I first began looking into online voting vendor Voatz for Slate’s Future Tense blog when an editor asked me whether its blockchain voting pilot experienced any of the issues security researchers had warned about. What was supposed to be a pithy blog post turned into months of research, due in large part to Voatz’s lack of transparency.
I continued my reporting for Cointelegraph after a student security researcher was referred to the FBI over what the company said was an intrusion attempt–even though the research appears to have been protected by the safe harbor statement in the company’s bug bounty program. The bug bounty program terms on HackerOne were updated soon after the FBI referral made headlines.
I further wrote about infosec company Trail of Bits’ independent audit of Voatz, which confirmed many of the same bugs MIT researchers had previously found.
I followed Voatz’s story as it was kicked off of the HackerOne bug bounty program platform.
For Coindesk, I wrote about an open letter the American Association for the Advancement of Science’s Center for Scientific Evidence in Public Issues sent to U.S. governors, secretaries of state and state election directors to express concern about the security of voting via the internet or mobile apps.
Most recently, I wrote a story for CyberScoop about online voting provider Democracy Live paying for academic research in an attempt to sway U.S. lawmakers.
My Slate piece was cited by 538, Bloomberg, Fast Company, IB Times, IETT, QZ, Salon, and The Conversation, as well as a research paper in the Journal of Cybersecurity.
My Cointelegraph piece was cited in two amici briefs to the Supreme Court. It was also cited by Fortune, Mother Jones, The Verge, the Federal Communications Law Journal, a report prepared by the OECD Working Party on Security in the Digital Economy, and in a scathing analysis of Voatz’s security by MIT researchers, which was included in the Proceedings of the 29th USENIX Security Symposium. And it’s sometimes required reading in Stanford’s Hack Lab courses on CFAA.
My CyberScoop report was cited by Washington Post and Vermont Digger and in Zack Whittaker’s newsletter, This Week In Security. It was also mentioned in the Vermont Legislature’s Senate Committee on Government Operations.
My journey reporting on VPNs started in 2016 when I was supposed to make a list of reliable VPNs for Ars Technica. Turned out the task was complicated, so I pivoted to writing about that.
After that, Wirecutter asked me to take my best shot at reviewing VPNs. By then, the industry had matured a bit, and I did feel that I could make an assessment based on criteria I selected, while including a dizzying array of detail about what we don’t know, which I did for two years.
I continued researching and reporting on VPNs for Consumer Reports, which culminated in a 47-page white paper and three companion articles on whether you should use a VPN at all, where many of the VPNs we tested fell short, and the three VPNs that did best in our evaluation.
The Ars Technica piece was cited by China Digital Times, Computerworld, Haaretz, Lifehacker, Marketwatch, Mental Floss, Techdirt, Sec News Weekly, Slate, Teen Vogue, Verge, Vice, and Yahoo. It has also been cited in trainings by the Freedom of the Press Foundation and in comments to the FTC.
While I held the sole byline in late 2019-2020, my “Best VPN Service” piece for Wirecutter was cited by nonprofit advocacy organizations and news sites alike: Access Now, Bleeping Computer, Center for Democracy and Technology, Daily Dot, EFF, Engadget, Fast Company, Gizmodo, Lifehacker, Malwarebytes, National Cybersecurity Alliance, Popular Science, Slate, TechCrunch, twit.TV, QZ, Vox, Wikihow, Wired, and Yahoo! News, as well as training by the Freedom of the Press Foundation.
My VPN reporting for Consumer Reports was cited in a letter by Rep. Eshoo and Senator Wyden urging the FTC to address deceptive data practices by VPN providers. It was also cited in Bloomberg, CSO Online, Engadget, Gizmodo, the International Association for Privacy Professionals (IAPP), Mashable, NBC, Tech Times, the Washington Post, and several academic papers. I also spoke about it on the CryptoHarlem Twitch stream, and gave a talk about our results at ShmooCon 2022 in Washington, D.C. The ShmooCon talk itself was covered on Tom’s Guide, Read.me, and a Medium post.
I wrote a story for the Atlantic on what big tech knows about your body: your most intimate details are just data points.
Prior to that, I spent more than a year digging into why the healthcare industry is so bad at cybersecurity, including analyzing which of the top 115 medical device manufacturers had coordinated vulnerability disclosure programs. That led to this story in Ars Technica.