell.
HENN: So this is a guy I interviewed in a field in Iowa.
GALLAGHER: Right. Right. This was for your story you were doing on clean data centers.
HENN: (Laughing) Yeah.
GALLAGHER: Which we figured out based on your search traffic.
HENN: Like anyone doing research on anything, I'd hit Google. Sean Gallagher and Dave Porcello had seen that. Like the NSA monitoring traffic, they were monitoring me. A few weeks earlier, we had installed something called a Pwn Plug in my office. It's this little wireless router that basically catches and copies all the traffic into and out of any device that connects to it - in my case, my computer and mobile phone. That data, including my interview, was sifted and analyzed and sorted by software, automatically.
GALLAGHER: So it re-created the file and extracted it out. And that's very similar to the sort of content mining that the NSA's surveillance technology is capable of.
HENN: Who you are and where you are, whether you're a U.S. citizen or in this country or abroad, all this matters in the eyes of the law. But bulk collection - this kind of mass collection of Internet data - this is what happens to people who are not targets, who are not suspected terrorists but just regular people whose traffic is sucked up into this mesh. Our goal was to try and figure out exactly what this kind of passive surveillance can discover. And there were some ground rules. Dave and Sean didn't have access to NPR's systems. They couldn't hack into anything. They were just collecting the data flowing between me and the net - the way data about millions of people around the world is collected every day. They tracked me this way for one week.
HENN: Right, and so in fairness, like I chose a story in a week where I wasn't working on anything particularly sensitive. There were no, like, off the record sources here. When I did do that, I disengaged from the experiment. You know, on other work.
GALLAGHER: (Laughing) Right.
HENN: Another ground rule, was I wasn't going to try go dark or cover my tracks. I'd just do my job like any other week. But going in, I knew that my e-mail and my phone calls were encrypted and walled off from their prying eyes. Most people surfing the web, doing research on a medical issue or looking for a divorce attorney probably don't take these kinds of precautions. Actually, I thought that my standard operating procedures might make tracking me kind of hard. It turns out I was wrong - completely and totally wrong.
HENN: You know, earlier you said that you knew what the story was about.
HENN: Walk me through how you figured that out.
GALLAGHER: OK, so I started looking at the search terms that were coming up for what you were working on and there was a web referral that was for who coined the term cloud computing.
HENN: Right. Cloud computing - that's what my story was about. Google search traffic is supposed to be encrypted but that data leaked. Sean and Dave tracked me from website to website. And then the real payoff came when the software that was automatically analyzing my web traffic got down to business. It scoured the sites I visited, looking for e-mail addresses and telephone numbers. Sean gave me a list of people he thought I was reaching out to.
HENN: And you had Greenpeace and you had Facebook. You had all my sources for that story.
GALLAGHER: I had all your sources. I could've written that story for you. (Laughing)
HENN: But the web wasn't the only thing that tripped me up. Almost every business or computer has some old software inside. Think about how you do your expenses at work or when you last updated your audio player. Old programs leak data too and pretty much everyone has them.
DAVE PORCELLO: Yeah, I mean we use hundreds of services for our business.
HENN: Dave Porcello says one weak link can spill your personal information onto the net in plain text. And that's how they got that copy of the interview in Iowa.
BELL: We are at the large water tower near Wellsburg...
HENN: It was sent using an old, insecure system that's now been patched. But actually the biggest surprise for me, the thing that kind of blew me away, came right at the beginning of this, when I first connected my phone to that little router monitoring my traffic. Dave was across the country on a speakerphone watching as my iPhone pinged servers all over the world.
PORCELLO: Yahoo, NPR...
HENN: My phone sent Yahoo my location data in the clear. It connected to NPR from my e-mail. It pinged Apple, Google.
GALLAGHER: You're not, like, opening apps or anything right?
HENN: No my phone is sitting on my desk.
HENN: There was this cascade of bits.
GALLAGHER: There's just thousands and thousands of pages of stuff.
HENN: And all of this was going down without me even touching the phone. Over the next couple of weeks, David and a colleague at Pwnie Express - a guy named Awk - dug through those thousands of packets.
OLIVER WIES: A lot of times it's pretty easy to identify not only the type of device, but the person.
HENN: Awk's real name is Oliver Wies.
WIES: How many people's iPhones are named, you know, Steve's iPhone?
HENN: Right. Well, I mean, when you were talking about that I was thinking, OK so it sounds out the name of my iPhone - Steve's iPhone - it sends out a ping to NPR mail, so now you are limited to Steve's who work at NPR.
HENN: And then it hits my weather app and it's saying I'm in Menlo Park, California. >>WIES: Exactly.
HENN: And it's like, all right, we know exactly who you are. You are not Steven Inskeep, you know, you are Steve Henn.
WIES: (Laughing) Right, exactly. Yeah, it's pretty wild.
HENN: This happened without me touching the phone or doing anything. And in fact, for millions of phones there is no easy way to stop this.
WIES: You know, I mean, that's really the mind blowing thing about all this is that, you know, people are walking around every day with these, you know, mobile computers in their pockets and they have no idea what they're sending to the world.
HENN: Over the rest of the week we are going to dig into the kind of information that leaks out from your phone and apps and websites that claim to be safe. And we'll look at what a hacker or a spy agency could do with this stuff. It turns out, you don't have to be as big or sophisticated as the NSA to capture these bits of information we leave trailing behind us. And you don't have to let someone plant a bug in your office either. Steve Henn, NPR News, Silicon Valley.