The Ultimate Invasion of Privacy
How a Chinese hacker used my private nickname, personal emails, and sensitive documents to try to blackmail me.
The Times story of Jan. 30 reported that the newspaper had been hacked from Mainland China in an apparent attempt to stymie a Times investigation into the finances of Premier Wen Jiabao. The article quoted the newspaper’s executive editor, Jill Abramson, who sought to reassure readers and sources. “Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” she said. A few paragraphs later, however, the story went on to note: “Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees, most of them outside the Times’ newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family.”
That’s hardly consoling. You have to wonder how confident any future confidential Chinese source will feel about approaching a Times reporter. Every employee of the paper had his or her corporate password stolen, and 53 employees had their personal computers penetrated. Once that happens, the hackers have the ability to observe and record everything. And to keep it forever.
The Times article described how the hackers would normally begin their probing at 8 a.m. and knock off after eight hours. On the clock. Mundane. Banal. In my case, experts I consulted told me that the hacking probably came from government monitors who wanted extra cash. During office hours they did their monitoring, and after hours they sought to supplement their income with a little freelancing. I wonder how many Times staffers will be contacted by their own “Eric.” I wonder how many of those individuals are having to revisit, as I did, their belief that they have nothing to hide.
The whole process of being hacked and blackmailed was eerily akin to undergoing a diagnostic colonoscopy without any anesthetic, which, relying on dubious medical advice, I’ve also experienced. During that medical procedure, a seemingly endless stream of water entered my body from a hose in, well, you know where, and a steady flow of water exited. A nurse leaned into me and grabbed my stomach to help the hose make turns and find its way onward. A video monitor broadcast the journey in vivid color just above my head. The doctor was quite excited for me to see it. I found it humiliating. Not unlike having everything one has ever expressed on email exposed and probed.
Within a day of receiving the email from Eric, I contacted the U.S. Consulate, the FBI, and the security office of my financial partner (a publicly traded Wall Street bank). I was soon sitting in my office, reviewing the matter with representatives from each entity. They wanted to know everything. They wanted access to all of my files to see what the hackers could see. They wanted to conduct their own digital colonoscopy. Knowing the hacker was inside probing around was already awful. Having the “good guys” in there probing around didn’t feel much better. All privacy, all dignity, all control was lost.
Blackmail was a familiar story to the security experts. Their strategy was to treat the hacker like a bully. Don’t respond to the demands, and find a way to punch him in the nose. Easier said than done. Finally, a law firm representing the bank sent Eric an email. It said that the authorities had been notified, the partners had been notified, and there was nothing to be gained by trying to expose what had already been disclosed. It was a gamble, as I really didn’t want to have the documents or emails widely circulated. But it worked. After a few days, I received a message from Eric. He was friendly and warm. He said it was just business; nothing personal. He still used my nickname. It gave me the chills.
In retrospect, I should have known better. Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move. That is their normal. But relegating my experience to the China file—to the concerns of a faraway place—would also be a mistake. With China’s world and ours intersecting online, I expect we’ll eventually wonder how we could have been so naive to have assumed that privacy was normal—or that breaches of it were news. And Eric, if he’s reading this, probably agrees.
Future Tense is a partnership of Slate, the New America Foundation, and Arizona State University. This article originally appeared on Zócalo Public Square, which is a project of the New America Foundation and Arizona State University.
William Gerrity is chairman and CEO of the Gerrity Group, based in San Diego. He is on the board of Zócalo Public Square and the New America Foundation.