Every Christopher Soghoian production follows a similar pattern, a series of orchestrated events that lead to the public shaming of a large entity—Google, Facebook, the federal government—over transgressions that the 30-year-old technologist sees as unacceptable violations of privacy. Sometimes he discovers these security flaws by accident, other times because someone has pissed him off, but mostly because he’s parked at his computer all day looking for security flaws.

When he finds one, Soghoian, a PhD candidate in computer science at Indiana University Bloomington, learns everything he can about it and devises what he sees as a viable solution. Then he alerts the offending party and gives them a chance to fix things, explaining that if they don’t, he’ll go public with his discovery. (OK, sometimes he skips the give-them-a-chance step.) When the inevitable wave of media coverage starts breaking, Soghoian is often the first expert that reporters turn to for sound bites—about stories he has effectively handed them. In the end, the security holes get patched, and Soghoian gets more notoriety and more work. He’s vertically integrated.

“If Chris Soghoian points out a technology-related privacy problem, then it should probably be taken seriously,” says Marcia Hofmann, a senior staff attorney at San Francisco-based Electronic Frontier Foundation, which tackles free speech and privacy issues. “Nobody else is doing what Chris does—at least not at his level.”

Consider Gmail. Everything you send and receive through Google’s email servers is automatically encrypted using secure sockets layer, or SSL, which is indicated by the letters https at the beginning of a Gmail URL. It wasn’t always so. Google used to keep SSL off by default; it can slow things down a bit. It was left to users to figure out how to opt in for extra security.


Soghoian interned at Google in the summer of 2006 and says that, like many Google employees, he was issued an encrypted laptop. He found it unacceptable that the company wasn’t offering the same level of protection to the public. So three years later, when a fellowship at Harvard’s Berkman Center for Internet & Society gave him access to free legal counsel and contacts to numerous tech-world leaders, he persuaded 36 of them, including Ronald Rivest (the R in the RSA encryption algorithm), to sign an open letter urging Google to make SSL the default. He sent the letter to reporters and to then-Google CEO Eric Schmidt.

Soghoian won’t claim direct credit, and Google won’t give it (or deny it). But hours after the letter was published, Google changed its position, claiming that it had been planning to make SSL the default for Gmail. Seven months later, it did so. “All of the privacy lawyers at the big Internet companies now have Chris on their radar,” says Caspar Bowden, a former Microsoft exec who recently moderated a panel on privacy organized by Soghoian. “He has a natural talent for bringing issues to a head, making real changes to corporate and government policies, and communicating the issues to the wider public. Organizations will probably feel bruised by the encounter but will realize in time they have been moved to a better place. Few people can do that, and Chris is a rare example of a genuinely strategic activist.”

The impression that Soghoian is trying to become a Ralph Nader for the Internet age is only strengthened by his personal style—rumpled, alternately charming and grumpy, as righteous as he is intelligent. He’s notoriously frugal; he bikes everywhere, and he lives in a basement room of a Washington, DC, house he shares with four roommates.

And he talks. A lot. With a slight British accent—the product of a childhood spent in London—he speaks in 1,000-word bursts with nary a like, y’know, or pause. Whether he’s talking to staffers on the Hill, presenting at conferences, or giving interviews, he’s direct, confident, focused, and unwavering. “I can walk into a room and explain how a cookie works or how geolocation tracking works or how encryption works or why data retention is a bad idea,” he says. “This is what I’m good at.”

Soghoian was born in San Francisco in 1981, his mother a social worker and his father a jazz musician and computer engineer. When Soghoian was a year old, the family moved to London, where his father had a job as a computer engineer.

He has been using computers for as long as he can remember. When Soghoian was 11, he persuaded his headmaster to sign paperwork that let him head over to King’s College London computer lab, where he used email, jumped into Usenet groups, and explored the nascent World Wide Web. As a teen, he took evening classes in computer science at a community college. He finished high school at 16 and went to James Madison University in Virginia to study computer science. There he talked his way into a few graduate-level security classes, which piqued his interest in the field.

In 2006, Soghoian enrolled in the PhD program at Indiana University Bloomington’s School of Informatics and Computing. During the late summer of that year, the 25-year-old was en route to Indianapolis from that most public of venues, the Burning Man festival in Nevada, when privacy became a much more personal issue. At the airport in Reno, Transportation Security Administration agents told him he couldn’t take his Middle Eastern lunch through security. He wrote about it on his security-themed blog, Slight Paranoia.

Them: You can’t take these on board. They’re liquids.

Me: No. They’re solid foods. The hummous is more of a paste than a liquid.

Them: You can’t take it through.

Me: I realize that hummous and Al Qaeda come from the same part of the world, but, well, so does algebra.

Soghoian was pulled aside for a thorough search.

Once he got back to Bloomington, Soghoian set about exposing what he saw as the absurdity of TSA procedures. He devoured papers on airline security, looking for loopholes and back doors. Then he realized he could make his point simply by altering a Northwest Airlines eticket he had on his PC from a recent flight. The October 18 blog post he wrote about it, titled “Paging Osama, please meet your party at the information desk,” explained how to bypass the FBI’s no-fly list in 10 easy steps.

Soghoian’s Targets

Over the past five years, the technology activist has delighted in publicizing the questionable practices of powerful organizations.

TSA: In October 2006, Soghoian revealed a TSA security breach by publishing a method for printing fake boarding passes, which earned him an FBI apartment raid. The TSA began to close the loophole the following June.

Firefox: In 2009, he created TACO, a security plug-in for Firefox that enables users to opt out of targeted advertising.

Google: Soghoian published an open letter to Google, in June 2009, calling for automatic encryption for Gmail users. Seven months later, Google made encryption the default. The following year, he filed an FTC complaint against the company for providing search info to third parties.

Sprint Nextel: While working for the FTC in the fall of 2009, Soghoian secretly recorded a Sprint Nextel executive admitting that his company gave user data to law enforcement some 8 million times in one year. The recording was featured on The Colbert Report (punch line: “Can you hear me hear you now?”). The following year, a Ninth Circuit Court judge cited the Sprint recording in a decision about how Fourth Amendment protections relate to GPS tracking.

Telecoms: In December 2009, Soghoian released a list of the prices companies charge the government for handing over private data. This past July, he went on NPR to explain phone spoofing and voicemail hacking. He later appeared on CBS Evening News and demonstrated the technique by breaking into his own voicemail.

Federal government: Soghoian coauthored a paper, published in March, that explains how governments are able to spy on allegedly secure websites; for example, a federal agency could use a surveillance device from the likes of Arizona-based Packet Forensics to route around encryption software.

Dropbox: In April, he blogged about Dropbox’s backdoor access to user data. Two days later, Dropbox clarified its terms of service.

Facebook: He helped expose Facebook as the unnamed entity behind a PR campaign in May to push negative stories about Google’s privacy policy.

AT&T: In June, Soghoian persuaded AT&T to require passwords for user voicemail accessed from their own phones.

“TSA doesn’t have access to the Airline’s computer systems,” he wrote. “Thus, they have no real way of knowing if a boarding pass is real or not. All they can do is verify that the name on the piece of paper (which may or may not be a boarding pass) matches the ID they have been given.” In other words, if you were on the no-fly list, all you had to do was buy an eticket under a fake name and save it as HTML. You could then go into the HTML code and replace the fake name with your real one, print the ticket, and present it and your ID at security, which has no computers to check the no-fly list or confirm that the name on the ticket matches airline records. At the gate, where ID is not required, you could use your original boarding pass with the fake name, which, when scanned, wouldn’t come up as a no-flier.

Soghoian spread the word to the media—including Wired.com—and the workaround quickly made headlines. On October 27, US representative Ed Markey, a Massachusetts Democrat who was then a senior member of the House Committee on Homeland Security, called for the arrest of whoever was responsible. When the FBI showed up, Soghoian asked the agents to wait a moment, went to his computer, and posted a quick note to his blog—“FBI are at the door. Off to chat.”—then told them to come back with a warrant. They did. “Having my own computer seized by the FBI turned what had been an academic interest in privacy into something that directly impacted my life,” Soghoian says. “I saw firsthand how a massive government agency can, in my opinion, abuse its power to go after a critic of government policies. That one experience made it very easy to see the government as an adversary, against which I continue to fight.”

But Soghoian is not against fighting from within the system. Once Markey realized the perpetrator was a grad student who studied security, he backed down and even suggested that the Department of Homeland Security give Soghoian a job “showing public officials how easily our security can be compromised.” DHS passed, but three years later, the Federal Trade Commission’s Division of Privacy and Identity Protection recruited Soghoian as a staff technologist. “They didn’t have anyone doing this,” Soghoian says. “That’s the equivalent of the EPA not having any environmental scientists on staff.”

His first act at the FTC was to refuse to submit to the required background check. “I shouldn’t have to sacrifice my own privacy to protect consumers,” he says. The FTC brought him in anyway to, in his words, “add technical weight to their privacy-enforcement team and to help them find new cases.” Emboldened by his new position, Soghoian attended the October 2009 Intelligence Support Systems World conference, a sort of South by Southwest for security wonks—cops, intelligence-gathering experts, surveillance-tech vendors, and telecom brass who gather to discuss everything from the Patriot Act to the latest spyware. It’s known informally as the Wiretapper’s Ball.

Soghoian managed to record a Sprint Nextel executive boasting that the company had provided user location data to law enforcement agencies some 8 million times. Naturally, Soghoian made the tape public. Stephen Colbert—among others—picked up the story, which was later cited by the Ninth Circuit Court of Appeals in a case concerning police surveillance tactics.

When Soghoian’s contract came up in August 2010, the FTC chose not to renew it. Soghoian claims his boss’s boss told him the conference stunt was the reason. (The FTC wouldn’t confirm this.)

Regardless, Soghoian says going to the conference was worth it. “I shaved for the first time in several years and put on a cheap suit,” he says. “I felt like a secret agent, infiltrating the enemy’s HQ. It was easily the most creepy yet exciting place I’ve ever been.”

After leaving the FTC, Soghoian went back to living off his savings, a graduate stipend, and income from a fellowship and consulting work. And he has found plenty of opportunities to continue his privacy crusade. He files up to four Freedom of Information Act requests each week, an arcane task that he says delights him, and he has an ongoing suit against the Department of Justice for its refusal to hand over 600 pages of documents related to the FBI’s use of GPS tracking.

Last spring, he and some friends discovered a flaw in the privacy policy of Dropbox, the cloud service that allows users to sync files across multiple devices. The company failed to disclose that it had a back door into that data. Soghoian wrote a blog post about the flaw. “The response from the tech community and paying users was instant and vicious,” he says. Dropbox subsequently updated its privacy policy, disclosing its access to data stored on its servers. (The company declined to comment for this article.)

A few weeks later, he received an email from an employee at the PR giant Burson-Marsteller offering to help him write and publish a smear piece about Google’s privacy policy. The effort was being funded by an unnamed client. Soghoian refused. Instead, he posted the exchange online and tweeted about it. The media picked it up, and Dan Lyons of The Daily Beast determined that the client was Facebook, which quickly found itself engulfed in a storm of bad publicity.

In June, Soghoian persuaded AT&T to require customers to always enter a password to access voicemail, a policy that leaves users less vulnerable to phone hacking. He has been pressing T-Mobile and Sprint to do the same. After the Murdoch empire’s News of the World phone scandal blew up last summer, Soghoian appeared on NPR, explaining how phone-spoofing technology allowed reporters to access voicemail illegally. The next night, he broke into his own voicemail on the CBS Evening News in front of 5.5 million viewers.

Soghoian’s financial situation improved in August when he began a George Soros Open Society Foundations fellowship, which gives him a high-five-figure stipend and a research assistant. His fellowship project is a website called PrivacyReports.org, which will grade telecom and ISP privacy practices for the layperson. Search engines, email providers, cell phone companies, online backup services—Soghoian will break down each company’s level of security and privacy protections. “Visitors will be able to know how long providers are retaining their text messages and whether they provide law enforcement easy access to your location data,” he says. “People have a right to know what companies aren’t telling them. My hope is that after a year, once I have the data up and it’s proving to be useful, I can give it to the ACLU or someone like that to run.”

And then? Soghoian says that under the right circumstances he’d consider another government job—ideally for the Privacy and Civil Liberties Oversight Board, which advises the White House on matters of individual privacy. It has been inactive since 2008. “I don’t want security clearance,” he says. “I don’t need a staff. I just want to be an ombudsman, with an office and letterhead and access to lawyers and a fax machine. I know it’ll never happen. They’re not going to want someone who has a track record of speaking truth to power using their soapbox to point out their flaws. But that would be an ideal gig.”

Mike Kessler (@mikeskessler) is a freelance writer in Los Angeles. This is his first piece for Wired.