Episode 548: Project Eavesdrop : Planet Money The computer or phone that you use knows a lot about you. It knows your secrets — and it might be giving them away.

Episode 548: Project Eavesdrop

  • Download
  • <iframe src="https://www.npr.org/player/embed/487970769/487977650" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


Hey, it's Alex Goldmark here, and today, we are replaying a PLANET MONEY classic from Steve Henn about what secrets your computer may be revealing about you. After the episode, we've got a little update. OK. Here's the show.


I've always had this question. I've always wondered just how much information about me someone could find out by sitting back and watching my internet traffic online. I'm not talking about someone hacking into my computer or stealing my electronic address book or breaking into my files at work. Really, I've always just wondered how much information about me slides by on the internet unprotected, unencrypted for anyone out there to read.

So a couple months ago, I asked these two computer experts to spy on me. For an entire week, they were going to watch all of my internet traffic, everything coming into and out of my home office from my laptop, from my mobile phone. And this guy came to my house, and he actually attached this little box to my internet connection. We plugged it in, and we turned it on.


HENN: OK. So now I'm going to turn on the Wi-Fi.

Literally, like, a half-second after we started, these guys had collected an amazing amount of information about me. Dave Porcello was part of the team, and he was sitting in his office in Vermont all the way across the country. And you're going to hear him on a speaker phone, but he was watching as we connected to the net and my iPhone, my little phone, started reaching out to these services all over the world.


HENN: My phone sent Yahoo my location data - totally unprotected in the clear. Then it connected to NPR for my email. Then it pinged Apple. Then Google.

PORCELLO: You're not, like, opening apps or anything, right?

HENN: No, it's - my phone is sitting on my desk.

I had not touched my iPhone. I didn't search for anything. It was just sitting there all by itself sending out a cascade of information.

PORCELLO: It's just thousands and thousands of pages of stuff.

HENN: It's easy to think that all of this stuff is anonymous, that no one cares or could tell anything from the data my weather app is giving up or the name of my iPhone. But each little tiny bit is a clue. And these guys, these computer experts, started to put all these little clues together. Oliver Weis, part of this ad hoc surveillance team, says when you combine it all, it becomes kind of a digital fingerprint. And my phone spilled this out onto the internet within seconds of connecting.

OLIVER WEIS: A lot of times it's pretty easy to identify not only the type of device but the person. You know, how many people's iPhones are named, you know, Steve's iPhone?

HENN: Right.

WEIS: Or, you know...

HENN: Well, I mean, when you were talking about that, I was thinking, OK, so it sends out the name of my iPhone, Steve's iPhone. It sends out a ping to NPR mail, so now you're limited to Steve's who work at NPR.

WEIS: Right.

HENN: And then - and then it hits my weather app, and it's saying I'm in Menlo Park, Calif. And it's like, all right.

WEIS: Exactly.

HENN: We know exactly who you are. You are not Steve Inskeep. You are Steve Henn.

WEIS: (Laughter) Right, exactly. Yeah, it's pretty wild.


HENN: Hello, and welcome to PLANET MONEY. As my iPhone already told you, I'm Steve Henn. And on our show today, we have the story of what happened when I let these guys follow me all over the internet. You know, these days, it seems like your smartphone can do anything. It tracks airplanes through the sky above your head. It can give you turn-by-turn directions in Bangkok. It even makes phone calls. But why can't your smartphone keep your secrets?


HENN: Now, I should say that it actually does take a little bit of effort now to track someone's internet trail. Most big tech companies have started scrambling personal information they send back and forth. Google does it. Yahoo does it. It's called encryption. So I enlisted this entire team to search for stuff that these companies had missed, stuff that isn't encrypted, that anyone could read.

I worked with this guy Sean Gallagher from the tech website Ars Technica. And then there were the computer guys in Vermont, Dave and Oliver who you already met. They founded a company called Pwnie Express, which consults on corporate security. And they were recording everything on my internet connection, everything going in and out while I just went about my job as a reporter, googling, making calls, more googling, and most of it was really dull. I'm sure it was - a lot of meaningless numbers.

And they couldn't see things that had basic security measures. They couldn't get into my bank account or my NPR email. And frankly, I did my best to be boring pretty much all the time. But then one day about a week in, it's, like, 6 in the morning. I'm making coffee, looking at my email, and something has gotten these guys really, really excited.

They're shooting emails back and forth, cc'ing me, you know, and the subject lines are like, holy crap, did you see that? And I'm thinking to myself what did I just let them see? What did I do? So I called them. It turns out Dave and Sean had just snatched a copy of a raw interview that I did for a story, a story for NPR that hadn't even aired yet.

SEAN GALLAGHER: OK. So this is the audio file that we captured out of your internet stream when you were downloading it from the NPR FTP server. I can replay it if you need me to.

UNIDENTIFIED WOMAN #1: OK, OK, awesome, yep, yep. OK, I'm passing the phone to you.

HENN: Holy cow.

SCOTT BELL: Hello. This is Scott Bell (ph).

HENN: So this is a guy I interviewed in a field in Iowa.


HENN: I had a producer, actually, who had recorded that interview in Iowa. And then she had sent me the audio over the internet. Sean, Dave and Oliver had snatched it, and they were able to listen to every second. They had been waiting for big files like this - audio, video, pictures. And I unknowingly gave it up to them. Now, so one isolated interview. What could anybody do with that, right? It turns out that wasn't the only thing I was giving away.

GALLAGHER: This was for your - that story you were doing on clean data centers.

HENN: (Laughter) Yeah.

They knew exactly what my story was about, clean data centers, before it aired, something only me and my editor knew. In fact, these guys actually knew more than my editor did. And how they figured it out tells you something about how anyone's trail can be pieced together online. They had the software that was specifically looking for telephone numbers on web pages I visited. Sean gave me a couple of numbers he had captured. I called them.

Let's see. I'm calling - I'm going to put it on speakerphone.


UNIDENTIFIED WOMAN #2: Thank you for calling DuPont Fabros. Press zero at any time to reach the receptionist.

HENN: Did you hear that?

GALLAGHER: Yes, I did.

HENN: That's the number - one of my sources for that story (laughter).


HENN: Hold on (laughter) hold on just a second.


HENN: Let's call the second number.


HENN: It was another person I had reached out to and interviewed for this story on data centers.

GALLAGHER: (Laughter).

HENN: So yeah, those - like, if you go back to that story, those are two interviews, right, the guy you ended up recording and DuPont Fabros gave me a tour of their big data center in Santa Clara. And you had Greenpeace and you had Facebook. You had all my sources for that story.

They had tracked who I was reaching out to. They had an interview. They'd even managed to piece together my thoughts during that entire week. They had reconstructed in my Google searches. I had typed who coined cloud computing. I had searched for Facebook's data center in Sweden and looked up maps of where I wanted to send that producer.

GALLAGHER: I had all your sources. I could have written that story for you.

HENN: You know, that would've been nice. That would've saved me some time.

I should say here that the story I was working on wasn't a terribly secret one. It didn't have any unnamed sources or confidential information. But this process scared the hell out of me. I mean, Skype leaked my personal contact book.

Wow. That's like a sourcebook.


HENN: Yeah, I'd appreciate it if you didn't make that public.

GALLAGHER: (Laughter).

HENN: It turns out it was just my personal Skype account, so Sean got the contact information for my mom and my sister. But it was startling. Yahoo was leaking my location data. Google was giving up maps. Microsoft showed my full name and a picture. Whatsapp revealed my telephone number. And The New York Times - The Times - that site is unencrypted, so these guys could see what I was reading, including an article about personal bankruptcy. It was awkward.

And going in, I knew that my email and my phone calls were encrypted and walled off. Most people surfing the web, researching medical issues or looking for divorce attorneys probably don't take these kinds of precautions. But I had asked for this. I had invited this team of guys into my house and asked them to bug my office. I had made it easy, but you don't have to go to these kinds of extremes for this to happen to you. A stranger could reconstruct your life this way.

This is real. It could be anyone with access to your internet connection. It could be the I.T. guys at work or your roommates or the guy who runs that coffee shop Wi-Fi. And it turns out that that device in your pocket, your beloved smartphone, chances are good that it is constantly, relentlessly, looking to betray you. It's set up to be on the hunt for open internet connections. And it's not exactly careful about who it hooks up with.

WEIS: Pretty much, basically, yeah. So when you have wireless turned on, your phone or your laptop is sending out what are called probe requests out to the world saying, hey, where's my network? Hey, where's my network? Is this network around? Where's this network?

HENN: Every AT&T phone is preprogrammed when you buy it right out of the box to connect to any network named AT&T Wi-Fi. And even though they call these things smartphones, your phone can't tell if that network is really run by AT&T or if it was set up by hackers. If the network is called AT&T Wi-Fi, that's good enough for your phone. That's it. And hackers have actually built evil networks that just sit there listening for your phone to ask is this my network? Is this network? And they wait and they listen and then they answer, yes, yes, it is.

And hackers actually don't even need to be that clever. You yourself, you could go to the local mall and set up a Wi-Fi router and name it AT&T Wi-Fi and hundreds, maybe even thousands, of phones would start connecting to it.

WEIS: And at that point, it's in the middle and it can basically intercept all traffic going through it.

HENN: So at that point, this has recreated what we did by actually plugging something physically into my office wall.

WEIS: Exactly.

HENN: And then, whoever runs that evil Wi-Fi network is in the position to capture your traffic. It can see everything. Well, at least everything that's not encrypted. And so you have to wonder, why don't all companies encrypt your data? Why don't phone manufacturers and internet providers do more to keep all of our information safe? You know, this isn't a hard computer science problem. It's just math, and math is easy for these machines. Math is what they do. And encryption works really well if it's used correctly.

But for years, big tech companies didn't bother to do this, at least not in a way that made it easy for average people to protect themselves. And in the past, when I asked companies why, they'd say things like it's expensive or it's a hassle. It slows my apps down. But honestly, the real reason is they didn't see any evidence that their customers actually cared.

You know, the graveyard of failed Silicon Valley startups is littered with companies that promised greater privacy protections. And some of the industry's biggest successes, Facebook and Google, they were built on collecting information about you. Keeping personal information safe and private was never a top priority here. But then, last year, something changed.


UNIDENTIFIED MAN #2: He is routinely called the most wanted man in the world.


UNIDENTIFIED MAN #3: Mr. Snowden, whom I regard as an American hero and a very great patriot.


UNIDENTIFIED MAN #4: The bottom line is this is a man who has betrayed his country.


ED SNOWDEN: My name's Ed Snowden. I'm 29 years old.

HENN: Ed Snowden and the documents he leaked painted this vivid if kind of fragmented picture of how the U.S. National Security Agency monitors internet traffic from all over the world. And it turns out they are really good at it. People globally freaked. Cisco saw sales drop overseas. Facebook and Google are now facing new regulations in South America and Europe about how they treat and protect customer data. And executives at these companies suddenly had a powerful new incentive. Nate Cardozo at the Electronic Frontier Foundation says Snowden changed everything.

NATE CARDOZO: Now, more and more companies are not just encrypting data on the disk, not just encrypting data between you, the end user and their server, but between their own servers. And this is because of a threat introduced honestly by our own government.

HENN: In the past year, Yahoo, Google, Facebook, Microsoft, Twitter and Apple all announced they're beefing up encryption on their networks. And during the week that Sean, Dave and Oliver were tracking me, and for more than a month after they finished, we tested all of these companies and their services. None of them were perfect. When I searched Google for Grundy County, Iowa, the guys tracking me could actually see the map. Google sent me in response.

But here's the thing - when we called Google to let them know this had happened, they fixed it. The press guy called me back and said, yeah, that's a bug. And now when you search for a location, that map you get back will be private. It's encrypted now, anywhere, any search, anywhere in the world. That's millions and millions of searches.

We called Yahoo, too. They're working now with Apple to fix that weather app that was leaking my location data so it won't broadcast that stuff anymore. We called Skype, and they said we got it, problem solved. In the end, we called more than a dozen tech companies and no one blew us off. Even NPR - we fixed our bug, too.


GOLDMARK: Alex here again, back in the present. And there have been some changes since Steve's story ran in 2014 but not all that much to be honest. When we called up Steve Gallagher of Ars Technica who helped Steve on this story, he said a lot of the big tech companies have tightened up their security, but a lot of other kinds of websites still haven't. Most media organizations, including The New York Times, are still unencrypted. Same thing with dating sites, he said. And that ATT Wi-Fi thing is still an issue. Sean's advice...

GALLAGHER: People just have to be aware of what they're connecting to. That's half the battle. So, you know, if you're someplace and you're looking for a Wi-Fi connection to get your Facebook fix and you see something that says free Wi-Fi here, don't connect to it.

GOLDMARK: Noted - thanks to Dave Porcello at Pwnie Express and his team there and of course to Sean Gallagher at Ars Technica. Today's show was produced by Thea Bennen (ph) and Viet Le (ph). And today's rerun was produced by our intern Mark Bramhale (ph).

If you're looking for a new podcast to try, check out the NPR POLITICS PODCAST. It is fun with lively recaps of the latest campaign news. They've got tons of audio clips. They've got context, even some humor. You can find it on any podcasting app or find it on NPR One. Search for the NPR POLITICS PODCAST on NPR One. I'm Alex Goldmark. Thanks for listening.

Copyright © 2016 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.