Episode 548: Project Eavesdrop : Planet Money

Planet Money's Steve Henn invited a couple computer guys to tap his internet connection for a week. He was shocked by how much they discovered.

JACOB GOLDSTEIN, HOST:

Hello, PLANET MONEY listeners. NPR wants to know what you think about NPR. Go to nprlistens.org and tell us.

STEVE HENN, HOST:

I've always had this question. I've always wondered just how much information about me someone could find out by sitting back and watching my internet traffic online. I'm not talking about someone hacking into my computer or stealing my electronic address book or breaking into my files at work. Really, I've always just wondered how much information about me slides by on the internet, unprotected, unencrypted, for anyone out there to read.

So a couple of months ago, I asked these two computer experts to spy on me. For an entire week, they were going to watch all of my internet traffic - everything coming into and out of my home office, from my laptop, from my mobile phone. And this guy came to my house, and he actually attached this little box to my internet connection. We plugged it in, and we turned it on.

DAVE PORCELLO: Yeah.

HENN: OK, so now I'm going to turn on the Wi-Fi.

Literally, like, a half-second after we started, these guys had collected an amazing amount of information about me. Dave Porcello was part of the team, and he was sitting in his office in Vermont, all the way across the country. And you're going to hear him on a speaker phone, but he was watching as we connected to the net and my iPhone, my little phone, started reaching out to these services all over the world.

PORCELLO: Yahoo, NPR.

HENN: My phone sent Yahoo my location data, totally unprotected in the clear. Then it connected to NPR for my email. Then it pinged Apple, then Google.

PORCELLO: You're not, like, opening apps or anything, right?

HENN: No, it's - my phone is sitting on my desk with...

I had not touched my iPhone. I didn't search for anything. It was just sitting there all by itself, sending out a cascade of information.

PORCELLO: It's just thousands and thousands of pages of stuff.

HENN: It's easy to think that all of this stuff is anonymous, that no one cares or could tell anything from the data my weather app is giving up or the name of my iPhone. But each little, tiny bit is a clue, and these guys - these computer experts - started to put all these little clues together. Oliver Weis, part of this ad-hoc surveillance team, says when you combine it all, it becomes kind of a digital fingerprint. And my phone spilled this out onto the internet within seconds of connecting.

OLIVER WEIS: A lot of times, it's pretty easy to identify not only the type of device, but the person. You know, how many people's iPhones are named, you know, Steve's iPhone?

HENN: Right.

WEIS: Or, you know...

HENN: I mean, when you were talking about that, I was thinking, OK, so it sends out the name of my iPhone - Steve's iPhone. It sends out a ping to NPR Mail, so now you're limited to Steves who work at NPR. And then...

WEIS: Right.

HENN: And then it hits my weather app, and it's saying I'm in Menlo Park, Calif., and it's like - all right.

WEIS: Exactly.

HENN: We know exactly who you are. You are not Steve Inskeep. You are Steve Henn.

WEIS: (Laughter) Right. Exactly. Yeah, it's pretty wild.

HENN: Hello, and welcome to PLANET MONEY. As my iPhone already told you, I'm Steve Henn. And on our show today, we have the story of what happened when I let these guys follow me all over the internet. You know, these days it seems like your smartphone can do anything. It tracks airplanes through the sky above your head. It can give you turn-by-turn directions in Bangkok. It even makes phone calls. But why can't your smartphone keep your secrets?

(SOUNDBITE OF SONG, "HEARD IT THROUGH THE GRAPEVINE")

KAISER CHIEFS: (Singing) Mm-mm-mm-mm-mm-mm-mm-mm-mm-mm (ph).

HENN: Now, I should say that it actually does take a little bit of effort now to track someone's internet trail. Most big tech companies have started scrambling personal information they send back and forth. Google does it. Yahoo does it. It's called encryption. So I enlisted this entire team to search for stuff that these companies had missed - stuff that isn't encrypted, that anyone could read.

I worked with this guy Sean Gallagher from the tech website Ars Technica. And then there were the computer guys in Vermont, Dave and Oliver, who you already met. They founded a company called Pwnie Express, which consults on corporate security. And they were recording everything on my internet connection - everything going in and out - while I just went about my job as a reporter, googling, making calls, more googling. And most of it was really dull. I'm sure it was - a lot of meaningless numbers. And they couldn't see things that had basic security measures. They couldn't get into my bank account or my NPR email. And frankly, I did my best to be boring pretty much all the time.

But then one day about a week in - it's, like, 6:00 in the morning. I'm making coffee, looking at my email, and something has gotten these guys really, really excited. They're shooting emails back and forth, CC-ing me. You know, and the subject lines are like, holy crap, did you see that? And I'm thinking to myself, what did I just let them see? What did I do? So I called them. Turns out, Dave and Sean had just snatched a copy of a raw interview that I did for a story, a story for NPR that hadn't even aired yet.

SEAN GALLAGHER: OK, so this is the audio file that we captured out of your internet stream when you were downloading it from the NPR FTP server.

HENN: (Laughter) Oh.

GALLAGHER: I can replay it if you need me to.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED WOMAN #1: OK. OK. Awesome. Yep. Yep. OK. I'm passing the phone to you.

HENN: Holy cow.

(SOUNDBITE OF ARCHIVED RECORDING)

SCOTT BELL: Hello, this is Scott Bell (ph).

HENN: So this is a guy I interviewed in a field in Iowa.

GALLAGHER: Right.

HENN: I had a producer, actually, who had recorded that interview in Iowa. And then she had sent me the audio over the internet. Sean, Dave and Oliver had snatched it, and they were able to listen to every second. They had been waiting for big files like this - audio, video, pictures - and I unknowingly gave it up to them. Now, so one isolated interview - what could anybody do with that, right? Turns out, that wasn't the only thing I was giving away.

GALLAGHER: This was for your - that story you were doing on clean data centers.

HENN: (Laughter) Yeah.

They knew exactly what my story was about - clean data centers - before it aired, something only me and my editor knew. In fact, these guys actually knew more than my editor did. And how they figured it out tells you something about how anyone's trail can be pieced together online. They had this software that was specifically looking for telephone numbers on web pages I visited. Sean gave me a couple of numbers he had captured. I called them.

Let's see. I'm calling. I'm going to put it on speakerphone.

(SOUNDBITE OF PHONE RINGING)

UNIDENTIFIED WOMAN #2: Thank you for calling DuPont Fabros. Press zero at any time to reach the receptionist.

HENN: Did you hear that?

GALLAGHER: Yes, I did.

HENN: That's the number of one of my sources for that story (laughter).

GALLAGHER: Yes.

HENN: (Laughter) Hold on. Hold on just a second.

GALLAGHER: OK.

HENN: Let's call the second number.

(SOUNDBITE OF PHONE RINGING)

HENN: It was another person I'd reached out to and interviewed for this story on data centers.

GALLAGHER: (Laughter).

HENN: So, yeah, those are - those are - like, if you go back to that story, those are two interviews - right? - the guy you ended up recording, and DuPont Fabros gave me a tour of their big data center in Santa Clara. And you had Greenpeace. And you had Facebook. You had all my sources for that story.

They had tracked who I was reaching out to. They had an interview. They'd even managed to piece together my thoughts during that entire week. They had reconstructed my Google searches. I had typed, who coined cloud computing? I'd searched for Facebook's data center in Sweden and looked up maps of where I wanted to send that producer.

GALLAGHER: I had all your sources. I could have written that story for you.

(LAUGHTER)

HENN: You know, that would have been nice. That would have saved me some time.

I should say here that the story I was working on wasn't a terribly secret one. It didn't have any unnamed sources or confidential information. But this process scared the hell out of me. I mean, Skype leaked my personal contact book.

Wow, that's like a sourcebook.

GALLAGHER: Yep.

HENN: Yeah, I'd appreciate it if you didn't make that public.

(LAUGHTER)

HENN: It turns out it was just my personal Skype account, so Sean got the contact information for my mom and my sister. But it was startling. Yahoo was leaking my location data. Google was giving up maps. Microsoft showed my full name and a picture. WhatsApp revealed my telephone number. And The New York Times, The Times - that site is unencrypted, so these guys could see what I was reading, including an article about personal bankruptcy. It was awkward.

And going in, I knew that my email and my phone calls were encrypted and walled off. Most people surfing the web researching medical issues or looking for divorce attorneys probably don't take these kinds of precautions. But I had asked for this. I had invited this team of guys into my house and asked them to bug my office. I had made it easy. But you don't have to go to these kinds of extremes for this to happen to you. A stranger could reconstruct your life this way. This is real.

It could be anyone with access to your internet connection. It could be the IT guys at work or your roommates or the guy who runs that coffee shop Wi-Fi. And it turns out that that device in your pocket, your beloved smartphone, chances are good that it is constantly, relentlessly looking to betray you. It's set up to be on the hunt for open internet connections. And it's not exactly careful about who it hooks up with.

WEIS: Pretty much. Basically - yeah. So when you have wireless turned on, your phone or your laptop is sending out what are called probe requests out to the world, saying, hey, where's my network? Hey, where's my network? Is this network around? Where's this network?

HENN: Every AT&T phone is preprogrammed when you buy it, right out of the box, to connect to any network named AT&T Wi-Fi. And even though they call these things smartphones, your phone can't tell if that network is really run by AT&T or if it was set up by hackers. If the network is called AT&T Wi-Fi, that's good enough for your phone. That's it.

And hackers have actually built evil networks that just sit there, listening for your phone to ask, is this my network? Is this my network? And they wait. And they listen. And then they answer, yes. Yes, it is. And hackers actually don't even need to be that clever. You yourself, you could go to the local mall and set up a Wi-Fi router and name it AT&T Wi-Fi, and hundreds, maybe even thousands, of phones would start connecting to it.

WEIS: At that point, it's in the middle. And it can basically intercept all traffic going through it.

HENN: So at that point, this has recreated what we did by actually plugging something physically into my office wall.

WEIS: Exactly.

HENN: And then whoever runs that evil Wi-Fi network is in the position to capture your traffic. It can see everything. Well, at least, everything that's not encrypted. And so you have to wonder, why don't all companies encrypt your data? Why don't phone manufacturers and internet providers do more to keep all of our information safe?

You know, this isn't a hard computer-science problem. It's just math. And math is easy for these machines. Math is what they do. And encryption works really well if it's used correctly. But for years, big tech companies didn't bother to do this, at least not in a way that made it easy for average people to protect themselves.

And in the past, when I asked companies why, they'd say things like, it's expensive or it's a hassle, it slows my apps down. But, honestly, the real reason is they didn't see any evidence that their customers actually cared. You know, the graveyard of failed Silicon Valley startups is littered with companies that promised greater privacy protections.

And some of the industry's biggest successes, Facebook and Google, they were built on collecting information about you. Keeping personal information safe and private was never a top priority here. But then last year, something changed.

(SOUNDBITE OF ARCHIVED RECORDING)

BRIAN WILLIAMS: He is routinely called the most wanted man in the world.

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED MAN: Mr. Snowden, whom I regard as an American hero and a very great patriot...

(SOUNDBITE OF ARCHIVED RECORDING)

JOHN KERRY: The bottom line is this is a man who has betrayed his country...

(SOUNDBITE OF ARCHIVED RECORDING)

EDWARD SNOWDEN: My name's Ed Snowden. I'm 29 years old.

HENN: Ed Snowden and the documents he leaked painted this vivid, if kind of fragmented, picture of how the U.S. National Security Agency monitors internet traffic from all over the world. And it turns out they are really good at it. People globally freaked. Cisco saw sales drop overseas. Facebook and Google are now facing new regulations in South America and Europe about how they treat and protect customer data. And executives at these companies suddenly had a powerful new incentive. Nate Cardozo at the Electronic Frontier Foundation says Snowden changed everything.

NATE CARDOZO: Now more and more companies are not just encrypting data on the disk, not just encrypting data between you the end user and their server, but between their own servers. And this is because of a threat introduced honestly by our own government.

HENN: In the past year, Yahoo, Google, Facebook, Microsoft, Twitter and Apple all announced they're beefing up encryption on their networks. And during the week that Sean, Dave and Oliver were tracking me, and for more than a month after they finished, we tested all of these companies and their services. None of them were perfect. When I searched Google for Grundy County, Iowa, the guys tracking me could actually see the map Google sent me in response.

But here's the thing - when we called Google to let them know this had happened, they fixed it. The press guy called me back and said, yeah, that's a bug. And now when you search for a location, that map you get back will be private. It's encrypted now anywhere, any search anywhere in the world. That's millions and millions of searches. We called Yahoo, too. They're working now with Apple to fix that weather app that was leaking my location data so it won't broadcast that stuff anymore. We called Skype and they said we got it, problem solved. In the end, we called more than a dozen tech companies and no one blew us off. Even NPR - we fixed our bug, too.

If you want to reach us, you can email us at planetmoney@npr.org, or you can hit me at @HennsEggs on Twitter. Or if you're looking for an encrypted option, you can reach out on Wickr, a secure chat service. I'm at H-E-N-N-S-3-G-G-S, kind of like @HennsEggs but geekier.

I'd also like to say a huge thank you to Dave Porcello at Pwnie Express. Without him and his team, this wouldn't have been possible. Also Sean Gallagher at Ars Technica and my editor for the radio version of these stories, Bruce Auster.

(SOUNDBITE OF SONG, "HEARD IT THROUGH THE GRAPEVINE")

KAISER CHIEFS: (Singing) I bet you wondered how I knew about your plans to make me blue with some other guy...

HENN: And if you were looking for one other way to get in touch with us, go to nprlistens.org and tell us what you think. The producers for today's show were Thea Bennen (ph) and Viet Le (ph). I'm Steve Henn. Thanks for listening.

(SOUNDBITE OF SONG, "HEARD IT THROUGH THE GRAPEVINE")

KAISER CHIEFS: (Singing) Oh, I heard through the grapevine not much longer would you be mine. Oh, I heard through the grapevine, oh, I'm just about to lose my mind. Honey, honey, I heard it through the grapevine. How much longer would you be my baby?

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.