The American Wikileaks Hacker

Jacob Appelbaum fights repressive regimes around the world - including his own.

Photograph by Peter Yang
By |

On July 29th, returning from a trip to Europe, Jacob Appelbaum, a lanky, unassuming 27-year-old wearing a black T-shirt with the slogan "Be the trouble you want to see in the world," was detained at customs by a posse of federal agents. In an interrogation room at Newark Liberty airport, he was grilled about his role in Wikileaks, the whistle-blower group that has exposed the government's most closely guarded intelligence reports about the war in Afghanistan. The agents photocopied his receipts, seized three of his cellphones — he owns more than a dozen — and confiscated his computer. They informed him that he was under government surveillance. They questioned him about the trove of 91,000 classified military documents that Wikileaks had released the week before, a leak that Vietnam-era activist Daniel Ellsberg called "the largest unauthorized disclosure since the Pentagon Papers." They demanded to know where Julian Assange, the founder of Wikileaks, was hiding. They pressed him on his opinions about the wars in Afghanistan and Iraq. Appelbaum refused to answer. Finally, after three hours, he was released.

Sex, Drugs, and the Biggest Cybercrime of All Time

Appelbaum is the only known American member of Wikileaks and the leading evangelist for the software program that helped make the leak possible. In a sense, he's a bizarro version of Mark Zuckerberg: If Facebook's ambition is to "make the world more open and connected," Appelbaum has dedicated his life to fighting for anonymity and privacy. An anarchist street kid raised by a heroin- addict father, he dropped out of high school, taught himself the intricacies of code and developed a healthy paranoia along the way. "I don't want to live in a world where everyone is watched all the time," he says. "I want to be left alone as much as possible. I don't want a data trail to tell a story that isn't true." We have transferred our most intimate and personal information — our bank accounts, e-mails, photographs, phone conversations, medical records — to digital networks, trusting that it's all locked away in some secret crypt. But Appelbaum knows that this information is not safe. He knows, because he can find it.

He demonstrates this to me when I meet him, this past spring, two weeks before Wikileaks made headlines around the world by releasing a video showing U.S. soldiers killing civilians in Iraq. I visit him at his cavernous duplex in San Francisco. The only furniture is a black couch, a black chair and a low black table; a Guy Fawkes mask hangs on a wall in the kitchen. The floor is littered with Ziploc bags containing bundles of foreign cash: Argentine pesos, Swiss francs, Romanian lei, old Iraqi dinars bearing Saddam Hussein's face. The bag marked "Zimbabwe" contains a single $50 billion bill. Photographs, most of them taken by Appelbaum, cover the wall above his desk: punk girls in seductive poses and a portrait of his deceased father, an actor, in drag.

The Rise and Fall of Legendary Hacker Jeremy Hammond

Appelbaum tells me about one of his less impressive hacking achievements, a software program he invented called Blockfinder. It was not, he says, particularly difficult to write. In fact, the word he uses to describe the program's complexity is "trivial," a withering adjective that he and his hacker friends frequently deploy, as in, "Triggering the Chinese firewall is trivial" or "It's trivial to access any Yahoo account by using password-request attacks." All that Blockfinder does is allow you to identify, contact and potentially hack into every computer network in the world.

He beckons me over to one of his eight computers and presses several keys, activating Blockfinder. In less than 30 seconds, the program lists all of the Internet Protocol address allocations in the world — potentially giving him access to every computer connected to the Internet. Appelbaum decides to home in on Burma, a small country with one of the world's most repressive regimes. He types in Burma's two-letter country code: "mm," for Myanmar. Blockfinder instantly starts to spit out every IP address in Burma.
Blockfinder informs Appelbaum that there are 12,284 IP addresses allocated to Burma, all of them distributed by government-run Internet-service providers. In Burma, as in many countries outside the United States, Internet access runs through the state. Appelbaum taps some keys and attempts to connect to every computer system in Burma. Only 118 of them respond. "That means almost every network in Burma is blocked from the outside world," he says. "All but 118 of them."

These 118 unfiltered computer systems could only belong to organizations and people to whom the government grants unfettered Internet access: trusted politicians, the upper echelons of state-run corporations, intelligence agencies.

"Now this," Appelbaum says, "is the good part."

He selects one of the 118 networks at random and tries to enter it. A window pops up asking for a password. Appelbaum throws back his head and screams with laughter — a gleeful, almost manic trill. The network runs on a router made by Cisco Systems and is riddled with vulnerabilities. Hacking into it will be trivial.

It's impossible to know what's on the other side of the password. The prime minister's personal e-mail account? The network server of the secret police? The military junta's central command? Whatever it is, it could soon be at Appelbaum's fingertips.

So will he do it?

"I could," Appelbaum says, with a smile. "But that would be illegal, wouldn't it?"

No one has done more to spread the gospel of anonymity than Appelbaum, whose day job is to serve as the public face of the Tor Project, a group that promotes Internet privacy through a software program invented 15 years ago by the U.S. Naval Research Laboratory. He travels the world teaching spooks, political dissidents and human rights activists how to use Tor to prevent some of the world's most repressive regimes from tracking their movements online. He considers himself a freedom-of-speech absolutist. "The only way we'll make progress in the human race is if we have dialogue," he says. "Everyone should honor the United Nations human rights charter that says access to freedom of speech is a universal right. Anonymous communication is a good way for this to happen. Tor is just an implementation that helps spread that idea."

In the past year alone, Tor has been downloaded more than 36 million times. A suspected high-level member of the Iranian military used Tor to leak information about Tehran's censorship apparatus. An exiled Tunisian blogger living in the Netherlands relies on Tor to get past state censors. During the Beijing Olympics, Chinese protesters used Tor to hide their identities from the government.

The Tor Project has received funding not only from major corporations like Google and activist groups like Human Rights Watch but also from the U.S. military, which sees Tor as an important tool in intelligence work. The Pentagon was not particularly pleased, however, when Tor was used to reveal its secrets. Wikileaks runs on Tor, which helps to preserve the anonymity of its informants. Though Appelbaum is a Tor employee, he volunteers for Wikileaks and works closely with Julian Assange, the group's founder. "Tor's importance to Wikileaks cannot be understated," Assange says. "Jake has been a tireless promoter behind the scenes of our cause."

In July, shortly before Wikileaks released the classified Afghanistan war documents, Assange had been scheduled to give the keynote speech at Hackers on Planet Earth (HOPE), a major conference held at a hotel in New York. Federal agents were spotted in the audience, presumably waiting for Assange to appear. Yet as the lights darkened in the auditorium, it was not Assange who took the stage but Appelbaum.

"Hello to all my friends and fans in domestic and international surveillance," Appelbaum began. "I am here today because I believe we can make a better world. Julian, unfortunately, can't make it, because we don't live in that better world right now, because we haven't yet made it. I wanted to make a little declaration for the federal agents that are standing in the back of the room and the ones that are standing in the front of the room, and to be very clear about this: I have, on me, in my pocket, some money, the Bill of Rights and a driver's license, and that's it. I have no computer system, I have no telephone, I have no keys, no access to anything. There's absolutely no reason that you should arrest me or bother me. And just in case you were wondering, I'm an American, born and raised, who's unhappy. I'm unhappy with how things are going." He paused, interrupted by raucous applause. "To quote from Tron," he added, "'I fight for the user.'"

For the next 75 minutes, Appelbaum spoke about Wikileaks, urging the hackers in the audience to volunteer for the cause. Then the lights went out, and Appelbaum, his black hoodie pulled down over his face, appeared to be escorted out of the auditorium by a group of volunteers. In the lobby, however, the hood was lifted, revealing a young man who was not, in fact, Appelbaum. The real Appelbaum had slipped away backstage and left the hotel through a security door. Two hours later, he was on a flight to Berlin

By the time Appelbaum returned to America 12 days later and was detained at Newark, newspapers were reporting that the war documents identified dozens of Afghan informants and potential defectors who were cooperating with American troops. (When asked why Wikileaks didn't redact these documents before releasing them, a spokesman for the organization blamed the sheer volume of information: "I just can't imagine that someone could go through 76,000 documents.") Marc Thiessen, a former Bush speechwriter, called the group "a criminal enterprise" and urged the U.S. military to hunt them down like Al Qaeda. Rep. Mike Rogers, a Republican from Michigan, said that the soldier who allegedly provided the documents to Wikileaks should be executed.

Two days later, after speaking at a hackers conference in Las Vegas, Appelbaum was approached by a pair of undercover FBI agents. "We'd like to chat for a few minutes," one of them said. "We thought you might not want to. But sometimes it's nice to have a conversation to flesh things out."

Appelbaum has been off the grid ever since — avoiding airports, friends, strangers and unsecure locations, traveling through the country by car. He's spent the past five years of his life working to protect activists around the world from repressive governments. Now he is on the run from his own.
Appelbaum's obsession with privacy might be explained by the fact that, for his entire childhood, he had absolutely none of it. "I come from a family of lunatics," he says. "Actual, raving lunatics." His parents, who never married, began a 10-year custody battle before he was even born. He spent the first five years of his life with his mother, whom he says is a paranoid schizophrenic. She insisted that Jake had somehow been molested by his father while he was still in the womb. His aunt took custody of him when he was six; two years later she dropped him off at a Sonoma County children's home. It was there, at age eight, that he hacked his first security system. An older kid taught him how to lift the PIN code from a security keypad: You wipe it clean, and the next time a guard enters the code, you blow chalk on the pad and lift the fingerprints. One night, after everyone had gone to sleep, the boys disabled the system and broke out of the facility. They didn't do anything special — just walked around a softball field across the street for half an hour — but Appelbaum remembers the evening vividly: "It was really nice, for a single moment, to be completely free."

When he was 10, he was assigned by the courts to live with his father, with whom he had remained close. But his dad soon started using heroin, and Appelbaum spent his teens traveling with his father around Northern California on Greyhound buses, living in Christian group homes and homeless shelters. From time to time, his father would rent a house and turn it into a heroin den, subletting every room to fellow addicts. All the spoons in the kitchen had burn stains. One morning, when Appelbaum went to brush his teeth, he found a woman convulsing in the bathtub with a syringe hanging out of her arm. Another afternoon, when he came home from school, he found a suicide note signed by his father. (Appelbaum saved him from an overdose that day, but his father died several years later under mysterious circumstances.) It got so that he couldn't even sit on a couch for fear that he'd be pierced by a stray needle.

An outsider in his own home, Appelbaum embraced outsider culture. He haunted the Santa Rosa mall, begging for change. He dressed in drag and "I ♥ Satan" T-shirts, dyed his hair purple, picked fights with Christian fundamentalists and made out with boys in front of school. (Appelbaum identifies himself as "queer," though he refers to at least a dozen female lovers in nearly as many countries.) When a friend's father encouraged his interest in computers and taught him basic programming tools, something opened up for Appelbaum. Programming and hacking allowed him "to feel like the world was not a lost place. The Internet is the only reason I'm alive today."

At 20, he moved to Oakland and eventually began providing tech security for the Rainforest Action Network and Greenpeace. In 2005, a few months after his father died, he traveled alone to Iraq — crossing the border by foot — and set up satellite Internet connections in Kurdistan. In the aftermath of Hurricane Katrina, he drove to New Orleans, using falsified press documents to get past the National Guard, and set up wireless hot spots in one of the city's poorest neighborhoods to enable refugees to register for housing with FEMA.

Upon returning home, he started experimenting with the fare cards used by the Bay Area Rapid Transit system and discovered it was possible to rig a card with an unlimited fare. Instead of taking advantage, he alerted BART officials to their vulnerabilities. But during this conversation, Appelbaum learned that BART permanently stored the information encoded on every transit card — the credit-card number used, where and when they were swiped — on a private database. Appelbaum was outraged. "Keeping that information around is irresponsible," he says. "I'm a taxpayer, and I was given no choice how they store that data. It's not democratically decided — it's a bureaucratic directive."

Given his concerns about privacy, it's easy to see why Appelbaum gravitated toward the Tor Project. He volunteered as a programmer, but it soon became clear that his greatest ability lay in proselytizing: He projects the perfect mix of boosterism and dread. "Jake can do advocacy better than most," says Roger Dingledine, one of Tor's founders. "He says, 'If someone were looking for you, this is what they'd do,' and he shows them. It freaks people out."

The Internet, once hailed as an implacable force of liberalization and democratization, has become the ultimate tool for surveillance and repression. "You can never take information back once it's out there," Appelbaum says, "and it takes very little information to ruin a person's life." The dangers of the Web may remain abstract for most Americans, but for much of the world, visiting restricted websites or saying something controversial in an e-mail can lead to imprisonment, torture or death.

Last year, some 60 governments prevented their citizens from freely accessing the Internet. China is rumored to have a staff of more than 30,000 censors who have deleted hundreds of millions of websites and blocked an eccentric range of terms — not only "Falungong," "oppression" and "Tiananmen," but also "temperature," "warm," "study" and "carrot."

On a bright afternoon in San Francisco, before Wikileaks dominated the headlines, Appelbaum is dressed in his usual hacker uniform: black boots, black socks, black slacks, black thick-rimmed glasses and a T-shirt bearing an archslogan. (Today it's "Fuck politics — I just want to burn shit down.") Though his work requires him to sit at his desk for most of the day, he is rarely stationary. He frequently jumps up and executes a series of brief, acrobatic stretches.He kicks a leg up against the wall, cracks his neck violently, tugs one arm across his chest and, just as abruptly, sits back down again.

He explains that we have to take a cab to pick up his mail. Like being a strict vegan or a Mormon, a life of total anonymity requires great sacrifice. You cannot, for instance, have mail delivered to your home. Nor can you list your name in your building's directory. Appelbaum has all of his mail sent to a private mail drop, where a clerk signs for it. That allows Appelbaum — and the dissidents and hackers he deals with — to use the postal system anonymously. Person One can send a package to Appelbaum, who can repackage it and send it on to Person Two. That way Person One and Person Two never have direct contact — or even learn each other's identities.

Tor works in a similar way. When you use the Internet, your computer makes a connection to the Web server you wish to contact. The server recognizes your computer, notes its IP address and sends back the page you've requested. It's not difficult, however, for a government agency or a malicious hacker to observe this whole transaction: They can monitor the server and see who is contacting it, or they can monitor your computer and see whom you're trying to contact. Tor prevents such online spying by introducing intermediaries between your computer and the system you're trying to reach. Say, for example, that you live in San Francisco and you want to send an e-mail to your friend, a high-level mole in the Iranian Revolutionary Guard. If you e-mail your friend directly, the Guard's network could easily see your computer's IP address, and discover your name and personal information. But if you've installed Tor, your e-mail gets routed to one of 2,000 relays — computers running Tor — scattered across the world. So your message bounces to a relay in Paris, which forwards it to a second relay in Tokyo, which sends it on to a third relay in Amsterdam, where it is finally transmitted to your friend in Tehran. The Iranian Guard can only see that an e-mail has been sent from Amsterdam. Anyone spying on your computer would only see that you sent an e-mail to someone in Paris. There is no direct connection between San Francisco and Tehran. The content of your e-mail is not hidden — for that, you need encryption technology — but your location is secure.

Appelbaum spends much of each year leading Tor training sessions around the world, often conducted in secrecy to protect activists whose lives are in danger. Some, like the sex-worker advocates from Southeast Asia he tutored, had limited knowledge of computers. Others, like a group of students Appelbaum trained at a seminar in Qatar, are highly sophisticated: One worked on the government's censorship network, another works for a national oil company, and a third created an Al-Jazeera message board that allows citizens to post comments anonymously. In Mauritania, the country's military regime was forced to abandon its efforts to censor the Internet after a dissident named Nasser Weddady wrote a guide to Tor in Arabic and distributed it to opposition groups. "Tor rendered the government's efforts completely futile," Weddady says. "They simply didn't have the know-how to counter that move."

In distributing Tor, Appelbaum doesn't distinguish between good guys and bad guys. "I don't know the difference between one theocracy or another in Iran," he says. "What's important to me is that people have communication free from surveillance. Tor shouldn't be thought of as subversive. It should be thought of as a necessity. Everyone everywhere should be able to speak and read and form their own beliefs without being monitored. It should get to a point where Tor is not a threat but is relied upon by all levels of society. When that happens, we win."

As the public face of an organization devoted to anonymity, Appelbaum finds himself in a precarious position. It is in Tor's interest to gain as much publicity as possible — the more people who allow their computers to serve as relays, the better. But he also lives in a state of constant vigilance, worried that his enemies — envious hackers, repressive foreign regimes, his own government — are trying to attack him. His compromise is to employ a two-tiered system. He maintains a Twitter account and has posted thousands of photos on Flickr. Yet he takes extensive measures to prevent any private information — phone numbers, e-mail addresses, names of friends — from appearing.

"There are degrees of privacy," he says. "The normal thing nowadays is to conspicuously report on one another in a way that the Stasi couldn't even dream of. I don't do that. I do not enter my home address into any computer. I pay rent in cash. For every online account, I generate random passwords and create new e-mail addresses. I never write checks, because they're insecure — your routing number and account number are all that are required to empty your bank account. I don't understand why anyone still uses checks. Checks are crazy."

When he travels, if his laptop is out of his sight for any period of time, he destroys it and then throws it away; the concern is that someone might have bugged it. He is often driven to extreme measures to get copies of Tor through customs in foreign countries. "I studied what drug smugglers do," he says. "I wanted to beat them at their own game." He shows me a nickel. Then he slams it on the floor of his apartment. It pops open. Inside there is a tiny eight- gigabyte microSD memory card. It holds a copy of Tor.

As fast as Tor has grown, government surveillance of the Internet has expanded even more rapidly. "It's unbelievable how much power someone has if they have unfettered access to Google's databases," Appelbaum says.

As he is quick to point out, oppressive foreign regimes are only part of the problem. In the past few years, the U.S. government has been quietly accumulating libraries of data on its own citizens. Law enforcement can subpoena your Internet provider for your name, address and phone records. With a court order, they can request the e-mail addresses of anyone with whom you communicate and the websites you visit. Your cellphone provider can track your location at all times.

"It's not just the state," says Appelbaum. "If it wanted to, Google could overthrow any country in the world. Google has enough dirt to destroy every marriage in America."

But doesn't Google provide funding for Tor?

"I love Google," he says. "And I love the people there. Sergey Brin and Larry Page are cool. But I'm terrified of the next generation that takes over. A benevolent dictatorship is still a dictatorship. At some point people are going to realize that Google has everything on everyone. Most of all, they can see what questions you're asking, in real time. Quite literally, they can read your mind."

Now, in the wake of the Wikileaks controversy, Appelbaum has gone underground, concealing his whereabouts from even his closest friends. He suspects his phones are tapped and that he's being followed. A week after being questioned in Newark, he calls me from an undisclosed location, my request to contact him having been passed along through a series of intermediaries. The irony of his situation isn't lost on him.

"I'll be using Tor a lot more than I ever did — and I used it a lot," he says, his voice uncharacteristically sober. "I have become one of the people I have spent the last several years of my life protecting. I better take my own advice."