Investigative

Zoom Encryption

At the time of publication, the videoconferencing service could access conversations on its platform.

Credit

I cowrote this story with Micah Lee.

Impact

This piece led to an FTC investigation, which resulted in Zoom implementing real encryption. Zoom also settled a class-action lawsuit for $86 million over lying to customers about end-to-end encryption and failing to prevent zoombombing. The lawsuit prominently cited this article. It’s required reading in a required class for grad students at Berkeley’s School of Information. It also earned links from 9to5, Ars Technica, Axios, BBC, Bleeping Computer, Bloomberg Quint, the Brookings Institute, BuzzFeed, CNBC, CNet, Coindesk, Cyberscoop, Dark Reading, Engadget, Fast Company, Fortune, Gizmodo, Independent, Insider, L.A. Times, MIT Tech Review, the Mozilla Foundation, New Republic, NY Mag, New York Times, OneZero, Politico, Popular Science, Protocol, QZ, Rapid7, Slate, Tech Crunch, Vice, Vox, Washington Post, Wikipedia, Wired, Yahoo!, and ZDNet. It was also cited in the Harvard Journal of Law & Technology and in presentations by Clarkson University and the California Community Colleges Information Security Center.

Voatz

I first began looking into Voatz for Slate’s Future Tense blog when an editor asked me to look into whether their blockchain voting pilot experienced any of the issues security researchers had warned about. What was supposed to be a pithy blog post turned into months of research, due in large part to Voatz’s lack of transparency.

I continued my reporting for Cointelegraph after a student security researcher was referred to the FBI over what the company said was an intrusion attempt, even though the research appears to have been protected by the safe harbor statement in the company’s bug bounty program. The bug bounty program terms on HackerOne were updated soon after the FBI referral made headlines.

I further wrote about infosec company Trail of Bits’ independent audit of Voatz, which confirmed many of the same bugs MIT researchers had previously found.

I followed Voatz’s story as it was kicked off of the HackerOne bug bounty program platform.

And, for Coindesk, I wrote about an open letter the American Association for the Advancement of Science’s Center for Scientific Evidence in Public Issues sent to U.S. governors, secretaries of state and state election directors to express concern about the security of voting via the internet or mobile apps.

Impact

My Slate piece was linked to by 538, Bloomberg, Fast Company, IB Times, IETT, QZ, Salon, and The Conversation. It was also cited in a research paper in the Journal of Cybersecurity.

My Cointelegraph piece was cited in two amicus briefs to the Supreme Court and linked to by Fortune, Mother Jones, and The Verge. It was also cited in the Federal Communications Law Journal, a report prepared by the OECD Working Party on Security in the Digital Economy, and a scathing analysis of Voatz’s security by MIT researchers, which was included in the Proceedings of the 29th USENIX Security Symposium. And it’s sometimes required reading in Stanford’s Hack Lab courses on the CFAA.

Surveillance of Uyghurs

I spent more than two years reporting on a leaked police database detailing massive surveillance of China’s Uyghur community.

Credit

Akil Harris assisted with research.

Impact

This piece was linked to or cited by many news organizations, nonprofits, and academics, including Amnesty International, ASPI’s Xinjiang Data Project, Australian Institute of International Affairs, Centre for Inquiry Canada, China Digital Times, Cyberscoop, Democracy Now!, Foreign Affairs, Freedom House, GQ, Genocide Watch, Jacobin, WBUR, and Yahoo.

VPNs

My journey reporting on VPNs started in 2016 when I was supposed to make a list of reliable VPNs for Ars Technica. Turned out the task was complicated, so I pivoted to writing about that.

https://arstechnica.com/information-technology/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/

After that, Wirecutter asked me to take my best shot at reviewing VPNs. By then, the industry had matured a bit, and I did feel that I could make an assessment based on criteria I selected, while including a dizzying array of detail about what we don’t know, which I did for two years.

I continued researching and reporting on VPNs for Consumer Reports’ Digital Lab, which culminated in a 47-page white paper and three companion articles on whether you should use a VPN at all, where many of the VPNs we tested fell short, and the three VPNs that did best in our evaluation.

Credit

The Consumer Reports Digital Lab testing team was led by Steve Blair, and we conducted preliminary analysis using the VPNalyzer tool developed by the brilliant Professor Roya Ensafi and her amazing team.

Impact

The Ars Technica piece was quoted in China Digital Times, Computerworld, Haaretz, Lifehacker, Marketwatch, Mental Floss, Techdirt, Sec News Weekly, Slate, Teen Vogue, Verge, Vice, and Yahoo—and has been cited in trainings by the Freedom of the Press Foundation and in comments to the FTC.

While I held the sole byline in late 2019-2020, my “Best VPN Service” piece for Wirecutter was linked to by nonprofit advocacy organizations and news sites alike: Access Now, Bleeping Computer, Center for Democracy and Technology, Daily Dot, EFF, Engadget, Fast Company, Gizmodo, Lifehacker, Malwarebytes, National Cybersecurity Alliance, Popular Science, Slate, Tech Crunch, twit.TV, QZ, Vox, Wikihow, Wired, and Yahoo!, as well as training by the Freedom of the Press Foundation.

My VPN reporting for Consumer Reports was covered by Gizmodo, Tech Times, and the International Association for Privacy Professionals (IAPP), and linked to by NBC. I also spoke about it on the CryptoHarlem Twitch stream, and will be giving a talk about our results at ShmooCon 2022 in Washington, D.C.

Medical Device Security

I spent more than a year digging into why the healthcare industry is so bad at cybersecurity, including analyzing which of the top 115 medical device manufacturers had coordinated vulnerability disclosure programs. That led to this story in Ars Technica.

Impact

This piece was cited in the BMC Medical Ethics journal.

Copyright 2021 Yael Grauer