How a lone grad student scooped the government—and what it means for your online privacy

To defend against hackers, filtered computers are standard in the government, but they are problematic for officials who are trying to discover dishonest activity on the web; it’s a bit like telling a cop he can’t patrol in high-crime neighborhoods. A handful of unfiltered computers are available in restricted labs at the FTC’s headquarters on Pennsylvania Avenue and its satellite offices on New Jersey Avenue and M Street, but this is an ungainly setup. Rather than leaving their office, waiting for an elevator, swiping their ID badges across a sensor at the lab’s locked door and logging into a computer soaked with malware (because the lab computers are used to test suspicious applications and websites), the technologists have instead stayed in their office and tethered their personal laptops to their personal cell phones. The office does not have a window, and the cell signals are not strong; even by phone standards, their web connection is slow.

Soghoian and the current privacy technologist, Michael Brennan, tried to get an unfiltered desktop installed in their office. Each time—Soghoian in 2010, Brennan in 2011—they got tantalizingly close, with new machines delivered to them. But the computers were never connected to the internet. Someone at the agency—they don’t know who—got cold feet. “I basically had a two-thousand-dollar computer doing nothing,” Soghoian said. Brennan isn’t even at the office so much these days; he is a part-timer who lives in Philadelphia, where he is getting a Ph.D. in computer science at Drexel University. When he works in Washington, the FTC’s privacy gunslinger crashes at a friend’s house.

Only one FTC official has an unfiltered desktop: Felten, the chief technologist. He is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. Felten, hired mainly to provide policy advice to the FTC chairman, also conducts investigations of suspicious websites or apps—this is what he uses the unshackled computer for. During an interview, he pointed to it, a bit like a museum guide gesturing toward a priceless artwork, and said, “This is rare. I think this is the only one.”

He acknowledged the agency is hindered by a shortage of technical experts who can find the sorts of violations that Mayer stumbled on.

“We could for sure do more if we had more people,” he said while sitting in his office, which is nearly bare, with a few FTC posters on the walls, a small table and chairs, and a large desk for his two computers. “There are a lot of opportunities that we have to let go by because we don’t have the people to seize them … opportunities to measure and evaluate what’s happening every day in people’s computers and phones.”

Felten, who plans to resume full-time teaching at Princeton in the fall, was asked whether he has better technological resources there.

“Oh yes,” he replied. “That’s certainly the case.”

***

The mismatch between FTC aspirations and abilities is exemplified by its Mobile Technology Unit, created earlier this year to oversee the exploding mobile phone sector. The six-person unit consists of a paralegal, a program specialist, two attorneys, a technologist, and its director, Patricia Poss. For the FTC, the unit represents an important allocation of resources to protect the privacy rights of more than 100 million smart phone owners in America. For Silicon Valley, a six-person team is barely a garage startup. Earlier this year, the unit issued a highly publicized report on mobile apps for kids; its conclusion was reflected in the subtitle, “Current Privacy Disclosures Are Disappointing.” It was a thin report, however. Rather than actually checking the personal data accessed by the report’s sampling of 400 apps, the report just looked at whether the apps disclose, on the sites where they are sold, the types of personal data that would be accessed and what the data would be used for. The body of the report is just 17 pages. (The FTC says it will do deeper research in future reports.)

The mobile unit has an equipment problem, too. Like most government agencies, the FTC issues BlackBerries to key officials. Poss, the unit’s director, has one. The BlackBerry dominated when Al Gore ran for president, but today it’s barely an also-ran with just 12 percent of the smart phone market. That’s not a problem if you only use your BlackBerry for texts, emails, and calls. But it’s a problem if, like Poss, your job is to keep track of what’s happening in the smart phone market. Most consumers use Androids or iPhones, and most of the apps written for them are not available on the BlackBerry.