After Andrea is attacked by a stranger in Mexico City, she just wants to figure out who the guy was. Investigating this question drops her right into the middle of one of Mexico’s biggest conspiracies.
PJ VOGT: Hey, quick warning: this episode has descriptions of sexual assault and violence. If that’s not something you want to hear, you should skip it.
PJ: From Gimlet, this is Reply All. I’m PJ Vogt.
It always feels like kind of a cop out to me when people say the Internet sucks, the Internet’s bad. Because while I completely agree, it’s absurd that the same place we go for jokes and news is also the place where we have to wade through death threats, and racism, and like endless, endless bickering.
But it always feels kinda weird to blame it on the Internet. Like, that’s us. Those are the people we know and see everyday, behaving how they want to behave under the cover of darkness. Like, it’s a mirror. It’s our responsibility.
That’s what I’ve always believed. But what if that wasn’t true? What if you found out the internet was bad, not because of the people on it, but because powerful people were designing it to be that way? What if you found out it was part of somebody’s plan?
This is a story about a person who met the people behind the plan.
Her name’s Andrea Noel, and she’s an American reporter who covers Mexico.
ANDREA NOEL: I was based in Mexico City for several years and now I float between the border region and Mexico City, I go back and forth.
PJ: And what do you usually cover?
ANDREA: Normally I cover politics, corruption, drug war. I’m kind of on the drug beat.
PJ: So the thing that happened to Andrea, it actually happened on her day off.
PJ: She was taking a walk in Condesa, her neighborhood in Mexico City,
ANDREA: I remember very vividly that I was walking down the street, kicking myself and just thinking, you know, what have I been doing for the last six months, why haven’t I been leaving the house and walking around. It’s, you know, walking by the park and everything’s beautiful and people are laughing and it’s a great day and I was literally having that thought–
PJ: When out of nowhere, she feels a stranger’s hands pull up her dress and pull down her underwear. She drops to the pavement.
ANDREA: And I do this 360, and there’s nobody behind me, and this guy’s running away in like slow motion, and I’m not chasing after him and he’s just running away.
PJ: The guy turns a corner and he vanishes. Andrea stands up, she looks around. No witnesses. This guy has just attacked her in broad daylight, and there’s nothing she can do about it.
ANDREA: Like, I blamed myself basically. Like why am I wearing these shoes, why didn’t I chase the guy? In any case, the–these thoughts lasted for a few seconds. And I started walking, just ready to continue with my day. And then I saw that there was a camera pointed at exactly where this had happened in front of a building.
ANDREA: So I saw that camera, and then I looked around, and saw another camera, and then I looked around, and saw another camera, and there were just cameras everywhere.
PJ: And so right then and there, she comes up with a plan. After blowing off some steam with an angry tweet, she decides, “I am going to get the surveillance footage.” So she starts knocking on doors, until she finds this building manager who says, “Yeah absolutely. You can have it.” He lets her tape it off the monitor using her cell phone.
The video is short. You see Andrea, alone on the street. You see the guy as he runs up behind her and attacks. And as he flees, he runs towards the camera, so you get this blurry glimpse of his face. And then there’s just a moment where you look back towards Andrea, you see her pulling her underwear back on and looking around on the street. Even watching it feels kind of like a violation. But Andrea writes a new tweet, she asks if anybody can help her identify this idiot, and she posts it, along with the video.
PJ: Did it feel weird just like putting that online? Like letting people see you in a way, in a moment where you were being attacked?
ANDREA: Yeah ‘cause I- I- well–I mean I wanted people to believe that it was real, because I had tweeted when it happened, “This happened,” and people were like not believing it.
ANDREA: I- I–I just could not wrap my head around the fact that people were accusing me of like making this thing up.
PJ: Particularly because street harassment is notoriously bad in Mexico City. Nine out of every ten women have experienced sexual violence on their daily commutes, and police rarely prosecute the people who do this. Actually last year, the mayor’s big solution was to hand out whistles that women could blow if they felt unsafe. So Andrea knows that the guy who did this to her fully expects to get away with it, and she just decides she is sick of this.
ANDREA: Because at that point, you know, like, my initial fear just became like, rage, and I really wanted to get the guy.
PJ: It turns out, she’s not alone. When she posts the video, she immediately starts hearing from all these women who are just as mad as she is.
ANDREA: Thousands of tweets started pouring in, faster than you can scroll. I mean it’s fifteen per second, and it’s just going, and you can’t even read them all.
PJ: All these women across Mexico responding with their own stories of horrific violence.
ANDREA: You know, it was like I was a proxy, I was like a vessel for all of this… just impotence, I think is the thing. It’s like, “Shit man we’ve been silenced, but here’s somebody who’s talking so like, GO GO GO GO” you know? It’s like…
ANCHOR: (in Spanish) Outrage over the case of Andrea Noel has grown like foam.
ANDREA ON TV: (in Spanish) So I went back, took photos of the cameras, and then…
PJ: By the next morning she’s live on the news.
ANCHOR 3: (in Spanish) Andrea Noel wrote on her Twitter account: “They just lifted up my dress and pulled down my underwear…”
PJ: It’s like overnight, she’s become a household name. And Andrea’ll be the first to tell you, she’s a weird poster child for this moment. She’s American, not Mexican. And what happened to her on the street is bad, but it’s not even the worst thing that had happened to her in the past year. But the fact that she’s saying, “Even this shouldn’t happen to women on the street,” that feels audacious.
And her supporters decide, “We are gonna help you find this guy.” And within 48 hours, they have a suspect.
PJ: This local YouTube celebrity named Andoni Echave.
Not only does Andoni look like the guy in the surveillance footage: same hair, same build, same complexion. The real thing that makes him look guilty as sin is the actual show that he hosts. It’s a prank show called Master Troll.
[MASTER TROLL VIDEO, LAUGHING]
PJ: Master Troll looks like a show where a bunch of people watch Jackass, and they were like “Let’s make this, but dumber and meaner.” So the pranks are stuff like, they’ll run up to an old lady and hit her with an inflatable hammer.
Another one is they’ll go up to women, and French kiss them, and then run off. And they like to pull men’s pants down. They run up behind men, they pull down their pants, and spank them. And the place where all of these pranks were filmed was Condesa, Andrea’s neighborhood.
Andoni put out a video officially denying responsibility, but you could tell he and his crew didn’t mind the negative attention. They were actually trying to promote the new TV show they had premiering that week.
ANDREA: They were really thrilled about the publicity, and loving it. Living, living it up. You know, they uploaded one video where they go around like pulling men’s pants down and said, “If you thought some lying hysterical hag would stop us, well, you’re wrong, hahaha!”
[MASTER TROLL CLIP]
PJ: Andrea and Andoni, they have now stumbled onstage for the sort of culture war that we have every other week in America.
PJ: And you know how these go. It’s Mike Pence vs. the cast of Hamilton. It’s Lena Dunham vs., for some reason, a local no-kill animal shelter.
And the two of them, Andoni and Andrea, they’re just like perfect foils for each other. Like Andoni is like the chauvinist with the offensive TV show. Andrea’s the feminist Internet writer who writes articles about how shows like that are problematic.
And it’s exactly the car crash you expect. Team Andoni says “Not only did he not do it, Andrea’s a fraud, she’s a liar.” Team Andrea actually circulates a petition and gets the Master Troll TV show cancelled.
Fighting goes on for weeks, and it’s an even bigger story because the Mexico police are involved, which is crazy because the Mexico City police do not investigate crimes like this. Only seven out of 100 crimes in Mexico are even reported. But now, when Andrea goes to the prosecutor’s office, they live tweet that she is being attended to.
That eight-second video of the attack, it becomes like the Kennedy assassination film. Everybody is watching it, trying to figure out exactly what they think happened. Including Andrea, who despite this huge fight is still not completely sure that Andoni is in fact the guy who attacked her.
ANDREA: You know I–I spent so many hours over the course of those weeks like frame by frame by frame. Doing like side by sides and really, really trying to look and like at one point I was looking for a tattoo that may or may not have been on his arm and you know I was looking at the shirt that he was wearing that looked like maybe a logo of a skull and then going through all of his photos trying to figure out like, “Is there a shirt like that? What is the clothes–” He wears vests. This guy is wearing a vest.
PJ: But while Andrea is anxiously re-watching the video, the story she’s in, it’s actually turning into a kind of nightmare. Andrea starts getting these death threats, not that she hadn’t gotten death threats before, but these are different.
ANDREA: Not just like, you know, “I’m going to rape you, bitch.” It’s more like photos of like skinned animals and like dead women.
And you know video messages saying, “I know where you live and the boss gave the order.”
SCARY AUDIO: (in Spanish) “Miss Andrea Noel, if you do not forget what happened, we’ll cut your little face. Remember (unintelligible) and we do what we want. Respect your life and that of your friends.”
PJ: This person is saying, “If you don’t forget what happened, we’ll cut your little face. We do what we want. Respect your life, and that of your friends.” But what really scares Andrea are the pictures they send of themselves. Young men with dead eyes, staring into the camera holding guns.
ANDREA: Mexico is a country where only criminals and cops have guns, so when you think, he’s got guns, that just kind of shows you that you’re dealing with the level of like we’re either dealing with an authority, or we’re dealing with somebody who’s like involved in drug cartels.
PJ: It was only later that the strangeness of all this would sink in for her.
In what possible world did it make sense that her accidentally getting a month-old TV show cancelled would piss off these kinds of people and this much?
Also, they seemed like an organized group. For instance, when they wanted to attack her, they had this signal, they’d retweet one of her tweets and just attached one word: ojo.
ANDREA: Which means eyeball, and it just means like, “look.” Um, so I would see under a tweet that I would post, um, somebody would tag a troll and say “ojo” and then that troll would retweet that, and then his whole network of thousands of Twitter followers to go directly after me, and then, everybody knew to jump onto it.
PJ: They’re like little messenger ants.
ANDREA: Yes, absolutely. And that would precede a slew of death threats and rape threats.
PJ: There was this one guy that Andrea calls Pasta Prophet, he would show up again and again.
ANDREA: He probably had about 80,000 followers, and a very large network of people he was, you know, interacting with.
PJ: She gets Twitter to shut his account down. That does not faze him at all.
ANDREA: I then saw him re-emerge immediately as a new account, um, which very rapidly accumulated tens of thousands of followers.
PJ: And then it starts to bleed into the real world. Like the day that she’s eating at a restaurant and Pasta Prophet tweets a map of the area. Or the time she’s just walking out in town and she gets another tweet with her location, this time with the message: “Finish her off.” She starts to feel like the only place where she’s even safe is at her house. And then one day, she’s at home, in her apartment:
ANDREA: I was in my living room, I was sitting at my computer which is over by a window and noticed like a green light in my eye and um realized that there was like a green laser on my forehead. And then, I stood up and ducked and moved away and the laser followed me across the room.
PJ: That’s so creepy.
ANDREA: It felt like a, like a, “We know where you live.”
PJ: Andrea’s had it. She gives up her apartment, she gives away her cat, she leaves the country. She’s just not safe there anymore.
And then comes the final humiliation. This whole time, the police have had additional surveillance footage of the attack, but Andrea hasn’t been allowed to see it. Now they’re saying she might get to, but there’s a catch. They need her to come back to Mexico, and go in front of a judge for something called a preliminary trial. Essentially, what this means, is that for the first time, Andrea will be publicly saying, “I think Andoni did it.”
And then, and only then, the judge might decide to release the surveillance footage.
So she agrees to do this. And while she’s in the air, there’s no Internet on the flight back to Mexico, she actually misses the big news. Which is that Andoni has found his own surveillance footage of the attack.
ANDREA: And you can very clearly see that it was not him. He tweets the video. And outrage cycle begins again, I land, and I’m the biggest piece of shit that’s ever walked the earth.
PJ: Andoni is now the real hero of the story. Andrea’s the villain who tried to take him down. The cops completely drop the investigation. The actual culprit, whoever he is, will never be found. Andrea cannot believe that this is where things have ended up.
ANDREA: By the time this was over I was near suicidal to be honest. I could not believe what had happened. You know, I was just, I was horrified. I was horrified.
PJ: At first she just tried to stay off the Internet, to not read anything about what had happened to her. But it didn’t take long before she realized, she still had a question. Like, where had all of those people who were attacking her come from? Who was Pasta Prophet, who were his followers, what was going on here?
And as she started to wonder about this, she realized she had one clue she could follow. Which was that the trolls used to do this thing where they would send her pictures of this random guy and they’d say “He’s the one who attacked you, not Andoni.” At the time, she dismissed it, because she knew they were lying. But now, she started to wonder: Who was that guy? Why did they want to set him up?
ANDREA: So in some of those photo exchanges, in the sub-tweets and in the comments, I start to get a picture of, you know, I realize the guy’s named, let’s say, Jose. That’s not his name but let’s call him Jose. And, then I just keep watching. Weeks go by. Months go by. And then I learn that his name is Jose Felipe. And then a few more weeks go by, a few more months go by and then I see a last name. So you know over–just really being vigilant and aware, eventually I piece together a full name.
PJ: The full name gets her to a Facebook page. The Facebook page helps her piece together this guy’s life. But the thing that cracks it is when she notices that sometimes these accounts that are harassing Jose, they don’t call him Jose, they call him Pasta. Pasta Prophet. She finds Jose’s phone number and one night at a hotel in Mexico City, she decides, “I’m just going to try to call him.”
ANDREA: (in Spanish) Hi, sorry, I called you just now, and I did get the number wrong, but I was looking for you. I’m Andrea Noel, how are you?
PJ: After the break, Pasta Prophet.
PJ: Welcome back to the show. So before the break, Andrea Noel was about to meet Pasta Prophet.
PJ: She’s at the hotel bar. She’s waiting for him. She’s watching different strangers come through the door.
And finally, he enters.
ANDREA: And for me it was like seeing a ghost. It’s like, this guy walks in and I knew his face, like, so well at this point.
PJ: He’s short, he’s a little chubby, he’s got a babyface. He sits down across from her, and they begin a very long conversation.
PJ: Pasta Prophet, for reasons that’ll become clear, did not want to be interviewed for this story. But here’s what Andrea says happened next.
ANDREA: The first thing we did was call a truce, of course, because, you know, I brought down his account and, he didn’t like that. And then he also threatened to kill me, and I didn’t like that.
[PASTA PROPHET TALKING]
ANDREA: My main motivation in talking to him was of course, I just wanted to know why, you know, I just wanted to know why all of this had happened.
PJ: He says, “OK, I’ll explain. Everything that happened to you happened because you were a pawn in a much bigger plan.” And he says he wants to tell her about that plan, because he feels like at a certain point, things just went too far.
ANDREA: He was basically a–a door opening into all–this world that I had spent the previous year only like poking at from the sidelines, and not really fully understanding.
PJ: So for years Andrea had heard about this conspiracy theory. That the Mexican government had somehow found a way to manipulate what news people ended up seeing on the Internet. Not censorship, something sneakier. And Pasta Prophet told her, these rumors, they’re true. I know because this is the work that I do. And so Andrea started to get a picture of how this worked. Not just in this one conversation, but in many more she would have with Pasta Prophet, and then many interviews she would have with other people who had been involved in this whole system.
PJ: So, as far as Andrea can tell, here’s how this whole thing started. In the year 2000, a completely unprecedented thing happened in Mexican politics, which is that the PRI, the party who had ruled Mexico for 71 years uninterrupted, they lost a presidential election. And then they lost the next one. And so they got desperate. And when the next campaign season started, these mysterious help-wanted ads started to appear online. Job opportunities for young, Internet savvy people with an interest in politics.
I talked to a woman who actually ended up answering one of these ads. We’re gonna call her Sophie. We’ve disguised her voice.
SOPHIE: I went to an interview, and they asked me things, like if I knew how to use Twitter, if I knew what was a hashtag. And I told “Yes yes yes,” and then they hired me and I began working like 3 days after my interview.
PJ: So Sophie shows up for her first day of work. The office is actually a house, in a neighborhood that she thinks is kinda sketchy.
And she learns that her job is gonna be to get young people to vote for the PRI’s candidate, Enrique Peña Nieto.
PJ: Would they have you tweet under your own personal account or did they have an account they wanted you to use?
SOPHIE: No they gave us a lot of accounts. In my case I had three or four. There were people that had more, like five or six, there were people that only had one, but they were fake accounts. You could not use your Twitter account for anything, anything, anything, because it was like secret.
PJ: For the record, we’ve reached out to multiple people at the PRI. None of them were able to provide us comment for this story. Sophie, and the hundred other people that worked alongside her, their job was to amplify good news about Peña Nieto, and bury the bad news. And for the people in her office and the many other offices like hers, the techniques for burying the bad news were kind of fascinating. Andrea got her hands on a bunch of the internal emails where this is described, but basically if you were an employee in one of these offices, you were given meticulous plans for how to fill the Internet with white noise.
ANDREA: So, in the morning you arrive at your desk and there’ll be an hour by hour strategy beginning, let’s say, 8 a.m. We’re gonna launch the hashtag “Happy whatever day it is.” Next would be, “Hashtag don’t you hate it when,” and then would be, “Hashtag my mom just told me,” or like “Hashtag I’ve never felt better than.”
PJ: It’s sort of- it’s the same–
ANDREA: It’s fill-in-the-blank sentences–
PJ: Terrible, mad-libs memes that dominate actually like a lot of American Twitter.
PJ: So they were basically doing the work that Russian trolls would later do in the American election. Fill the internet with spam, and then have a bunch of fake people promoting opinions. But sometimes that strategy wasn’t enough. Sometimes there’d be a piece of news that was just too big to drown out. Like when The Guardian released a story alleging that the PRI had been bribing the country’s big TV network in exchange for good coverage.
For stuff like that, they would create a massive diversion online. They’d make up an event.
ANDREA: So you know, they call them smokescreens and you can see it like bullet pointed–
PJ: Like internally they called them smokescreens?
ANDREA: Oh yeah, I mean, there’s no, they’re not–they’re not shy about the terminology and they’re not pretending like I mean that’s the really, the thing that surprised me is how explicit and blatant the language is that they’re using. So a combination of smokescreens that can be like, actually I think they killed Justin Bieber when that article came out.
PJ: They killed Justin Bieber?
ANDREA: Yeah, but they’ve done that a bunch of times. You can see them killing Bieber three or four times.
PJ: So Andrea actually corrected herself later, it turns out that that time, after The Guardian story, they didn’t kill Bieber, they just pretended to cancel one of his concerts. Other times, he was not so lucky. And if every diversion failed, they still had one more tool. They’d just start a fight. They’d tweet some offensive, vitriolic hashtag and then hope that the ensuing argument drowned out any other conversation.
ANDREA: So it’ll be like “fuck gays” and there you go and all these people jump on to it.
PJ: Like instead of saying, “Hey everybody loves the president and hates his opponent.” You’re like, “Hey does everybody love Wednesday and hate gay people?”
PJ: And like- through like–banality and viciousness you can just like flood the room so that no real conversation takes place.
ANDREA: Exactly, and so that’s the whole strategy and you can see it hour by hour by hour.
PJ: So for three months, Sophie kills a bunch of celebrities and pretends to be a bunch of different people who really love Peña Nieto. And then it’s July, and it’s election day. And on election day, something happens that Sophie does not see coming.
PJ: Peña Nieto actually wins. The PRI is back in power. Sophie and a lot of her coworkers were stunned.
SOPHIE: The day of the, the final results of the elections, we cried.
PJ: In the blog center?
SOPHIE: In the blog center. We cried. Yeah because we didn’t want Peña Nieto to win, but we were working for him. So it was a very strange thing. But we thought at the beginning that Lopez Obrador was going to win.
PJ: So it felt safe to do a job that you didn’t agree with because you didn’t think it would matter?
SOPHIE: Yeah, exactly. Yeah.
PJ: So, Peña Nieto takes office. And Andrea says that afterwards, things change. Some smart person at the PRI realizes, “Oh no. We’ve built a super risky system here. There’s a paper trail of pay stubs and contracts that runs from us, to our marketing agency, to hundreds of people like Sophie. Which is a huge problem, because what we’re doing here is against the rules.”
And so they build this new system which other parties quickly adopt. Now, you take your money, you give it to your agency. But instead of hiring a bunch of people, they contract out to a very small network of anonymous freelancers. Freelancers like Pasta Prophet.
ANDREA: So, to explain, what we’re talking about is a network of freelancers who are basically faceless, you know, they don’t have to know each other’s names, they just know each other’s usernames, they’re in these WhatsApp groups, and they share information.
There’s no way to trace back the money. There’s no way to know where it’s coming from.
PJ: Pasta Prophet is a mercenary. He doesn’t have political loyalty. He’s happy to promote or target anybody, as long as the money’s good. And it–the money is really good, he says he can make $1,000 for getting a political hashtag to trend. And the reason he can do this, the thing that makes him good at his job, is that he has this huge volunteer army by his side. This volunteer army that’s made up of Mexico’s most notorious Internet troublemakers.
ANDREA: There are these groups of, they’re Facebook groups that exist in Mexico that have gathered hundreds of thousands of like young, young children, like, 12 years old, 13-year-olds, 14-year-olds.
PJ: The kids in these groups, they’re the kind of kids who would be on 4chan in the U.S. They like sharing memes and they like trying to impress each other with excessive, imaginative acts of cruelty. The most notorious group is called Holk Legion, their logo looks like Pepe the Frog, but on steroids.
The quickest way to explain what they’re like: In the aftermath of a horrific school shooting in Mexico last year, Holk Legion started publicly bickering with another similar group saying the shooter is one of our guys, not yours. Anyway, Holk Legion? They also happen to be Pasta Prophet’s army.
ANDREA: He’s what they call in Mexico like a chavoruco, like an old kid. You know like he was too old to be one of them, but he was their boss. He’s their admin. So they do a lot of stuff to get into his good favor, because they wanna be cool, and they wanna be accepted.
PJ: If Pasta Prophet asked one of these kids to go do something mean or cruel or mischievous, they’re game. But remember, he needs them to help him do his professional political work.
ANDREA: So, and here’s how he explained it to me. Say you’ve got 300 kids at your disposal. These kids want to spend their day sharing momos and having lolz. So obviously these kids aren’t gonna sign up to just move this really boring political spam all day.
He’ll say, “We’re going to do this for 15 minutes. Everybody get in. Everybody get on it. The rest of the day is recess.”
PJ: Recess meaning that Holk Legion got to do what Holk Legion actually liked doing: harassing people. Which finally answered the question that had brought Andrea all the way to Pasta Prophet.
ANDREA: You know specifically I asked him why he threatened to kill me, because that was a question that I had —
ANDREA: — lingering. And he essentially explained it as, his exact quote was it was for love of the sport.
PJ: The sport.
ANDREA: Yeah. I was recess. I was for love of the sport.
ANDREA: I got trolled by a bunch of 12-year-olds.
PJ: Christ. How did it feel, finding that out? You seem chagrined more than anything.
ANDREA: I mean… wha- I mean what can I say about this? You know it’s just- it’s so… It’s been so confusing and, once I finally did figure it out- I mean you just feel like the biggest idiot in the world.
PJ: Everything that had scared her so much: the pictures, the messages, the thing with laser pointer, even the fact that they knew where she was sometimes– They were just a bunch of kids who liked to troll her, and some of them probably lived in her neighborhood. The more scared she got, the funnier it was to them. The only person who hadn’t been that amused was Pasta Prophet. After a while he started to feel bad, like they’d gone too far. And so he tried to cut ties with them.
ANDREA: It’s kind of like the mafia, I’ve realized, in that you can’t voluntarily leave. So then he became a target.
PJ: Which is why the kids had been sending Andrea his picture, trying to frame him. But in doing so, they’d made a mistake. They’d left a breadcrumb that Andrea could follow back to Pasta Prophet, back to them, back to the whole system they were a part of.
A system where Mexicans were getting an Internet that was more toxic and more horrible, and politicians were making it that way so that they could distract them. So Andrea has spent the last year learning everything she can about how that system works, and she’s showed us the hundreds of documents she’s planning to publish, demonstrating everything she’s learned. Her timing couldn’t be better, it’s election season.
ANDREA: We’re about to just decide, you know, the future of Mexico. And it could go a number of ways. We could either stick with the ruling party, which has shown itself to be brutal and horrific or we could go with like the leftist populist leader who’s often compared to like a Chavez-type. You know, I can’t remember a time that was quite as decisive as right now.
PJ: And so Andrea finds herself in familiar, treacherous territory. She’s about to go out in public, and say this thing that she knows will piss off a lot of people, draw a fresh bullseye on her back. She knows Holk Legion is not going to like what she publishes.
ANDREA: Um and then obviously the rest of the story is when I like start pointing fingers at a lot of these super filthy politicians… And the president of the fucking country. Um so yeah I’m a little bit nervous.
PJ: But it’s funny you’re talking about like the hell-storm that you’re very possibly about to walk into and like, I can hear that you’re smiling.
PJ: What’s that about?
ANDREA: Well okay, so for me, it is incredibly satisfying to have an answer to a question, to a series of questions that um, to have reached an understanding of something that I did not understand. Um, you know, it’s like, becoming an expert thereminist.
PJ: (laughs) You mean cause it’s like this obscure strange thing?
ANDREA: Yeah it’s–just strange thing and you don’t quite know where to begin and then a year later, you know, um, –you’re uh, you got it.
PJ: Andrea Noel reports for the Daily Beast.
PJ: Reply All is hosted by me, PJ Vogt and Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, and Damiano Marchetti. Our editor is Tim Howard. We had additional production help from Khrista Rhypl, and additional editing help from Sara Sarasohn. The show is mixed by Rick Kwan. Factchecking by Michelle Harris and Ana Prieto. Our intern is Anna Foley. Our theme music is by the mysterious Breakmaster Cylinder. Matt Lieber is snow before you get sick of it. Happy first birthday to Fitz Nagle. If you’d like, you can visit our website at replyall.limo. You can find more episodes of the show on Spotify, Apple Podcasts, or on cassettes that you’ve recorded the show on to, if you’re really old fashioned. Thanks for listening, we’ll see you next week.
After a secret breaks in the news, Reply All re-examines how Alex Blumberg’s Uber account was hacked. This episode is a follow up to #91 The Russian Passenger and #93 Beware All. Further reading: The Best Password Managers
ALEX GOLDMAN: So last March, our boss Alex Blumberg, came to us with what we thought was a very simple question. His Uber account had been hacked, and he wanted to know how it happened. And answering that simple question sent us on a quest that took months, but finally we got an answer.
And then, a month ago, a secret was revealed that totally upended our understanding of the story. So we’ve decided to reopen it.
Today, we’re re-airing the original story, and then following it up with more reporting. If you want to skip straight to the new stuff, it’s around 42 minutes.
Ok, here’s the show.
ALEX GOLDMAN: From Gimlet, this is Reply All. I’m Alex Goldman.
PJ VOGT: And I’m PJ Vogt.
ALEX GOLDMAN: Uh, this week we have our boss, Alex Blumberg, in the studio. Uh Alex actually just got back from a vacation in the Bahamas. Uh. How was it?
ALEX BLUMBERG: It was great.
ALEX GOLDMAN: So… Alex, you asked us to come into the studio and I don’t have any idea why. So, lay it on us!
ALEX BLUMBERG: I need some super tech support help—
PJ: Whoa! You’re crossing segments.
ALEX BLUMBERG: (laughs) I am. I’m–that’s right.
PJ: What’s your super tech support question?
ALEX BLUMBERG: So I was coming home, so I got home from vacation, I woke up the next day, and I look at my phone, uh, and I see some Uber notifications. And this is weird because I haven’t called Uber ’cause it was like six in the morning. And, that was weird enough. But the really weird thing is that the Uber notifications were in Russian. Here’s a screenshot.
PJ: (whispers) What?
ALEX BLUMBERG: So and I actually speak a little Russian.
PJ: Oh right. So what does it say?
ALEX BLUMBERG: This one says (speaking Russian) which means, your Uber is en route. Ar-Arthur, 4.9 stars, is um, will be there in one minute. Uh, you know, then the next one–Dennis is arriving in a Mercedes Benz E-class–
ALEX BLUMBERG: License plate, blah blah blah blah blah. Arthur is arriving in a Kia Rio. It’s literally–
PJ: Oh! So it’s more than one ride though?
ALEX BLUMBERG: So it’s more than one ride, two–like two different people have called Ubers in Russia (laughs) and the notifications are being sent to my phone.
ALEX GOLDMAN: Alright, so I have some questions.
ALEX BLUMBERG: Yes.
ALEX GOLDMAN: Did you check your Uber account to see if these rides appeared in your history, if that’s possible?
ALEX BLUMBERG: Ok, so, I checked my bank account, and in fact my bank account had been charged with two rides, 25 dollars.
PJ: So, like, what my brain is saying is: “Somehow, someone, in Russia, got the password for your Uber and is just like–”
ALEX BLUMBERG: And hacked my Uber account, right?
ALEX BLUMBERG: Right, but it’s still being charged to my bank account.
ALEX BLUMBERG: Right.
PJ: This actually, this seems annoying, but it seems like you call Uber, you tell them this happened, they refund the charges and they change your password.
ALEX BLUMBERG: How naive.
ALEX BLUMBERG: How innocent. You’re like an innocent, naive little lamb.
PJ: Ok, so what happens?
ALEX BLUMBERG: Alright, so then I like I press the Uber icon on my phone to like, go in, and instead of the normal thing that happens when it shows up and it says, “Hi Alex Blumberg, blah blah blah, where would you like to go?” whatever, the normal screen, I get this screen. . . And it says–
PJ: What? “Uber. Get moving with Uber. Enter your mobile number.” So it’s treating you as a new user, basically–
ALEX BLUMBERG: It’s treating me as the-as if I just downloaded the app and I-they have no record of who I am or anything, and-and–
PJ: Which is weird because you’re on your phone.
ALEX BLUMBERG: It’s on my phone. It’s the app that was installed my phone, but when I open it up, it doesn’t recognize me. So then I’m like, “Uh oh.”
So then the next step would be to call Uber… (pause) It’s impossible to call Uber.
ALEX GOLDMAN: Right.
ALEX BLUMBERG: So we emailed help.Uber.com and I got a [sic] e-mail response from them saying like, “We are unable to find a-any account associated with this email and mobile number.” And then I wrote back and I was like, “That’s really weird, because that’s my phone number, it’s definitely associated with this account, I have–I just received notifications this morning to this number.”
PJ: “Credit card charges from your company.”
ALEX BLUMBERG: “I have credit card charges from your company,” etc. etc. etc. And they wrote back the same thing, and they wrote back, “Sorry to hear your trouble, uh, we’re unable to find an account associated with the email, number. For security reasons, please email–”
And so then I kept on writing. And they kept on sending the same form email back and forth, and so then I was like, ok, what do I need to do? How do I–how am I gonna get out of this machine loop that I’m in here, where they keep sending me the same form letter back–
PJ: Over and over again.
ALEX BLUMBERG: Over and over again. And so then I was like, maybe if I-I wrote the word “escalate.”
ALEX BLUMBERG: And then I started typing some things in all caps–
ALEX GOLDMAN: Wait you just–you–
ALEX BLUMBERG: And I started cursing, just to, is this going to like get me to a higher level of service?
PJ: Like when you get a robot on the phone sometimes when, it’s like you say the right words.
ALEX BLUMBERG: “Agent! Agent! Agent!” I was doing the email equivalent of ‘agent’ over and over again.
ALEX GOLDMAN: Were you do–were you sending these all as individual emails?
ALEX BLUMBERG: Yeah yeah yeah, no, so I have, yeah. So look–it’s like 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, you know, it’s basically 15-20 emails back and forth between me and Uber.
PJ: And it’s all getting the same…
ALEX BLUMBERG: And it’s all getting the same thing. So, by this time I’d roped my wife Nazanin into helping me with this, and we found, and she-her Uber app was still working. And so she found, inside the app, there’s–there is a number that you can find and it’s the number that you are supposed to call if you’ve been assaulted or endangered. That’s the one number that is an actual human being on the other end.
ALEX BLUMBERG: So I called that number.
ALEX GOLDMAN: And…
ALEX BLUMBERG: And I said, “I haven’t been assaulted by a driver.”
PJ: But I need to talk to a person!
ALEX BLUMBERG: “But I need to talk to a person, because”–and then there was a very, very nice lady who was like, “I will try to, I–lemme try to help you.”
I explained to her the whole story, and she was like “Gimme your phone number,” and I gave her my phone number and she was like “There is no–I have no memory of this phone number.”
ALEX GOLDMAN: Get outta here.
ALEX BLUMBERG: And she was like, “Hold on.” And then she came back and she was like, “There’s one more thing I can do. This is a little unorthodox, but if you give me your credit card number, I think I can call up your account through that.”
And I was like, “Ok.” And I gave her my credit card number, the credit card number that had been charged that very morning from Russia, and she was like, “I have no record of this credit card ever existing at Uber.”
PJ: That is so weird.
ALEX GOLDMAN: That’s bonkers.
PJ: It feels–
ALEX BLUMBERG: My entire existence has been erased.
PJ: It feels creepy.
ALEX BLUMBERG: It’s super creepy. And then I was like, “Is there anybody that can help me?” And she was like, “There’s nothing I can do.” So then I was like, “Okay.” (sighs). So then I started emailing some more.
ALEX GOLDMAN: And what–were you getting any variation in response?
ALEX BLUMBERG: No, and then they stopped.
PJ: Did she give you advice about–
ALEX BLUMBERG: And they just stopped even auto-responding.
PJ: They stopped responding to your emails at all?
ALEX BLUMBERG: Yep. So I have not heard from them in three days.
ALEX GOLDMAN: (clears throat) Ok.
ALEX BLUMBERG: And here are my questions.
ALEX GOLDMAN: Go for it.
ALEX BLUMBERG: I want to know, how did this happen? And then …Did somehow I–I do this, or was this purely like a data breach at Uber?
ALEX GOLDMAN: Ok! I think that I–I hope that I can answer that. I will look into it for you and I will get back to you.
ALEX GOLDMAN: Uh, okay, a week ago–
ALEX BLUMBERG: Yes.
ALEX GOLDMAN: You came to me with a problem.
ALEX BLUMBERG: I did.
ALEX GOLDMAN: And the first thing that I wanted to know was like, is this a freak occurrence, or does this happen all the time? What I was struck by was how common this Uber hacking turned out to be. Like, I went on Twitter and found a ton of people who were having similar problems. Like I found people who were reporting that there were rides that they’d never taken in places like London and Hong Kong and France and Indonesia. Like it’s happening all over the world.
ALEX BLUMBERG: Wow.
ALEX GOLDMAN: And what I was curious about is where these hacked accounts were coming from.
ALEX BLUMBERG: Uh-huh.
ALEX GOLDMAN: Like, how were people getting their hands on them? And I saw that Joseph Cox, who is a writer for Motherboard, and he was on the show (laughing) the other week, um–
PJ: Helping me hack your phone.
ALEX GOLDMAN: Helping you hack my phone.
ALEX GOLDMAN: So, I saw that he had written about exactly this problem.
JOSEPH COX: Hello, can you hear me?
ALEX GOLDMAN: Yes, I can hear you well. Joseph?
JOSEPH: Yeah, how you doing man?
ALEX GOLDMAN: So I called him up in Berlin. And he told me that a while back he was browsing the dark web, and, if you don’t know what that is, that is just a … part of the internet that is not easy to get to, it requires special software to get on, and a lot of illegal stuff is sold there.
JOSEPH: Uh, so I was just browsing one of the Dark Web marketplaces, which uh … I actually spend a lot of time doing. You’ll just go through the listings like you’re on Amazon or Ebay or whatever, and you’ll come across something pretty interesting like 70% of the time.
ALEX GOLDMAN: Can you give me an example?
JOSEPH: Hazmat suits (laughs), AK47s.
ALEX GOLDMAN: (laughs) Oh my god.
JOSEPH: You know, all–all the good stuff, really.
ALEX GOLDMAN: So, Joseph was just poking around, not really looking for anything in particular.
JOSEPH: And I just came across this vendor who said he was selling Uber accounts, uh, and I thought, “Well, that’s pretty interesting.” And then we looked into, and there were a hell of a lot of people selling stolen Uber accounts on the dark web.
ALEX GOLDMAN: And Joseph told me that they’re relatively cheap.
PJ: How cheap is cheap?
ALEX GOLDMAN: They’re between four and seven dollars each.
ALEX BLUMBERG: So you can buy … somebody else’s Uber account.
ALEX GOLDMAN: Mhm.
ALEX BLUMBERG: For four to seven dollars.
ALEX GOLDMAN: Right.
ALEX BLUMBERG: And then, and then, basically what you’re doing is buying my password and login.
ALEX GOLDMAN: Your username and password.
PJ: The fact that like, oh, there’s all these accounts, like to me that suggests that it’s not everybody’s fault, that like, somebody isn’t getting, if somebody shows up and they’re like, “I got 1000 Uber accounts, you want to buy one?” It’s not because they guessed 1000 passwords, it’s because like, Uber made a mistake.
ALEX GOLDMAN: Totally! And that’s what I assumed was the case also. Except Joseph specifically asked Uber if they had gotten hacked.
JOSEPH: Uber, they totally denied that they had a data breach, and then as I continued to report and spoke to these hackers who said that–how they were accessing accounts, that kind of backed up what Uber said. We found no evidence that there was a data breach actually at Uber itself.
ALEX GOLDMAN: And so I decided to go on the dark web and just ask people like, “Hey–where are you getting these Uber accounts?” And, you would be surprised to learn (laughs), I’m sure you’ll be shocked, they’re not super stoked to talk to people who want to talk to them about their criminal activities.
PJ: Well they probably just don’t listen to podcasts.
ALEX GOLDMAN: But, this one guy went by the username “Passman.” Um, I sent him a message saying, “Did all of these Uber accounts come from some huge hack of Uber?”
And he told me the same thing Joseph told me, which was: he didn’t think that anything like that had happened.
ALEX BLUMBERG: Ok.
ALEX GOLDMAN: And I said, “Interesting. Can you do me a favor, and see if, uh, any of these email addresses are in your cache of, um, hacked Uber accounts?”
PJ: And you gave him a bunch of Alex’s email addresses?
ALEX GOLDMAN: A couple. Yeah.
ALEX GOLDMAN: (laughs) And his response was, and I quote, “Why are you giving me your boss’ email addresses? Do you want me to take a crack at his other accounts? That’s daring.”
PJ: I kind of agree with him.
ALEX BLUMBERG: Yeah.
PJ: “So I went to all the local muggers and I showed them a picture of you–”
ALEX GOLDMAN: (laughs)
PJ: “–And your wallet, and they said they didn’t recognize you but it seemed like you have a lot of money!”
ALEX BLUMBERG: Oh my god. Okay.
ALEX GOLDMAN: Look, whatever, it’s done, I can’t take it back. Um. Regardless, Joseph told me that he had a theory for what might have happened, and it’s this thing that hackers do that’s called ‘credential stuffing.’
PJ: That sounds gross.
ALEX GOLDMAN: It does sound pretty gross. Joseph told me how it works:
JOSEPH: So companies’ websites are hacked every single day. Last year we had LinkedIn, Myspace, VK.com. All of these other breaches of tens if not hundreds of millions of accounts. Uh, with email addresses, and passwords being traded amongst hackers. But if you’re a clever hacker, you’re not only going to use those details, to break into accounts on that one site, you’re gonna see if they work on something else. The problem there is that people are using the same password on multiple websites and services.
ALEX GOLDMAN: Ohhhhhh.
JOSEPH: All they’re doing is reusing the password, but they’ll have a special piece of software which can just churn through just hundreds if not thousands, very very quickly. The more that me and my colleagues report on these data breaches every other day, every week, it is password reuse that is the main threat to ordinary users of the internet for sure.
ALEX GOLDMAN: So, at this point I’m thinking like, this might’ve been the thing that happened to you. Uh, someone got your password from some other account, like your diapers.com account, and it was the same password that you use for Uber.
ALEX BLUMBERG: I mean who uses a different password for every single online service they’ve ever–?
ALEX GOLDMAN: Yeah, I–I totally agree. I don’t do it either. And I am definitely rethinking that now that I’ve reported this story. And, to that point, Joseph had a piece of advice.
JOSEPH: Get a password manager, which is a piece of software which will generate unique, strong passwords so you don’t have to remember them.
ALEX GOLDMAN: But, since I know you don’t use a password manager, um, I wanted to know if someone had found your password in some hack that had made its way onto the internet. And luckily there’s a guy who can tell us if that happened.
TROY HUNT: My name is Troy Hunt. I am a security researcher. And I am recording from my home on the Gold Coast in Australia.
ALEX GOLDMAN: Which Troy makes kinda sounds like heaven on earth…
TROY: It’s sunny. It’s gonna be 30 degrees, that’s celsius. Nice and warm. I think I might go out on the water.
ALEX GOLDMAN: Ugh.
TROY: It’s clear skies–
ALEX GOLDMAN: Troy’s an internet security researcher. So he knows that the more a person uses the internet, signs up for new services, new websites, the more vulnerable they become.
TROY: You sort of leave these little traces of yourself all over the internet. And as time goes by, those traces just get larger and larger. Uh, and the chances of one of the places you’ve left your data being breached and that data then being leaked continues to go up.
ALEX GOLDMAN: So, in 2013, Troy started a website that’s called haveibeenpwned.com. P-W-N-E-D. It’s a way for people to find out whether their personal information has ended up on the internet.
TROY: So when we see data breaches where a company, like, say LinkedIn, is hacked and their data is, uh, ultimately spread across the internet, I grab these data breaches, I aggregate them into a service, and I make them searchable so that people can discover where they’ve been exposed.
PJ: So what’d you find?
ALEX GOLDMAN: Well PJ, why don’t you put your email, your–your personal email address into, into this.
PJ: Oh boy that’s, this is uncomfortable. Okay. [typing noise] Oh no.
ALEX GOLDMAN: (laughing)
ALEX BLUMBERG: (laughing)
PJ: Woooooow. I’ve been pwned.
ALEX GOLDMAN: On how many different sites?
PJ: Two! That’s crazy. Like these are… it’s Adobe and tumblr… both of these are accounts that I’ve had forever. Oh that feels horrible.
ALEX BLUMBERG: Your username and password is on the dark web.
PJ: That is–
ALEX BLUMBERG: Right now.
PJ: A really bad feeling.
ALEX BLUMBERG: That’s wild.
ALEX GOLDMAN: Alex Blumberg, would you like to take a look and see what’s going on here.
ALEX BLUMBERG: Oh god–have I been pwned?
ALEX BLUMBERG: I’m–this is terrifying to type this in. [typing sound] Good news! No pwnage found!
ALEX BLUMBERG: Alright.
ALEX GOLDMAN: Alex, I don’t want to rain on your parade, but Troy told me that just because the website shows that you haven’t been pwned, that doesn’t 100 percent mean that your credentials were never part of a data breach.
TROY: Yeah, there are a heap of unknown unknowns. (laughs) You know? There are all these things that happen that we simply never hear about. There’s stuff that has already happened that will come to light later on. And there’s also stuff that will never come to light.
ALEX GOLDMAN: So, for example, in 2016, 360 million Myspace accounts were put up for sale on the dark web. But they had actually been taken in 2013. So for like three years someone was sitting on them, maybe using them, and, uh, Troy couldn’t put them in his database because he didn’t know they’d been hacked.
ALEX BLUMBERG: So even though I got the message saying that I have not been pwned, I may still be pwned–
ALEX GOLDMAN: Yeah.
ALEX BLUMBERG: Somewhere. Should we interrupt this super tech support to do a very quick Yes Yes No on the, on the origin of pwned?
ALEX GOLDMAN: Yeah. It’s very easy. You ready?
ALEX BLUMBERG: Yeah.
ALEX GOLDMAN: Most people know it because in video games, when you beat somebody very badly you say that they’re “owned.”
ALEX BLUMBERG: Right.
ALEX GOLDMAN: And the ‘p’ is right next to the ‘o’ so people frequently misspelled it and then they misspelled it frequently enough that it just became its own word.
ALEX BLUMBERG: Gotcha.
PJ: I could have told you that also. [pause] I didn’t know that. (laughs)
ALEX BLUMBERG: (laughs) So haveibeenpwned.com.
ALEX GOLDMAN: Right. So based on talking to Troy and to Joseph, my working hypothesis has been like your Friendster account got hacked and it made its way onto the internet somewhere and it’s just never come to light. But, then I got in touch with Uber. And what they think happened, actually might be a lot worse than that.
ALEX BLUMBERG: What?! What did they tell you?
ALEX GOLDMAN: So you told me at the beginning of the show that your account just disappeared all together. Like Uber did not recognize its existence.
ALEX BLUMBERG: Yes, exactly.
ALEX GOLDMAN: And what they told me was, when someone changes their account info, like their email address or their phone number, the support team only has access to the new information. So the way that they found your hacked account was the screenshots that we sent them, of your phone’s lock screen, which had driver names and driver’s licenses on them. And from the license plate numbers, they identified the rides that were taken. And from those rides, they identified your account and got it back for you.
Um but once they got your account back, they took a look at it, and they told me that they’re pretty sure that not only was your Uber account hacked, but your Gmail account was hacked.
MELANIE ENSIGN: What we saw on our end, um, was … some suspicious logins, um, for Alex’s Uber account. So whoever was trying to log in did have his password. Um, but we have systems that will detect, um, logins that look suspicious.
ALEX GOLDMAN: That’s Melanie Ensign, and she is the person whose job it is to talk about security at Uber. And Melanie told me that when Uber saw your trips in Moscow, the ones that you didn’t actually take, they sent you an email that said, “You have to click on this link to verify that you’re actually now in Moscow.”
MELANIE: And so, whoever had access to his email account was clicking on those links, verifying it was him, and then deleting the notification before he saw them.
ALEX GOLDMAN: Oh!
MELANIE: And that’s why since Alex doesn’t have any memory of … ever seeing the email, why we believe that somebody had access to his email account first, um, because somebody was taking action on those emails and then deleting them.
ALEX BLUMBERG: This is where I’m like, “Okay maybe.” But there’s one thing that still does not make sense to me. I have two-step verification. And the–the purpose of this is that is to protect against just the thing that Uber is saying happened to my account.
In theory, even if hackers got my password information from the dark web, they go to their Russian computers and their Russian cyber cafe, they login, and then they’re gonna get a message that says, “Please enter the code.” And so, and I would be getting a text to my phone saying, “Here’s your authentication code,” and I’d be like what in the world is going on here and then I would like sound the alarms. So this–that’s what I don’t understand. Like how, because I have two-step verification, how did somebody manage to do this from a remote computer?
PJ: I mean is the question you’re really asking just, is Uber lying basically? Like are they saying that they sent suspicious activity emails that they didn’t really send and they’re trying to cover their asses?
ALEX BLUMBERG: I don’t think Uber’s lying. But I want to find out, can we determine, there’s gotta be somebody you can call in to make sure–to tell me if my account has been hacked or not. My Gmail account.
ALEX GOLDMAN: Alright.
PJ: And then, yeah–
ALEX BLUMBERG: And is it hacked still? Am I, at this very moment, pwned?
PJ/ALEX GOLDMAN: (laughing)
ALEX GOLDMAN: Alright. I’ll uh try to figure it out.
ALEX BLUMBERG: Alright.
ALEX GOLDMAN: (clears throat) Okay so it’s been a couple days. And I just sorta wanted to recap where we’re at.
ALEX BLUMBERG: Ok.
ALEX GOLDMAN: At first I thought that Uber had had some kind of data breach and your username and password had made it out into the world. And that does not appear to be the case. And then, I thought that maybe another account of yours got hacked from somewhere else and people used that username and password for your Uber, but that also seems unlikely.
And when I went to Uber, Uber told me that your Gmail account had probably been hacked. And so, uh, like I said, I’ve been looking into this and I don’t know what happened to your gmail.
ALEX BLUMBERG: Ok.
ALEX GOLDMAN: And in the past when tech support problems have gotten bigger than me– Or at least once, we brought in a ringer.
PJ: (gasps dramatically)
ALEX BLUMBERG: Ok.
PJ: Sort of like a super Alex Goldman.
ALEX GOLDMAN: He, yes. We brought in someone who is basically a super version of me. His name’s Dave Maynor. He is a security researcher, he lives in Atlanta, and I have him on the phone.
DAVE MAYNOR: Howdy!
ALEX BLUMBERG: Hey–
DAVE: How you guys doing?
ALEX BLUMBERG: Good. Hey Dave.
ALEX GOLDMAN: So Alex, I’ve already briefed Dave on what’s going on with you, so you can ask him any question you want.
ALEX BLUMBERG: So, that, my question is: Did someone take over my Gmail account? Um, and does somebody still have access to my Gmail, ’cause that would be scary. And–
ALEX BLUMBERG: It doesn’t seem possible because I had two-factor auth–authentication.
DAVE: Let’s start with your questions. First of all, is it possible? Yes, this happens all the time. The next step to–to kind of, narrow down this mystery, is to take a look at the access logs for your Gmail account and see if there is anything suspicious.
ALEX BLUMBERG: Ok, so where do I find the access logs?
DAVE: So, there is one where you can go to like this myaccount.google.com/device-activity.
ALEX BLUMBERG: (typing) Slash device, slash activity?
DAVE: Device DASH, uh activity. Like hyphen.
ALEX BLUMBERG: Alright. Yeah. Mac–and it’s got a bunch of Nassau, the Bahamas; Windows, the Bahamas.
PJ: Wait, Windows, the Bahamas?
ALEX GOLDMAN: Uh, it shows a Windows machine, which Alex does not have, accessing his account from the Bahamas.
ALEX BLUMBERG: Oh–yeah, but no I did, ’cause, my dad had his, yes, no, my dad had his Microsoft tablet. So I tried to log on–that’s right, I tried to log on to a Google Docs thing. But my account was compromised three days or four days after I accessed the Surface. So it wasn’t like it happened right away.
DAVE: Well, so when you’re, when you’re a bad guy in the credential harvesting business, right, you’re getting a lot of information in at once, you gotta classify it.
ALEX BLUMBERG: Right, got it.
DAVE: And then you’ve got to sell it off to someone to make–uh, to, to use.
ALEX BLUMBERG: Right.
DAVE: So it’s not like it’s an instantaneous thing.
ALEX BLUMBERG: Got it. And how would they do that without him noticing?
DAVE: Well I mean–malware works in mysterious ways.
ALEX BLUMBERG: So it’s like, it’s in the background?
ALEX BLUMBERG: I see. So it’s in the background, it’s running in the background, it’s mimicking … it’s mimicking an actual legitimate user accessing Gmail, accessing Gmail, even though it’s not showing up on the screen or anything.
ALEX BLUMBERG: Yeah. Ok, let’s call my dad real fast.
PJ: Do we call… your dad’s name is Richard … Do we call him Mr. Blumberg?
ALEX BLUMBERG: (laughing) No you can call him Richard.
PJ: I don’t know if I can call him Richard.
ALEX BLUMBERG: (laughing) You can call him Richard.
PJ: I feel like I’m gonna call him Mr. Blumberg.
ALEX BLUMBERG: (laughing) Ok.
RICHARD BLUMBERG: Hello!
ALEX GOLDMAN: Hi, Mr. Blumberg.
PJ: Hey, Mr. Blumberg.
ALEX BLUMBERG: (laughs) You guys both went for Mr.
ALEX BLUMBERG: I, I told them to go with Richard.
RICHARD: If you’re gonna be PJ and Alex, I’m gonna be Richard.
ALEX GOLDMAN: So Alex caught … Richard up on everything that happened so far and explained that we wanted to check his tablet to see if that’s how the hackers got into Alex’s Uber account.
ALEX BLUMBERG: There was one time when I logged into my account that was on a computer that people say could have been–could have been compromised. And that is when I log–tried to log into my Gmail account from your tablet.
RICHARD: Surface Pro.
ALEX BLUMBERG: Yes.
RICHARD: Yeah. Well I will say that sometime in the last few weeks, and it may have been when we were in the Bahamas, I got an email from, uh, Google saying that someone had tried to log into my–my Gmail account from a computer in … somewhere that I’d never been. I can’t remember where it was.
And, so I deauthorized that, I said, “No that’s not an authorized computer,” and then I went out and I changed my Gmail password immediately. You know, I haven’t used the Surface Pro since we, uh, got back from the Bahamas, but it had gotten so buggy, it’s gotten–it had slowed down so badly that I figured that–
ALEX BLUMBERG: Hmm.
RICHARD: I knew something–something was wrong with it.
ALEX BLUMBERG: Do you have a–did, did you have any malware, uh, detecting software on there?
ALEX GOLDMAN: A lot of Windows, uh, Windows devices come with something called
RICHARD: Yeah, I think there is Windows Defender on that.
ALEX GOLDMAN: Ok.
ALEX BLUMBERG: Is there any way to look at Windows Defender and see if there’s anything…?
RICHARD: Yeah, let me, let me get the Surface Pro and I’ll fire that up. [long pause] Ok. I got Windows Defender up.
ALEX GOLDMAN: So, I’m going to ask you to do a full scan, if you can do a full scan. The problem is that a full scan takes awhile.
ALEX BLUMBERG: So what’s the verdict? Did it find anything?
RICHARD: “Scan completed on 718,851 items. No threats were detected on your PC during this scan.”
ALEX GOLDMAN: Hmmmm.
ALEX BLUMBERG: (laughs)
ALEX GOLDMAN: I’m legitimately so angry.
ALEX GOLDMAN: Like, I’m so frustrated by this.
ALEX GOLDMAN: Cause it’s just unanswerable.
ALEX BLUMBERG: (laughs)
PJ: It’s not unanswerable.
ALEX GOLDMAN: It’s obviously cannot be answered.
ALEX BLUMBERG: Uber was compromised. And they’re blaming it on me and my dad’s–my dad’s Surface Pro.
PJ: They found innocent, they found scapegoats in the Blumberg family.
ALEX BLUMBERG: (laughs)
ALEX BLUMBERG: Would Windows Defender definitely have found the spyware?
PJ: I mean–this is like, the default Windows antivirus program we’re talking about, so it totally could’ve missed something. I don’t know. The tablet still just feels like the most likely suspect to me. This stuff’s hard to actually say with any certainty. You know? It’s like trying to figure out who got you sick.
ALEX GOLDMAN: Kind of. I mean the virus analogy is actually very apt. It can make its way in from a million different places.
ALEX BLUMBERG: But if we were- if we–if we were just to backup some distance and look at this big picture: Uber, a multi-billion dollar company, employing I’m sure gazillions of cybersecurity experts to keep its data safe or the Blumberg family (laughs).
PJ: (laughs) Who are–
ALEX BLUMBERG: Yeah.
PJ: –sharp guys.
ALEX BLUMBERG: (laughs) But not very suspicious in general by nature.
ALEX GOLDMAN: So at this point, we thought we had solved the problem.
ALEX BLUMBERG: Alright Dad.
RICHARD BLUMBERG: Thank you guys.
ALEX GOLDMAN: Thanks.
RICHARD: Alex, I love you. I’ll see you all later.
ALEX BLUMBERG: Love you too.
ALEX GOLDMAN: Based on all our reporting, our best guess was that Alex Blumberg’s Gmail had been hacked in Bermuda. But the fact that we couldn’t be 100% sure really bothered our senior producer, Phia Bennin.
So for the next couple of weeks, she tried to figure out if there was any way to get more clarity. And about a month later, Phia brought us into the studio to tell us what she’d learned.
PHIA: Okay—so, there was just this one part of the story that was still nagging me—which is, if you remember, Uber said they sent emails to Alex when the like, weird activity was happening in Moscow. And Alex said he never saw any of those emails. Like, he never got them.
PJ: Yeah, even in his trash can, like, nothing, nothing, nothing.
PHIA: So, I wrote Melanie Ensign, that woman who works at Uber, and I was like, “I have to find those emails. When did you send those emails?” And she wrote me back. She didn’t actually send me the emails that they’d sent to Alex Blumberg. She’s just sent me four time stamps for the different times those emails should’ve gone out. And as she sent that to me, I actually heard from another listener who told me about something that I didn’t realize existed. Which is that there’s a place in Google Support that says, “Restore user’s permanently deleted emails.”
PJ: That’s nuts.
ALEX GOLDMAN: I didn’t know that that existed either. Does it restore them from the beginning of time?
PJ: I bet you—you can get like a month.
PHIA: You get 25 days.
PJ: (whispers) Nice job, me.
PHIA: And, uh, I learned about this when there were like—the day when Alex was on vacation was 26 days ago.
ALEX GOLDMAN: Get—get out of here.
PHIA: Oh no, no. Sorry. 24 days ago.
PJ: What a rollercoaster, man!
PHIA: (laughing) Sorry. Yeah so, I could look back, but I had like this tiny window where I could still look back, and it’s actually you have to like, submit something to Google and then they like, uh, you know, like scrape their system and send you everything.
PJ: I’m literally picturing like, a hard drive at Google Headquarters that like, a conveyor belt is moving towards an incinerator.
PHIA: It feels totally like that. And so like, um, we immediately submitted something to them, they did the scrape, they—they like said, “Ok, now everything should be there.” And I started looking at Alex’s email with all the restored emails.
PHIA: (pauses) Nothing!
ALEX GOLDMAN: Get outta here.
[JAZZY DETECTIVE MUSIC]
PHIA: No emails from Uber. Like, this was so frustrating. So, I got on the phone with somebody from Google customer support. And was like, “You guys have not restored all the emails. Like, I know for a fact there are these four emails from these four different specific times. I’m not seeing them in here. You guys are Google. You have to be able to find them.”
PJ: And what’d they say?
PHIA: And the guy was like, “You know, I’ve never—I’ve never seen this happen before. This is really strange.” And like, I got so frustrated.
And then he told me that there was a whole different way that we could be approaching this, that I didn’t actually need to be talking to him at all. Um, because Gimlet’s email is through a Google Business Account, that through the administrator, I could actually see all the emails coming in and out of Gimlet Media, I could see the subject lines, the like, who they were to and who they were from, and when they came in.
PJ: I’m just quickly thinking about like every email I’ve ever sent at work. I was like, “Eh, it’s Gmail. It’s all private.” Good to know.
PHIA: Yes. Ok, so, let me—let me quickly pull it up for you. Um, it’s actually called the Admin Console, and there’s a feature in here called “Reports.”
PHIA: So, you go into reports and there’s a place for email log search. And now you can look for like, the four specific emails that we know Uber says that they sent to Alex Blumberg. Um. So we’ll put Uber in the “sender field” and Blumberg in the “recipient” field. Does one of you wanna lead—drive this?
PJ: I wanna do it.
ALEX GOLDMAN: Alright.
PJ: Ok. So, I’m gonna hit search.
PJ: Searching … Searching … Oh wow. So there’s one, two, three, four, five emails. So there’s many, but, they’re all just the ones from once Alex was like, “What’s going on with my thing?” “My account has an unrecognized charge,” “I can’t sign into my account,” “I can’t sign into my account,” “My account has an unrecognized charge.” And finally you get “Interview request: The case of the missing Uber account” (laughing).
ALEX GOLDMAN: I wrote that, uh, subject line.
PJ: Uh. So this is really interesting.
PHIA: Yes. This is when I changed from feeling like Google, scrape through your servers, find these emails to—
PHIA: Maybe these emails never were sent.
ALEX GOLDMAN: Oh my god. This re—requires a dramatic sting. Like a dun dun dunnnn … Ok. I’ve done it. What happened?
PJ: So, yeah, this would seem to suggest that Uber either thinks they sent emails and didn’t send them. Or, in the worst scenario, is not telling the truth.
PJ: Did you go back to Uber with this?
PHIA: (Long pause) Of course I did!
ALEX GOLDMAN: Yeah, what kind of—even I wouldn’t ask that question.
PJ: Uh, so what did they say?
PHIA: Ok, so, yesterday—
PJ: You got us?
PHIA: So I wrote her yesterday, and she wrote me back fairly quickly, and here’s what she said: “Hi Phia! Great news! We figured it out!”
ALEX GOLDMAN: (Laughs)
PHIA: Alex’s—Alex’s password was part of a data dump that was sold online and tested by a bot script before being sold to the person who used it to request trips.
ALEX GOLDMAN: Ok.
ALEX GOLDMAN: I’m still super confused…
PJ: Hold on—I have specifi—data dump? Whose data dump? Like she said “data dump on a botnet.” Like, are they saying, “Oh, things were actually breached?”
PHIA: So she followed up with a second email. And she said … let me see, “By the way, we found his account in data dumps from LinkedIn, Dropbox, and Myspace, which isn’t surprising since they announced previous data breaches. If he hasn’t changed those passwords recently he should.”
PJ: But we checked that.
PJ: Wh-what did Uber say?
PHIA: Well, a couple hours ago, I came back into the studio with Alex Blumberg, who has a terrible head cold, and we called Uber.
MELANIE ENSIGN: Hi, this is Melanie.
PHIA: Hi Melanie, it’s Phia!
MELANIE: Hi! How are you?
PHIA: Um, I’m here with Alex and I’m recording our call.
ALEX BLUMBERG: Hey Melanie!
MELANIE: Awesome! Hi Alex!
PHIA: Melanie said in order to solve this problem she needed to call in, like, the big guns.
MELANIE: We actually have an elite team within our security organization, uh, that deals specifically with account security and compromised accounts, um, and those types of issues. So I—I thought, “Why don’t I go spend some time with them and let’s actually do a legitimate forensics investigation and figure out what’s happened?”
ALEX BLUMBERG: Ok.
PHIA: Um, what happened?
MELANIE: It turns out the initial email address that was actually associated with your account—
ALEX BLUMBERG: Uh-huh.
MELANIE: —was your former email address from This American Life.
ALEX BLUMBERG: Ohhhhhhhhh.
ALEX GOLDMAN: Ooohhhhhhhhhhhhhhhhhhh.
PJ: So this is like his old work email address.
MELANIE: So the notifications saying, “Your email address has been changed,” “Your phone number has been changed,” “Your password has been changed,” were all going to that address.
ALEX BLUMBERG: To the thislife.org address. Which is no longer even active. Which is a dead email address.
MELANIE: So those notifications are essentially going into the void.
PJ: Can I also just say this out loud so I make sure that I understand it?
PJ: Ok. Basically, all that happened was Alex Blumberg forgot that years ago, when he signed up for Uber, he used an old work email address.
PJ: He also forgot that he used to use the same password for everything, including a bunch of websites that have since been hacked.
And so hackers got his password from one of those websites, and they used it to break into his Uber and steal his rides, and then when Uber tried to warn Alex that this was happening, they emailed the address that they had on file, which was his old work email address. So he never saw it. And, also the hackers might have had access to that anyway.
PHIA: Yeah, and finding that out, it was like, everything all of a sudden started to click, like, remember how he didn’t have his ride receipts?
PJ: Yeah! I remember when we were talking about this like, off-mic, there was a point where he was like—he was like, “Yeah, yeah, yeah. I don’t get ride receipts.”
PHIA: Right. Everybody was like, “Hold on.”
PJ: And, we were like, “But everybody—everybody gets ride receipts.”
ALEX GOLDMAN: Yeah, of course you don’t.
PJ: But he was, they were just going to his old email account.
PJ: Also, when we searched haveibeenpwned, we searched alex@gimletmedia, we didn’t search his old email address.
PHIA: Right. And if you do search that old email address, it has three breaches to it. It’s been pwned three times.
ALEX GOLDMAN: Are they—are they LinkedIn, Myspace, and Dropbox?
PJ: So there you go.
ALEX GOLDMAN: Wow, so we were not just wrong, but we were like double-extra-super wrong.
PHIA: Well, I think like, we were inventing something very complicated because with the data we had that was the most likely outcome.
PHIA: Or like, the most likely how it happened.
PJ: Did Alex—how did Alex react to all of this?
PHIA: Alex is so thrilled to actually have an answer to like—to know exactly what happened to his account.
PHIA: You feel like “case closed”?
ALEX BLUMBERG: I do! I feel like case closed.
ALEX BLUMBERG: Wow!
PHIA: Took us a long time.
ALEX BLUMBERG: All it took was like dozens of engineers at Google, dozens of engineers at Uber, the entire staff of Reply All, a bunch of—a handful—
PHIA: (Laughs) Actually like, all of our listeners.
ALEX BLUMBERG: A bunch of listeners to Reply All, a handful of staff members at uh, at uh—at Gimlet, and my father.
ALEX BLUMBERG: And me.
ALEX BLUMBERG: Man! It makes it—so on the one hand, that’s great. On the other hand it’s like, what if you don’t have that at your disposal? Like, what are you supposed to do?
PHIA: You have to live with a lot more mystery in your life, I guess. And get a password manager.
ALEX BLUMBERG: Seriously.
ALEX BLUMBERG: Boy, is there a lesson to this, isn’t there?
PHIA: There really is.
ALEX BLUMBERG: (Laughing) Yeah…
PHIA: And I don’t have one either. We’re both the worst. Ok.
ALEX BLUMBERG: (Laughs) Ok. Wait, should we just get one right now?
PHIA: A password manager?
ALEX BLUMBERG: I’m—I’m sitting in front of a computer.
PHIA: Oh my god, I don’t want to.
ALEX BLUMBERG: I don’t either.
ALEX GOLDMAN: Coming up after the break, the revelation that sent us back to this story.
ALEX GOLDMAN: So everything you’ve heard up until now was part of our original reporting this past spring. And then, just a couple weeks ago, we started getting an avalanche of messages from listeners that were all saying the same thing: Have you seen the news?
News had just broken that hackers had stolen tons of Uber user data. 57 million users were affected, and the company hadn’t told anyone. They’d covered it up for a year. We wanted to know: Had they actually lied to us? Was Alex Blumberg not responsible for his account being stolen? So, I brought Alex and PJ back into the studio.
ALEX GOLDMAN: Hey, Alex Blumberg.
ALEX BLUMBERG: Yes.
ALEX GOLDMAN: We need to talk.
ALEX BLUMBERG: Ok.
ALEX GOLDMAN: (laughs)
ALEX BLUMBERG: We do.
ALEX GOLDMAN: Uh– go ahead.
ALEX BLUMBERG: Is this is a conversation where I’m going to feel sad and old and stupid at the end, or is this a conversation where I’m going to feel vindicated in my belief that a major, large corporation was lying to me?
ALEX GOLDMAN: Well as soon as I heard the news, I reached out to Uber. I contacted Melanie Ensign, who we talked to for the first story.
ALEX BLUMBERG: Right
ALEX GOLDMAN: And she wrote back to me and said, “At the moment, our teams are in going through the necessary disclosure process & investigations with regulators, so I’m not able to provide an interview until that requirement is complete.”
ALEX GOLDMAN: But, Alex Blumberg, I do have an answer for you, because I talked to a bunch of other people: people at Uber who didn’t want to be named, security experts, journalists, and I was able to put together a pretty clear picture of how this whole thing actually went down.
And here’s the story I learned.
In fall of 2016, Uber gets an email. The email says, “I have a bunch of your information. Give me $100,000.”
ALEX BLUMBERG: (whispering) $100,000?
PJ: It’s like when Dr. Evil in Austin Powers doesn’t ask for enough money (laughing).
ALEX GOLDMAN: One million. I’m embarrassed for actually having done the uh–
ALEX BLUMBERG: It’s like so weird. It’s- I know it’s so bizarre that that’s my first thing to go to, but like, literally, that my first thought was like, “Hacker, ask for more money. It’s Uber!”
PJ: They probably spent that on their holiday party decorations.
ALEX BLUMBERG: Yeah!
ALEX GOLDMAN: (laughing) What a weird—you’re probably right.
ALEX BLUMBERG: Yeah.
ALEX GOLDMAN: So in Uber’s statement, they said that there were two hackers involved in this hack.
ALEX BLUMBERG: Mmhmm
ALEX GOLDMAN: What happened was there was a guy who was really interested in trying to get access to the GitHub accounts of Uber employees. Do you know what GitHub is?
ALEX BLUMBERG: Uh huh. It’s a programming thing.
PJ: It’s where you go, uh, it’s sort of like, uh, “I’m working on a project, and I want to collaborate with strangers. So that’s where we’ll collaborate.”
ALEX GOLDMAN: Right, you can have public ones and private ones. And so he hired like a mercenary second hacker to help him break into one of these accounts.
ALEX BLUMBERG: Oh okay
ALEX GOLDMAN: That’s the extent of that second person’s involvement.
ALEX BLUMBERG: He put together a team, basically. He’s like, “I need a GitHub hack man” or something.
PJ: It’s like Oceans 2.
ALEX GOLDMAN: Oceans 2! That’s exactly right.
ALEX BLUMBERG: (laughs) Ok
ALEX GOLDMAN: The hacker gets on this GitHub account, looks through some of the code on there, and finds the login information for a server. He hops on that server, and that’s where the hacker finds all the data of these Uber accounts.
ALEX BLUMBERG: Wow
ALEX GOLDMAN: And this had happened to Uber before: In 2014, another hacker broke in again using GitHub. Although that time, it was driver data and the company actually disclosed it. Anyway. So Uber finds itself in this situation where there’s someone out there with a bunch of their data who’s asking for $100,000.
ALEX BLUMBERG: Right.
ALEX GOLDMAN: So I mean, Uber could send the police after this guy, but there’s a good chance that news of this breach is going to get out if they do that. Now we can’t say exactly why Uber did what they did next but it definitely solved that problem.
They decide to go with this loophole that lets everyone in this situation get what they want.
ALEX BLUMBERG: Uh huh.
ALEX GOLDMAN: They say to this hacker, “Hey we have this program where we work with hackers, legally — it’s called a bug bounty program. And what a bug bounty program is…”
PJ: It’s like, “If you find a hole in our fence, basically, and you tell us about it, we’ll pay you. Rather than breaking in and stealing our stuff, if you want to look for security flaws, there’s a bounty on it.”
ALEX GOLDMAN: Right. And so they say to this person, “Rather than holding this stuff for ransom, enter into our bug bounty program, and we will give you a reward.”
PJ: Which is not, that is the falsest distinction in the world. It’s like, “I’m not paying a kidnapper’s ransom, but if we call it babysitting that I didn’t ask for, then I can pay you it and it’s fine.” Like, it’s a very window-dressing distinction.
ALEX BLUMBERG: Ok. So, alright, so they say, they have him enter the bug-bounty/ransom program.
ALEX GOLDMAN: (laughs)
ALEX BLUMBERG: Their bug-bounty/legal ransom program.
ALEX GOLDMAN: Right.
ALEX GOLDMAN: Uber actually works with this third party company that’s called HackerOne. And I spoke to the co-founder, this guy named Alex Rice. And he showed me the Uber bug bounty page. And um, the first thing I noticed right away is that they have like an average bounty reward and it is– Well, why don’t I just show you guys.
PJ: Ok. Finally, thank God. We finally get to see the average bug bounty rewards.
ALEX BLUMBERG: (laughs) Ok.
ALEX GOLDMAN: So they’re bounty statistics.
ALEX BLUMBERG: Ok
ALEX GOLDMAN: Average bug bounty range is between $500 and $540, and the top bug bounty range is like $10,000.
PJ: So $100,000, not a typical bug bounty. Something that looks a little more like, if you had to put an adjective on it, ransom-y.
ALEX GOLDMAN: I confirmed that $100,000 is the most that Uber had ever paid for a bounty.
The second thing that I learned is that in order to get a payment from HackerOne, the hacker can’t just be a–an anonymous nobody on the internet. They have to fill out like tax forms, they have to fill out IRS questionnaires, they have to give a ton of identifying information to this company.
PJ: And then does HackerOne hold onto that, or does Uber get to find out about it?
ALEX GOLDMAN: Uber gets it
ALEX BLUMBERG: So who was it?
ALEX GOLDMAN: I was told it was a guy who was relatively young, in his early 20s. He was not like an IT computer professional, he was just some kid.
PJ: So it wasn’t like a super hacker.
ALEX GOLDMAN: Right. Uber makes this guy sign this thing, saying that if this information makes it out into the world, he is on the hook. They will turn him over to the authorities. And he entered into an agreement with Uber where he allowed Uber onto his computer to run some forensic accounting to make sure all the data was gone.
PJ: And they know that they’re safe, also, because of the “One Computer, One Person” law that was passed last year, which says that every person is only allowed to own one computer.
ALEX BLUMBERG: Exactly. My point exactly. (laughs)
PJ: And never use another computer.
ALEX BLUMBERG: Yes! Which would be great in a world without cloud computing, or hard drives, or other computers or anything.
ALEX GOLDMAN: Yeah, I talked to people in computer forensics, and they told me it was impossible to know beyond a shadow of a doubt whether this hacker copied this information elsewhere or not. But apparently, Uber was satisfied with the investigation, and as a last step, they went through all the accounts that were affected by the breach and flagged them. So on their–
PJ: What does it mean that they flagged the accounts?
ALEX GOLDMAN: What it means is, they have internally a record of all the accounts that were in this breach, so if any of those get hacked, they can look at it and say, “Oh! There’s a pattern of these accounts getting hacked. This information might’ve gotten out.”
PJ: I see. So it’s kind of the way to make sure that the hacker, who they paid off to not tell people about the hack that they did, is keeping up their end of this completely absurd bargain.
ALEX GOLDMAN: That’s correct. (pauses) Alex Blumberg.
ALEX BLUMBERG: Yes.
ALEX GOLDMAN: This brings us back to your case.
A source at Uber told me that your account did not have a flag on it. Which would mean that your account info was not stolen by this hacker. And that means that it’s still your fault.
ALEX BLUMBERG: (sighs)
ALEX BLUMBERG: Son of a bitch!
ALEX BLUMBERG: Are you serious?
ALEX GOLDMAN: I am serious.
ALEX BLUMBERG: Ahhh.
ALEX GOLDMAN: As far as we know, your This American Life account was compromised on some other website, and that is how the Russian passenger ended up with your Uber account.
PJ: Ok but just like, I understand Uber is not responsible for Alex’s problem. Alex is responsible for Alex’s problem. But like, putting that aside, they lied to us. Like I don’t understand why knowing what we know now, we should trust them as a company, like whatever they say.
ALEX GOLDMAN: Well I mean. Ok. First of all, just to be very clear, in the first part of the episode, Joseph Cox says that he specifically asked Uber if they’ve had a breach.
PJ: Yes and they said no.
ALEX GOLDMAN: So just to give more context: He asked them that question in 2015 before this hack took place.
ALEX GOLDMAN: To your larger question about whether they lied to us. I feel like it’s a lie of omission. Like it doesn’t feel good. It doesn’t make me feel like, “Oh, OK. Well, they’re on the up and up.” But I don’t think that it was an explicit lie, where they said we did not experience a breach when in fact they did.
PJ: Like you feel like they didn’t lie in like a legalistic sense of it.
ALEX GOLDMAN: Right.
PJ: But you feel like they were dishonest.
ALEX GOLDMAN: That’s correct. But, if you were to ask Uber they’d say, “Look we voluntarily disclosed this hack.”
ALEX BLUMBERG: Yeah
ALEX GOLDMAN: And that was the decision of their new CEO who, in addition to voluntarily disclosing this hack, fired the chief security officer and a top lawyer, and has very publicly said like “We are Uber 2.0, and we are changing as a company.”
Travis Kalanick, who was the previous CEO, has resigned.
On the other hand, Travis Kalanick is still on the board of directors at Uber. And Uber 2.0 hasn’t exactly been forthcoming about the way that they’ve handled this hack. Like they haven’t sent emails to the affected users saying like, “Hey maybe you might want to change your password.”
PJ: Which is really frustrating because it’s like they’re just saying like “We’re holding the cards. You don’t have a choice.” Like you don’t even get to know.
I don’t know–I just. Ugh. I hate it. I just hate the impunity of it so much.
Like, basically I want them to say that we’re entitled to an explanation of why they did this in the first place. I want them to say like, really, really, like, “This is the calculation we made. Like, this is how we sat down, as cynical as it was or not, like, this was the argument against it, this was the argument for it. It was a mistake to lie–to not tell the truth, and we did it because of this, and we wouldn’t do it now because of that. And categorically there’s not another thing like this that’s sitting there waiting to be discovered. And if it is–uh, we’ll set all the cars on fire and go home.”
ALEX BLUMBERG: (laughs)
ALEX GOLDMAN: It seems like it would be really mean to set the cars of your contractors on fire.
PJ: I just want accountability.
ALEX BLUMBERG: (laughs)
ALEX BLUMBERG: I don’t know why you’re so upset–I should be the one who is so upset because–I–
ALEX GOLDMAN: You came in here–you came in here feeling like you were carrying the righteous sword of truth.
ALEX BLUMBERG: I was like, I thought vindication finally is mine.
ALEX GOLDMAN: And you still got owned.
ALEX BLUMBERG: I still got owned.
ALEX GOLDMAN: (laughs)
ALEX GOLDMAN: Reply All is hosted by PJ Vogt and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, and Damiano Marchetti. We’re edited by Tim Howard. Additional production help from Khrista Rypl. Our intern is Anna Foley. We were mixed by Rick Kwan. Happy birthday, Rick! Our theme music is by the mysterious Breakmaster Cylinder, and our ad music is by Build Buildings. Fact-checking by Michelle Harris. Special thanks this week to Claire Tibbs, Daniel Boteanu, Mike Isaac, and Greg Bensinger. Matt Lieber is a room that is at the perfect temperature.
You can visit our website at replyall.limo, and you can find more episodes of the show on iTunes or Spotify or wherever you would like to listen to podcasts. We’ll have a link to an article about the best password managers on our website, replyall.limo. Also, there’s a survey at replyall.club that we’re asking people to fill out right. Filling out the survey helps us find advertisers for the show, so if you have the notion, go ahead and fill it out. Thank you for listening. We’ll see you next week.
The return of YYN: The horrifying specter of November 4th and a very disturbing ice cream recipe.
PJ VOGT: From Gimlet, this is Reply All. I’m PJ Vogt.
ALEX GOLDMAN: And I’m Alex Goldman.
Welcome once again to Yes Yes No, the segment on our show where our boss, Alex Blumberg – who, you know, he’s aging out of being with it and hip – comes to us and says, “I don’t really get what’s going on on this thing on the Internet.” And then we explain it to him.
ALEX BLUMBERG: Hello.
ALEX GOLDMAN: Do you feel like my characterization of you was mean or incorrect?
PJ: Those are your two options.
ALEX BLUMBERG: (laughing) No, sadly – it was mean and correct.
ALEX GOLDMAN: Umm…So do you have something for us?
ALEX BLUMBERG: I do. So here here’s a here’s a tweet from somebody named Rich “Lowtax” Kyanka.
PJ: Uh huh.
ALEX BLUMBERG: Umm, @Richard_Kyanka and he says, “ANTIFA SUPERSOLDIER UPDATE:” –all in caps– “My cumbersome mech suit is too large to fit through the door to Arby’s”
PJ: No comprehension.
ALEX GOLDMAN: Uhhh – PJ Vogt, do you understand this tweet?
ALEX BLUMBERG: And it’s got 237 likes and 47 retweets.
PJ: No, I do not understand this tweet.
ALEX GOLDMAN: Alex Blumberg, do you understand this tweet?
ALEX BLUMBERG: (laughing) I do not understand this tweet.
ALEX GOLDMAN: (laughs)
ALEX BLUMBERG: Alex Goldman, do you understand this tweet?
ALEX GOLDMAN: I do. I do.
PJ: What is going on?
ALEX GOLDMAN: All right.
ALEX BLUMBERG: It’s fallen to you my friend.
ALEX GOLDMAN: All right. So you guys know what Antifa is, right?
ALEX BLUMBERG: I do. I do. But I could use a little refresher actually.
ALEX GOLDMAN: OK.
PJ: How much do you understand Antifa?
ALEX BLUMBERG: I know they are opposite fascists.
PJ: Yes like against, against.
ALEX BLUMBERG: In fact, anti.
ALEX BLUMBERG: And that’s what anti stands for.
ALEX GOLDMAN: Antifa is basically a loose coalition of groups around the country that tend to show up at protests wearing all black, sometimes holding shields, often covering their faces with masks or bandanas. And the thing that sets them apart from most protesters is that some of them are willing to be violent.
ALEX BLUMBERG: So their belief is like, we’re not gonna just like, march and stuff. To fight fascism you have to be willing to actually fight.
PJ: The whole like, should, the like, should people punch Nazis thing, it’s like a political movement that’s like, “Yes, yes, and we should punch Nazis.”
PJ: Like, when the shooting in um, Texas happened this month, there were–there were people on the- not Breitbart, but like Mike Cernovich, and like Gamergate-y, like alt-right Internet, were like “The shooter was Antifa. This was an Antifa plot.” Like, they’re kind of like constantly… It’s like one of the menaces that they’re sure is always about to show up at their door.
ALEX BLUMBERG: Got it, got it, got it. OK. Alright. OK, so that’s good. So I know what Antifa is now.
PJ: You’re now, we are now through the first word.
ALEX BLUMBERG: (laughing) We’ve got the first word down.
ALEX GOLDMAN: So, this tweet is in reference to something that has that sort of spun out over the course of the past couple of months. There’s a group of left wingers that’s called Refuse Fascism, and it’s run by this guy named Bob Avakian.
PJ: I’ve not heard either of those things.
ALEX GOLDMAN: So Bob Avakian was kind of well known in the 70s and 80s as like a political organizer. He is this communist guy. He publishes books, he does these really long lectures, he describes himself as a “poetic revolutionary.” But most people have no idea who he is. And, he is definitely not part of Antifa.
So on August 5, Bob Avakian posts this thing on his website that says, “This nightmare must end. The Trump Pence regime must go.” And basically, he says he wants to take to the streets in cities across the U.S. and continue protesting until the Trump administration is removed from power.
PJ: Like he’s calling for… right
ALEX GOLDMAN: And this massive protest he called for probably would have come and gone, and no one would have noticed it. But it caught the eye of this conservative Youtuber named Jordan Peltz. He posted this Youtube video that was called, “Antifa Has to Go!” Here, you can take a look.
JORDAN PELTZ: Good morning, everyone.
He is not a police officer, but he dresses like a police officer.
JORDAN PELTZ: Um, I usually don’t… make posts, especially vlogs like this, but there’s been a number of things that have happened over the last seven days (fades down)
He wears like, the shou–the chest-mounted walkie talkie that cops talk into, and he’s sitting in his not police car.
PJ: But it looks like a police car.
ALEX GOLDMAN: Uh huh.
ALEX BLUMBERG: Uh huh.
PJ: Like, it has the divider behind the seats.
ALEX BLUMBERG: Oh my god. He’s got like a- like a- and he’s got like a big, like star–
PJ: Like a fake sheriff’s star, and like uh-
ALEX GOLDMAN: So, just so we’re clear, the star on his shirt…
PJ: Is printed on his shirt.
ALEX GOLDMAN: … is printed on his shirt.
PJ: Oh no, I have depth perception. Fully.
ALEX BLUMBERG: (laughs)
ALEX GOLDMAN: And so Jordan’s video is all about these November 4 protests. But Jordan’s not describing a protest, he’s describing like an all-out war, and he’s replaced the name of Bob Avakian’s group, Refuse Fascism, with Antifa.
JORDAN PELTZ: And to Antifa’s next step, on their website, they are calling for an open civil war that they will start here in the United States in November. They are fundraising for weapons, training, ammunition, supplies.
PJ: He also has a massive rifle behind him.
ALEX GOLDMAN: Yes.
PJ: And all this stuff about like, an armed insurrection, like Bob Avakian was not saying that.
ALEX GOLDMAN: Absolutely not. So, Jordan Peltz makes this video, and it starts taking off.
And then, this thing gets even bigger, because this Facebook group called “Our Vets Before Illegals” posted this, like distilled version of the Peltz video with a bunch of menacing music behind it, and they cut in scenes from violent Antifa protests.
(dramatic, patriotic music)
JORDAN PELTZ: Honestly, if our leaders and our leadership isn’t going to step up and finish this, we have to.
ALEX GOLDMAN: So that got viewed 3.1 million times.
ALEX GOLDMAN: And then the fears around this uprising on November 4 are exacerbated when in late September, some of the members of Bob Avakian’s group Refuse Fascism-
PJ: The original group.
ALEX GOLDMAN: Right – and I’m talking maybe eight or nine people – go, they block traffic on the LA Freeway, holding like, you when you’re at the… You know when you’re at like, a sporting event and people hold individual letters to spell out something? Theirs says, “November 4, it begins.”
ALEX BLUMBERG: Whoa.
ALEX GOLDMAN: So they shut down traffic, they all get arrested, but that is- that is-
PJ: Now there’s like proof.
ALEX GOLDMAN: Yes. And then, this argument that Antifa’s trying to start a civil war, it starts to spread. Like Alex Jones, the Infowars guy, he picks it up and talks about how this violent group of people are now planning this big revolution.
ALEX JONES: Antifa plans civil war to overthrow government. And they’re handing out AK47s, shanks. They’re planning their attacks on public officials, police.
Meanwhile, lefty Twitter people, they like get wind of the fact that suddenly the right-wing is very scared that there’s going to be this huge uprising. And they think it’s hilarious.
PJ: Right, and their favorite thing to do if somebody on the right is really scared about something, is to just like, mess with them.
ALEX GOLDMAN: Yeah. So, they start making jokes about how ridiculous this thing is. They tweet stuff like… Do you remember the beginning of The Real World, the TV show?
ALEX BLUMBERG: Yeah.
ALEX GOLDMAN: This was like: “On November 4, millions of Antifa supersoldiers are going to stop being polite and start being real.”
ALEX BLUMBERG/PJ: (laugh)
ALEX GOLDMAN: And the one that really made a- an actual- actually surprising impact was this Twitter goof who goes by the name Krang T. Nelson.
ALEX BLUMBERG: Uh huh.
ALEX GOLDMAN: Tweeted: “Can’t wait for November 4, when millions of Antifa super soldiers will behead all white parents and small business owners in the town square.”
ALEX BLUMBERG: (laughing) OK. (laughing)
ALEX GOLDMAN: But what happened is that people who thought that Antifa was actually going to have an uprising on November 4th, they took these jokes very seriously.
ALEX BLUMBERG: Oh, really?
ALEX GOLDMAN: And another pretty fringey right-wing website, this website called Gateway Pundit, they reported on these joke tweets.
ALEX BLUMBERG: As real?
ALEX GOLDMAN: As real. They were saying, “Left-wing Antifa threatens to overthrow the government,” and they would have a bunch of these tweets where people were making goofs.
ALEX BLUMBERG: It’s like the actual exaggerated fear and the- and the- and the mock exaggerated fear have literally met and are fully overlapping.
ALEX GOLDMAN: They totally are.
ALEX GOLDMAN: So like-
ALEX BLUMBERG: That’s wild.
ALEX GOLDMAN: And there are videos on Youtube of concerned, armed citizens planning on how to defend against Antifa.
MALE VOICE 1: November 4 is coming! Are you ready? Are you ready for what’s gonna happen on November 4?
MALE VOICE 2: Go home, clean your rifles, load up your magazines, make sure your food preps and your water preps, your medical supplies…
MALE VOICE 3: You want a war with us? Bring it on! That’s all I can say. [cocks gun]
MALE VOICE 4: Honestly, I’m happy. I’m happy. Dude, we’ve been on the verge of the great war or whatever for what seems like forever, and I’m just ready to get it going.
So, as this sort of anxiety continues, this starts going sort of more and more mainstream.
ALEX BLUMBERG: OK.
ALEX GOLDMAN: And then the morning of November 4, Fox News does a piece of it.
PJ: (gasps) Oh no.
ALEX GOLDMAN: Yeah.
PJ: Oh my god, it’s Fox and Friends. “Antifa Apocalypse?”
FOX AND FRIENDS MALE VOICE: The group known as Antifa, anti-fascists, they’re going to be holding one of 20 protests being held across the country. The group, Antifa Refuse Fascism is planning 20 rallies- 20 rallies across the country, to try to drive President Trump and Vice President Mike Pence, drive them from power using violence [fades out]
ALEX BLUMBERG: Oh my god.
PJ: Uh, so the giant chyron is, “Antifa plans to overthrow president.”
ALEX BLUMBERG: Wow. What?
PJ: And like the other thing that’s crazy about this is like, Donald Trump loves Fox and Friends. Like, he tweets about it all the time. He seems to watch it most mornings. Like he probably saw this story.
ALEX BLUMBERG: Do you think that the president of the United States thinks that this was really going to happen?
PJ: Yes, I do. He said after Charlottesville, like, something that people didn’t totally like–
ALEX BLUMBERG: Holy shit. It didn’t even occur to me. But of course.
PJ: When they asked him to denounce white supremacists, and he was like “There are bad guys on both sides.” He was talking about Antifa. Like he actually clarified a couple days later when he was like doubling down on his comments, he was like “Antifa.” Like that’s… He lives in a news reality where like there’s a left wing militia that’s like organizing the overthrow of the state.
ALEX GOLDMAN: And where that tweet, Krang’s tweet, which is sort of like, “We’re coming to behead white people and small business owners,” is real.
ALEX GOLDMAN: So on the morning of November 4, all of the Twitter goofs wake up, and immediately start tweeting things like, “Hey Antifa super soldiers. Um, I’ve got a bunch of PB&J in my wagon. We’re gonna meet down at so-and-so, and start beheading white people. What do you say?” And like, there were a lot of jokes to that effect.
ALEX BLUMBERG: (laughing) Uh huh.
ALEX GOLDMAN: And so what ended up actually happening is that a lot of the armed preppers from the Youtube videos, they like, went out anticipating an Antifa civil war. And, of course, that’s not what they found, because that didn’t exist. What they found was like, in a couple cities, there were some normal protests, people holding signs, banging drums, saying “Hey hey, ho ho, Trump and Pence have got to go.” And so all these armed people who were anticipating this violent Antifa uprising, their takeaway was like “Well, yeah, of course. The reason that Antifa didn’t show up is because we scared them away.”
PJ: Wow, that is so crazy.
ALEX BLUMBERG: All right, I think I’m ready to, um, I think I’m ready to recap, everyone.
ALEX GOLDMAN: Alright.
ALEX BLUMBERG: Alright, here it is. The tweet again: Rich “Lowtax” Kyanka says: “ANTIFA SUPERSOLDIER UPDATE: my cumbersome mech suit is too large to fit through the door to Arby’s.”
OK so, I’m assuming a mech suit is sort of like a- a soldier suit, or something?
ALEX GOLDMAN: It’s a giant robot from anime that you can run around in.
ALEX BLUMBERG: Oh, cool. (laughs) OK, great. OK, so anyway, this tweet. I now know that this tweet is in response to the armed uprising, um, by Antifa, on November 4, that many people believed was going to happen, but was actually never going to happen, because it was just the idea of like, um, some rando who nobody takes seriously, but then it got picked up, and blown out of proportion. And this, and he’s resp- and he’s talking about that whole thing.
And he’s- and he imagines a world in which there was an actual um, armed uprising, and he was one of the supersoldiers and he’s sending out an update that he couldn’t come to the war because his mech suit got stuck at the door of Arby’s.
ALEX GOLDMAN: We’re at Yes Yes Yes.
PJ: We’re at Yes Yes Yes.
PJ: Coming up after the break, we get stuck in some buffalo.
ALEX BLUMBERG: Hey fellas, here’s a tweet.
ALEX BLUMBERG: OK. (laughs)
PJ: We should call this segment, “Hey fellas, here’s a tweet.”
ALEX BLUMBERG: (laughs)
ALEX GOLDMAN: That is- that is a catchier name than Yes Yes No.
ALEX BLUMBERG: (laughs). Uh- OK, so uh-so-so– This one is interesting because it’s got like a lot of things that I sort of half know, but then they’re all- they’re all in the way of things that are sort of like, mashed together in- in a way I find confusing.
PJ: Like you know the words, but then when you arrange the words together…?
ALEX BLUMBERG: I know the words, and I even know some of the words that are- are certain memes, because you’ve explained them to me on previous Yes Yes Nos, but now they’re coming back in like new and confusing forms.
ALEX GOLDMAN: OK.
PJ: That’s the way of things.
ALEX BLUMBERG: Ready?
ALEX BLUMBERG: Alright, so here’s the tweet. It’s from Brian Feldman. “Constable Frozen milkshake-ducked for being horny on main” is 2017’s “Buffalo buffalo buffalo buffalo buffalo buffalo buffalo buffalo” (laughs)
PJ: Alex Goldman, do you understand what this tweet means?
ALEX GOLDMAN: Yes. PJ Vogt, do you understand this tweet?
PJ: Mostly, yes.
ALEX GOLDMAN: Uh, Alex Blumberg, do you understand this tweet?
ALEX BLUMBERG: No, no.
PJ: Okay, we’re back at Yes Yes No.
ALEX BLUMBERG: Yeah
PJ: Back in the comfortable place.
ALEX BLUMBERG: Familiar territory.
ALEX GOLDMAN: Before we start, do you guys know the “Buffalo buffalo buffalo…” thing?
PJ: I don’t- that’s the part I don’t know.
ALEX GOLDMAN: So buffalo written nine times with, what, three, with three that are capitalized is a grammatically correct sentence using different uses of the word “buffalo.”
ALEX BLUMBERG: Eight.
PJ: Oh, so it’s like Buffalo the animal. Eight times.
ALEX GOLDMAN: Buffalo the animal, buffalo to intimidate, buffalo the city in New York. If you write it- write it, the sentence construction is like…
PJ: The first three actually make sense to me, the next five you kind of lose me a little bit.
ALEX BLUMBERG: Wait.
ALEX GOLDMAN: Right, I mean there’s more to it than that, and it’s actually very complex, but the whole joke of it is that, this is – even though this looks like gibberish, this is an actual sentence.
PJ: I’m not moving forward until I understand this sentence.
ALEX BLUMBERG: Yes.
ALEX GOLDMAN: Oh my god. Buffalo buffalo, animals that call themselves buffalo, the animals called buffalos from the city of Buffalo.
ALEX BLUMBERG: That’s a Buffalo buffalo (laughs).
PJ: So New York bison.
ALEX GOLDMAN: Yes. So Ok, it’s Buffalo buffalo, which are buffalo from the city of Buffalo, that intimidate- that the animals from the city of Buffalo bully, so that Buffalo buffalo buffalo…
ALEX BLUMBERG: Wait.
PJ: Oh my god.
ALEX BLUMBERG: Wait. Buffalo buffalo – so it’s animals – buffalo from- bison from New York.
PJ: I feel like we’ve been here for a thousand years, and this is just hell. Like we’ll never get out of this sentence.
ALEX BLUMBERG: Buffalo… Wait. But then I’m like, at the third buffalo, I’m still confused.
ALEX GOLDMAN: Ok so the third buffalo is, again, describing, um, New York cit- New York State buffalo.
PJ: Ugh, this is so painful.
ALEX BLUMBERG: Got it.
ALEX GOLDMAN: So the… Alright, so think of this way, you have to draw this for it to make sense.
PJ: Alex’s explanation, by the way, so far is, “OK so buffalo from the city of Buffalo, uh, swindle buffalor… Ok so, so, buffalo from the city of Buffalo.” You literally keep doing the first three buffalo.
ALEX GOLDMAN: Just hold on a second.
PJ: I can’t!
ALEX GOLDMAN: Hold on a second!
ALEX BLUMBERG: Get to the fifth buffalo!
ALEX GOLDMAN: Let’s start with the first two.
PJ: No! No.
ALEX GOLDMAN: Think of the first two as their own independent thing. The first two are buffalo from the city of Buffalo.
ALEX BLUMBERG: I got that: New York bison.
PJ: That is well established.
ALEX GOLDMAN: The second three buffalo are…
PJ: The second three buffalo?
ALEX GOLDMAN: …the second three words “buffalo.”
ALEX BLUMBERG: Uh huh.
PJ: The first two and the second three?
ALEX BLUMBERG: The second three are?
ALEX GOLDMAN: The second three describe their own clause. Which is… Um, so it’s Buffalo buffalo that, buffalo Buffalo buffalo, that buffalo from the city of Buffalo bully…
PJ: What are you doing?
ALEX BLUMBERG: Wait.
ALEX GOLDMAN: … are buffaloing buffalos from Buffalo, New York. That’s the last three.
ALEX BLUMBERG: (laughs)
PJ: I’m just going to pretend that makes sense to me so we can move on. I’m sorry that I wanted to know this.
ALEX BLUMBERG: I don’t, I- it doesn’t make sense to me.
PJ: OK, so what we know is the buffalo thing is a joke about words.
ALEX GOLDMAN: Right.
PJ: And how one word can mean a lot of things, and you can use it over and over again.
ALEX BLUMBERG: So, allegedly, this, this- this sentence that is just the word buffalo eight times is an actual grammatically correct sentence about bison from New York swindling other bison from New York.
PJ: Oh. Now I understand what’s going on. Because the first sentence in this tweet, “Constable Frozen milkshake-ducked for being horny on main” seems like a bunch of words, but it also connotes meaning. I think that’s what’s going on here.
ALEX GOLDMAN: Yes!
ALEX BLUMBERG: Oh.
PJ: But we still have a ways to go.
ALEX GOLDMAN: Mhmm.
PJ: So Alex, just going through the first part: “Constable Frozen milkshake-ducked for being horny on main.” I know that you know some of these things.
ALEX BLUMBERG: I know milkshake-ducked.
PJ: And do you want to do a refresher on that?
ALEX BLUMBERG: Milkshake-ducked is- is how…. Is-is-is- is a term that means when the Internet loves you for a second, and then it turns on you.
PJ: Yes! Yes. OK.
ALEX BLUMBERG: Much like the milkshake duck.
ALEX GOLDMAN: In the tweet that originated the phrase “milkshake duck,” there is a premise that there’s a cute duck that drinks milkshakes, and then you find out that the milkshake duck is racist.
ALEX BLUMBERG: Right.
PJ: So like this- the tweet that we’re talking about refers to uh, for lack of a better word, a scandal that erupted a couple of weeks ago. Alex, have you seen Frozen?
ALEX BLUMBERG: Yes. I have kids. Actually, my kids won’t ever watch the whole thing through because they’re afraid of everything so they can’t… (laughs) It’s too scary for them.
PJ: Is Frozen scary?
ALEX BLUMBERG: No. (laughs)
PJ: What is it about?
ALEX BLUMBERG: Yeah, there’s two princesses: Anna and Elsa. And they’re- they grow up in the castle together in the happy land, but then their parents go off on a voyage, and then their ship wrecks, and they die. And then the one with the powers is like, can’t, um, isn’t allowed to hang out with the one without powers.
And then there’s- and then when she finally lets… She runs away, and then she finally lets loose and she rips off her gloves, and that’s when she sings her signature song.
ALEX GOLDMAN and ALEX BLUMBERG: (singing) Let it go, let it go!
ALEX BLUMBERG: (singing) Don’t hold it back any more.
ALEX GOLDMAN: I don’t know any other part.
ALEX BLUMBERG: (singing) Let it go…
ALEX GOLDMAN and ALEX BLUMBERG: (singing) The cold never bothered me anyway
PJ: Is it like a Queen song?
ALEX BLUMBERG: (singing) Duh dun-un-un-uh
ALEX GOLDMAN: No, we’re just not very good singers.
PJ: It sounds like a Queen song. OK so basically the point is that the Internet really likes Frozen. The Internet really likes Elsa.
ALEX BLUMBERG: Mhm.
PJ: And it being the Internet, there’s, like, a lot of… A lot people taking Elsa and putting her in weird situations. So there’s like a whole genre of Youtube videos that is like adults dressing up as Elsa pretending to be pregnant, there’s like Elsa pregnant with her husband Spider Man stuff. It’s just like, once you hit a certain level of entering into people’s imaginations, like things start to happen.
ALEX BLUMBERG: Elsa… Imagining Elsa pregnant?
PJ: Yes. Like that’s like the weird edge of it. There’s- in like the less weird version of it, there’s this really popular Tumblr blog called Constable Frozen.
ALEX BLUMBERG: OK.
PJ: Which is made by this unknown person who loves Frozen and is just good at these like super meticulous Photoshops. Where they’ll take characters from Frozen like Elsa, and put them into other movies and things like that. Just like, what if Elsa was everywhere?
ALEX BLUMBERG: Uh huh.
PJ: And people go crazy for it. Like tens of thousands of notes, which is Tumblr’s version of just like, likes, or retweets, or whatever.
ALEX BLUMBERG: Got it.
PJ: There’s also like a bunch where it’s Elsa crossing over to different Disney franchises.
ALEX GOLDMAN: There’s like a lot of like, Frozen/Moana crossovers that this person makes.
ALEX BLUMBERG: My daughter was also afraid of that one. She also got too scared with that one when she was sailing across the sea, and there’s a lava monster that she has to fight. But…
PJ: That feels reasonable.
ALEX BLUMBERG: But, and so she was literally doing the same thing which she always does, which she was scaring, and telling us to turn it off, but then we would go to turn it off, she would be like, “No! No!” And so then, she was just sort of like crying, and like turning away, and then not letting us turn it off, and not wanting to leave the room. And she was like, in that state of crying, not wanting us to turn it off, but also not wanting to leave the room for like a good half an hour, and then she defeated the lava monster, and then she sang her song, and then Samira was so overwhelmed that she just started weeping, and she was standing in front of the TV, like, singing along.
ALEX BLUMBERG: (laughs) With tears coming out of her eyes. And she was singing like, (sings) “They are descended from warriors.” And like… Anyway, that’s the power of Disney. Or whatever, whoever makes that thing.
ALEX BLUMBERG: Uh. Yeah.
PJ: OK, so Constable Frozen, like does all these mashups. Some of them have Moana. A lot of them don’t. Can I just… Can I show you one of them? This is like a series that Constable Frozen made.
ALEX BLUMBERG: (laughs) OK. So it’s- it’s Elsa getting off a big plane and waving at people.
PJ: And she’s like, so it’s like, she’s computer generated or whatever, but this is like a picture of a plane.
ALEX BLUMBERG: This is a real picture of a plane. OK.
PJ: Second frame.
ALEX BLUMBERG: Second frame… She’s getting off a plane that says Arendelle, which is the land of which she’s the princess in the movie.
PJ: And she’s surrounded by Marines.
ALEX BLUMBERG: And she’s surrounded by Marines, and she’s about to descend a big staircase. And then she’s standing next to Donald Trump. (laughs) And then she’s at the-
ALEX GOLDMAN: She’s in Congress.
ALEX BLUMBERG: She’s in Congress, standing in front of Joe Biden and John Boehner, and then she’s shaking Donald Trump’s hand.
ALEX GOLDMAN: That is a good photoshop.
ALEX BLUMBERG: Yeah, it really is.
ALEX GOLDMAN: Oh and she’s freezing him!
ALEX BLUMBERG: There’s a close-up of her freezing his hand.
PJ: And that’s it.
ALEX BLUMBERG: That’s it.
PJ: So it’s kind of just like, I don’t really understand, that had, um, 29,000 notes. And I don’t get it. Like I don’t actually get what’s good or bad or whatever about it, it’s just like-
ALEX BLUMBERG: Well, just imagine the world in which Princess Elsa from Arendelle was making a diplomatic visit to the United States, and meeting Donald Trump, and appearing before Congress. Or the person.
PJ: Right it’s like- this person has like, Being John Malkovich brain, but for like, Elsa, and they represent it, and like people…
ALEX BLUMBERG: Love it.
PJ: … Love it. In that way that people love things on Tumblr which is like I never understand what’s going on.
ALEX BLUMBERG: Got it.
PJ: But then, this month, Ryan Broderick, who does the Internet Explorer podcast. He was like, “Hey everybody, I’ve gotten to the bottom of like the weirdest, strangest Internet mystery I’ve ever found.” Which like, for him, is a very large claim to make.
ALEX BLUMBERG: Wow.
PJ: And he’s like, “It’s about Constable Frozen. And like something that was under our noses the whole time.”
ALEX BLUMBERG: (gasps) What?
PJ: So. Some of the Constable Frozen creations feel… slightly adult?
ALEX BLUMBERG: Mhmm.
PJ: Um, so like the thing that unlocks it for him is like there’s one post in particular from October 27 of this year that a lot of people noticed because it’s…
ALEX BLUMBERG: Mmmmm
PJ: Yeah. It’s Rapunzel from the movie Tangled. She’s tying up a woman using her hair, which is like whatever. And then the next scene of it is, like, Rapunzel strapped to a table with her arms restrained, and then, off to the side, there’s this prince. And you could miss it at first, but he’s off to the side and he has like a ball gag in his mouth.
ALEX GOLDMAN: It’s a bit soft focus, so it’s not the first thing your eyes are drawn to.
PJ: It’s the kind of thing that once you see you kind of don’t not see.
ALEX GOLDMAN: (laughs)
PJ: And so when that happened, and people saw the ball gag, they started going back to old Constable Frozen posts, and they were like “Huh. There’s stuff under her nose that like just seemed weird at the time, but in retrospect feels like significant.” And so Ryan’s theory…
ALEX BLUMBERG: Right because it’s like going back and watching like the Louis CK movie.
PJ: Where it’s like “Oh this guy constantly talked about masturbation, maybe that was meaningful.”
ALEX BLUMBERG: Yeah.
PJ: Yeah. So Ryan’s theory is that this whole time, Constable Frozen has been like a hidden in plain sight vore fetish blog.
ALEX BLUMBERG: What… what kind of fetish?
PJ: So vore is like…
ALEX BLUMBERG: Vore?
PJ: Vorarephilia is a fetish where you sexualize the idea of people consuming other people. But it doesn’t have to be, like, cannibalism, like it can be…
ALEX BLUMBERG: (laughs) That’s the best “but” I’ve ever…
ALEX BLUMBERG: But it doesn’t have to be cannibalism!
PJ: So like there’s soft vore. It’s usually like Furries or Disney characters. Like cute things. Like a giant Genie from Aladdin, and like a small version of the Genie from Aladdin will be like going into his mouth.
ALEX BLUMBERG: Right.
PJ: It’s not like gnashing teeth or viscera.
ALEX BLUMBERG: It’s not like Hannibal Lecter like cutting off arms, and drinking them with Chianti.
PJ: No it’s like every time there’s a kid’s movie where somebody like goes a giant whale or the schoolbus going into a body, but sex…ual
ALEX GOLDMAN: Sex-tual?
ALEX BLUMBERG: How do they know it’s sex-tual?
PJ: They know that people are getting some sort of complicated pleasure out of it, because a lot of those people are like making Tumblrs, and like sharing vore pictures. So once you know… Like Ryan is someone who’s done a deep dive on soft vore. And so he was like “Oh my god, like, look at some of these posts.” Like um…
ALEX BLUMBERG: Some of these Constable Frozen posts?
PJ: Yeah. So like, there’s one where it’s like Elsa, and her sister, and they’re talking to Merida from the movie Brave, who’s got red hair.
ALEX BLUMBERG: Ok.
PJ: First panel, they’re talking to her. Then like Merida disappears, and she and her red hair are gone, and they’re like… Elsa and her sister are sharing red spaghetti, which looks like a lot like the missing person’s hair.
ALEX BLUMBERG: Merida’s hair.
PJ: Merida’s hair. Or like there’s this one very popular post that’s just called like “ice cream.” Where…. Anna is Elsa’s sister?
ALEX GOLDMAN: Yes.
PJ: Anna sees Olaf, the frozen snowman, in the library, and she’s like “Olaf! Soft serve ice cream!” Olaf quickly drinks a glass of milk, flies over Anna’s head, and then sort of spews soft serve ice cream from above her into her like, smiling mouth below.
ALEX BLUMBERG: Into her smiling open mouth.
PJ: Smiling open mouth.
ALEX BLUMBERG: And so he- he becomes an animated snowman soft serve ice cream dispensing machine that flies over your mouth and…
PJ: Spits it out. Which is vore-ish, because he is feeding himself to her.
ALEX GOLDMAN: He’s made of ice. He drank milk.
PJ: Well and the funny thing is like Tumblr is a place where people are often going to share their, like, weird sort of sexual fetishes, so it’s not like these are people who are like, “Oh my god.”
ALEX BLUMBERG: Sexual fetishes on the internet!
PJ: Right, it’s not like they’re saying like “this is gross” even, they’re just like “What you’ve done is you’ve gone horny on main.” Which is when you tweet or post porn from your main, actual account instead of some porn-specific alt account.
ALEX BLUMBERG: (laughs)
ALEX GOLDMAN: I think it sounds, I think it sounds so funny. Because like in the 70s, that totally could’ve been a Bruce Springsteen album.
PJ: “Horny on main?”
ALEX GOLDMAN: And it’s just like, yeah, the E Street band playing fucking trumpets, or whatever.
ALEX BLUMBERG: Right.
PJ: But like Ted Cruz like accidentally faved a link to porn, or like his intern, according to him–
ALEX BLUMBERG: Uh huh.
PJ: –did a couple of months ago, that’s Ted Cruz going horny on main.
ALEX BLUMBERG: Oh! Got it!
ALEX GOLDMAN: Um, has Constable Frozen responded to the controversy?
PJ: Well so this other reporter, Brian Feldman, who was actually the guy who… He does Select All, the blog- the internet blog for New York Magazine, but he’s also the guy who actually tweeted this tweet that we’re Yes Yes Noing. He tracked down the person behind Constable Frozen, who turns out to be a man.
ALEX GOLDMAN: Which is interesting, because everybody in the responses on Tumblr just automatically assumed that it was a woman.
PJ: A lot of people did. Yeah, I don’t know. But it’s a man, he’s South Korean. His name is Shin Chul. And over a very hastily put together Google translated-assisted interview, where Shin Chul said “I hate vore, this is not vore.”
ALEX BLUMBERG: I d-I don’t– I believe him.
ALEX BLUMBERG: It definitely feels porny.
PJ: Yeah. Definitely like something is going on here. Like this isn’t just some big, cultural misunderstanding. I mean, there’s like an image on this blog that I won’t open at work because it looks much like a “Two Girls, One Cup” with like, chocolate ice cream and Elsa.
ALEX BLUMBERG: Yeah. Whatever type of horny on main he was…
ALEX GOLDMAN: They’re definitely horny.
ALEX BLUMBERG: They’re definitely horny on main. Yeah. That definitely feels established.
ALEX BLUMBERG: Whether it’s like, like really, really out there horny main, or it’s sort of like, eh…
PJ: Just, Disney character horny on main.
ALEX BLUMBERG: Yeah, yeah exactly.
ALEX GOLDMAN: Do you want to uh, explain this tweet back to us?
ALEX BLUMBERG: Yes. OK so let me just… OK so, here’s the original tweet. It’s from @bafeldman. “constable frozen milkshake-ducked for being horny on main” is 2017’s “Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo”
So, the first phrase, “Constable Frozen milkshake-ducked for being horny on main,” refers to the owner of a Tumblr who would create scenes with photoshopped Disney characters– usually the character from Frozen – doing like, funny things but then like, slightly porny things. Um, and so the owner of Constable Frozen got milkshake-ducked, which means that like, first the Internet loves you, but then they turn on you, for being horny on main, which means um, tweeting out porn from your regular account, rather than from your secret account.
ALEX GOLDMAN: Uh, that is correct. And now you’re going to make him explain the buffalo thing?
PJ: Yeah. Now just do the easy part of wrapping up the buffalo sentence.
ALEX BLUMBERG: So that seemingly nonsense sequence of words, is 2017’s this seemingly nonsense sequence of words, “buffalo buffalo buffalo buffalo buffalo buffalo buffalo buffalo.” Which I still don’t know exactly what that means, but apparently it is a, there, if you, you can grammatically make it, you can make it all make sense. If there’s a bison from New York…
ALEX GOLDMAN: Alright.
ALEX BLUMBERG: So the Buffalo buffalo.
ALEX GOLDMAN: buffalo Buffalo buffalo… They bully bison from New York, who also buffalo Buffalo buffalo.
PJ: Alex, I think that was a perfect explanation.
ALEX BLUMBERG: But how- where’s the who? Just bison from New York.
PJ: We’re staying here until this is done.
ALEX GOLDMAN: No. We’re at Yes!
PJ: No, we’re not at yes!
ALEX BLUMBERG: (laughs)
ALEX GOLDMAN: Bison from the city of Buffalo.
ALEX BLUMBERG: Proper noun Buffalo noun buffalo (fades down).
PJ: Reply All is hosted by me, PJ Vogt, and Alex Goldman. If you happen to illustrate a vore image of a cartoon Alex eating a tiny cartoon Alex, please tweet it at me. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, and Damiano Marchetti. Our editor is Tim Howard, his band Soltero has a new album out called Western Medicine Blues, it’s extremely good. Go listen to the song “New Revelations,” you’ll be glad. Our intern is Anna Foley. We were mixed by Rick Kwan. Special thanks this week to George Ciccariello-Maher, Merritt K, and Brian Feldman. Fact checking by Michelle Harris. Our theme music is by the mysterious Breakmaster Cylinder. Our ad music is by Build Buildings. Matt Lieber is cookies someone brought to the office. You can visit our website on replyall.limo. You can find more episodes of the show on Spotify, Apple Podcasts, wherever you listen. Thanks for listening. We’ll see you soon.
This year we’ve gotten one question from listeners more than any other: is Facebook eavesdropping on my conversations and showing me ads based on the things that I say? This week, Alex investigates. Further Reading Our guide to keep Facebook from following you around the internet can be found at http://replyall.limo/donttrackme . Facebook’s official statement that…
ALEX GOLDMAN: From Gimlet, this is Reply All. I’m Alex Goldman.
PJ VOGT: And I’m PJ Vogt.
ALEX: So over the course of maybe the past year, we’ve gotten a fair amount of emails from people who think that Facebook and Instagram, which is owned by Facebook, are using the microphone on their phone to listen to their conversations and advertise stuff to them, based on the things they’re saying.
PJ: Yeah, I have also gotten some of these messages. I’ve- I basically have felt like I don’t — I think it would be such a risky thing for Facebook to do, they’ve been like, “Oh, it’s probably just a coincidence, and people are imagining stuff.”
ALEX: Yeah, but I’ve been talking to this guy named JP, and some of the stories that he’s been telling me are super hard to dismiss. He told me that he first started noticing this happening at the beginning of the year.
JP: I was baking pizza dough. I was, you know, making pizza dough, and I said, “This would be a lot easier if we had one of those fancy Kitchenaid mixers.” Ten minutes later, there’s an ad for Kitchenaid mixers on sale.
ALEX: Okay wow.
ALEX: Not long after that, JP is in Target, with his partner Gary, and he yells down the aisle “Hey, can you pick up some Red Bull?”
JP: And then I opened Instagram on the way home, you know, I wasn’t driving, I was in the passenger’s seat, (laughs) and there was an ad for four new flavors of Red Bull. “Try them now.”
JP: And I was like, “This is insane. This is crazy.” You know, they just kept coming. And I was like, “Let’s try something funny.” And like we would say something ridiculous, like, “Man, I could really use a pair of really sexy underwear.” And like, these weird mesh underwear ads started showing up in our feeds. And it was nonstop.
ALEX: And then JP told me a story that just felt really crazy. Let’s call it the perfume story.
JP: The thing that really got us, was uh — my partner’s mom came to visit from Oklahoma, a very nice lady, but, you know, doesn’t travel that often.
ALEX: Her name’s Debbie, and she was going to visit JP and Gary in San Francisco. And on her way there, she gets a bottle of perfume confiscated by the TSA. So, when she arrives in San Francisco, she says, “Hey, I want to go to the perfume store and get a new bottle of perfume.”
JP: And my partner and I, we don’t wear colognes, we’ve never bought perfume that I know of, never search for it. And within 30 minutes, he had opened his Facebook and there was an ad for a women’s perfume store in San Francisco.
PJ: That’s weird.
ALEX: Yes! It’s weird!
ALEX: On a scale of like, 1-10, what would you say your belief that this is actually your phone listening to you?
JP: Uh, 10. I’m convinced.
ALEX: Wow. OK.
JP: And it just, it creeps me out. And I have no idea how to stop it. I actually- this week, removed the Facebook app and Facebook Messenger and Instagram from my phone, and now I just have links to the websites. I’m like, this close to just deleting my account.
ALEX: So naturally, the first thing I did was contact Facebook. Ask them for an interview.
PJ: They said no.
ALEX: They said, “No, we won’t do an interview. And also, listening to people’s conversations via the microphone on their phone to target ads to them is not something Facebook does.” They said that unequivocally.
PJ: Right. Which… Again, I don’t think they do it, but if you’re a person who does, you’re like, “Well, of course they would say that. Why are they going to tell you about how they’re secretly spying on you?”
ALEX: Um, right. But the thing is that Facebook wouldn’t offer me a satisfactory explanation as to why these ads were showing up in JP’s feed. So, I looked into this, and after doing some reporting, I realized the reason they don’t want to talk to me about this is probably because the technology they use to target people with ads is really invasive. I talked to the guy who first built that technology. His name is Antonio Garcia Martinez. He’s since left Facebook, but he started at the company back in 2011.
ALEX: So just to be clear, there was no targeted ads division before you, right?
ANTONIO GARCIA MARTINEZ: (laughs) You use the term division like a whole part of the company. It was literally me and three engineers.
ANTONIO: Remember, the only Facebook ads were those little postage stamp sized little turds on the right hand side, on the right hand bar. There was no commercial content in feed.
Antonio’s big insight was that they’d make way more money if they just squeezed more information out of their users. And the most obvious piece of information was location. People’s devices were telling Facebook where they were, and the targeted ads team could weaponize that.
ANTONIO: All of location targeting was the responsibility of one guy. He’s a friend of mine, a guy named Pierre. He’s a kind of weird, quirky, idiosyncratic French dude. And he would basically take, you know, the lat/long data off your mobile phone, your check ins, um, you know, IP address lookups, if you’re logging in from a laptop or a desktop machine. And that would kind of go into Pierre’s magic location machine, and out would come a location.
ALEX: Location is important to Facebook because A) Just where you live tells them a ton about the kind of stuff you’re probably interested in. And B) if you suddenly appear in a different location, a location that Facebook doesn’t recognize, then it knows that you’re traveling.
PJ: So like, with the perfume story, it’s like she was telling them that she was traveling even if she didn’t realize she was telling them that.
ALEX: And so the next thing I learned was that in 2012, Antonio came up with what is probably his enduring legacy at Facebook — the thing that he will be remembered forever for.
PJ: Which is what?
ALEX: So he wanted to figure out a way to keep tracking people after they left Facebook. Like, to be able to see what they were doing all across the internet. And so he developed this thing that’s now called Facebook Pixel, and it’s installed on millions of websites. So when you go to one of these sites with Facebook Pixel on it, it watches what you do and reports that information back to Facebook. It can see how long you linger on a certain webpage, it can see if you purchase something, it can see if you put something in your cart on a website and decide not to buy it. It’s kind of like an internet surveillance camera.
PJ: Got- so that’s why like, that’s why, like, when you look at a pair of shoes or whatever- it follows you around Facebook.
ALEX: It follows you around the internet. Right. There’s this app that I use called Ghostery that shows you if Pixel is on a site that you’re visiting. And it’ll also show you all the other ad trackers that are on that site. Like, if you go to the New York Times website, there may be 30 or 40 of these trackers.
PJ: Like, as soon as there’s an ad, you basically have to picture 30 or 40 like helpful friendly sales associates like following you around the store–
PJ: –trying to guess how much money’s in your wallet, like, guessing your like weight and age, and like being like, “Oh, he looked at the hooded sweatshirt, oh my god, OK, OK, write that down, write that down, he likes hoodies.”
ALEX: Right, So by 2012, the targeted ads division has figured out how to follow you all around the Internet. They have all this info on everything you’re purchasing, everything you think about purchasing.
But once they figured out they could do this, they got, like, data hungry. They weren’t just interested in the information that you could give them online, they wanted to know things about what you were doing offline. And so they figured out a way to buy your personal history.
PJ: So it’s like, I have a file on Alex Goldman. I’ll go buy Alex Goldman’s credit report. I mean, probably not that but–
ALEX: No, yeah. I mean, we don’t know exactly what Facebook is buying, because they’re a black box, but we do know that they’re buying from companies that sell credit reports.
ALEX: Yes. I talked to this reporter from ProPublica, her name is Julia Angwin. She’s investigated a lot of this stuff.
ALEX: Wait, where are they buying this stuff?
JULIA ANGWIN: Oh you can buy this from these delightful places. Uh, one of them just had a big breach, Equifax, you may have heard of them.
ALEX: Yeah, Equifax. Right.
JULIA: Experian, Acxiom. You know, there’s about- there’s tons of them. There’s probably about seven or 10 big ones out there who sell information about your income, the square footage of your house- within 25 square feet.
ALEX: These companies sell information on whether you’ve been married, whether you’ve been divorced, whether–
PJ: Your credit score?
ALEX: Whether your name has showed up in a lawsuit. They know your income. And you know those loyalty programs that like supermarkets and pharmacies have? The data brokers often run those programs. So they know how often you’re buying diapers or cold medicine or birth control.
PJ: So like, if Debbie had like, a loyalty card at like, her local perfume store. They would know like, this is the type of perfume she buys. And even like, in theory it’s like, they would know like, oh and she bought it like eight months ago. Like, she’s due for some new like, eau de Debbie, or whatever.
ALEX: (laughs) Absolutely. They’re basically learning everything they can about you, and then they break your personality and your interests down into all these hyper-specific traits. And Julia told me there are a ton of these.
JULIA: So, we were able to put together a big database of about 52,000 attributes that Facebook was collecting about its users.
ALEX: (laughs) Oh my god.
JULIA: So they had some categories that were just mind boggling. There was one that was just my favorite called, “a person who likes to pretend to text in awkward situations.”
ALEX: (laughs) How did they even figure that out?
JULIA: I have no idea.
ALEX: There’s actually a page on Facebook where you can see how Facebook categorizes you.
PJ: I want to check mine.
ALEX: Ok, so when you go to your Facebook, you go to settings, and then you click on ads. And then, uh, there’s a section called “your information,” and under that you can click “your categories.”
PJ: Your categories.
ALEX: “Close friends of men with a birthday in seven to 30 days.”
PJ: So that’s like a reason somebody… That’s a category where you’re buying perfume for other people. Who are they trying to hint that I need to buy a birthday present for?
ALEX: “Away from family. Gmail user. Millennial.”
PJ: “Housemate-based households: People living in households where one or more people are not immediate members of family. Away from hometown. Frequent traveler.” I don’t know, it’s weird.
ALEX: It is weird. And this is not a complete picture of the information that they have on you. Facebook knows so much more, but they just keep a lot of it secret. And honestly, we only get a real glimpse of how much they know when they screw up. For instance, I talked to Charles Duhigg, he used to work at the New York Times, and he’s written a lot about how big companies track you. And he had this story about a friend of his who learned something really disturbing through Facebook.
So, his friend’s this liberal guy, lives on the East coast.
CHARLES: His brother-in-law lives in another different state, they don’t see him often, but his brother-in-law is kind of one of those, like he’s into guns, and he’s really conservative. But my friend, he wants to have a relationship with his brother-in-law. So like, he like friended him on Facebook and they’ll like cross post, and he always tries to, like, like the posts of his brother in law that aren’t, like, totally crazy.
ALEX: But then this really weird thing started to happen on Charles’ friend’s Facebook feed.
CHARLES: Which is that he saw- he started getting these like, these right-wing political ads that were like a little white supremacist. Like not really white supremacist, right? Because you can’t put white supremacist stuff on Facebook. But it was- it used a lot of the code words.
ALEX: Which freaked Charles’ friend out, because it’s not like he had ever expressed any interest in white supremacy or anything like that. So Thanksgiving rolls around, and he sees his brother-in-law, and he’s like, “Hey, um, I’ve been getting all of this sort of like stuff that feels disconcertingly, to me, like white nationalist or sort of, like racist. And you’re probably like the only conservative that I friend online. I’m wondering if you have any idea what this might be happening.” And he was like, “Come outside. We need to talk.”
ALEX: And they go outside and he says listen, “I disavowed this, I’m not into it anymore. But for a couple of months last year, I was going to a lot of like white pride, white nationalism meetups.”
ALEX: Yeah, so one of the things that Facebook can do is if you like something, it can advertise that thing to your friends. So the brother-in-law obviously signaled to Facebook that he was into white supremacy somehow, and Charles’ friend was liking a lot of the guy’s posts, and they were friends on Facebook, so Facebook was like, “Alright, well, why don’t I advertise this white supremacist stuff to you.”
PJ: Wow. That’s wild. It’s like Facebook built a machine that just like as a side-effect outs white supremacists, but that’s not even like the point of the machine, like, they don’t care. Like, the whole point of it is just to like to learn things about you to sell you crap.
ALEX: Yeah but think about all of the stuff that this thing can do. Like if you look at everything that I just talked about, and you apply it to JP’s perfume story, I think it explains it.
PJ: Oh, totally.
ALEX: So, like Debbie is going through the TSA in Oklahoma. She gets her perfume confiscated, and she’s like, “Aw, crap. Now I’ve gotta buy new perfume.” She searches for it on her phone.
PJ: She like- she looks at it, she’s like, “Oh, it’s kind of expensive, I’m not going to buy it right now.”
ALEX: Right, but she goes to a page where Facebook has a, has a Pixel on it.
PJ: Facebook knows this person is now in the market to buy perfume. And-
ALEX: And it knows that-
PJ: -she’s traveling.
ALEX: She’s traveling-
PJ: Right. And they probably know that she’s traveling to visit her son because like he’s her son, he lives in San Francisco. She’s logging in in San Francisco, so is he.
PJ: So why not show the son a perfume ad because he could be like, “Oh mom, isn’t this the perfume you like?”
ALEX: (clears throat)
JP: Hi, this is John Paul.
ALEX: Hey, this is Alex, how are you doing?
JP: Hey, I’m great how are you?
So I called JP, and I told him that while I couldn’t say with 100 percent certainty that Facebook wasn’t listening to him, I had a lot of evidence that they just didn’t need to.
ALEX: So then Facebook knows that she wants perfume, right?
ALEX: Knowing your relationship, Facebook might have given your partner that ad because it knows that she’s nearby and it knows that she wants perfume.
JP: Okay. (laughs) I mean… So maybe they’re not listening on the microphone, but- I don’t know. It just feels like they are. It’s just really, like, it-it-this is a weird thing we’ve signed up for and–and allowed. You know, thank you for the additional information. I- (stammers and laughs).
ALEX: (laughs) Um–
JP: Oh boy.
ALEX: So I actually kind of thought my work was kind of done here, and then a couple of days later, I got an email from JP with the subject line, “I’m not sure I’m convinced.”
ALEX: And he just told me another story, a story about talking about having a leg cramp, and then getting an ad on Instagram for cramp cream.
PJ: I actually don’t find that surprising. Like, I feel like, I think you can learn as much as you want, I don’t think you’re ever going to convince anybody who already believes that Facebook is spying on them that they’re not. And I think it’s actually Facebook’s fault. Like, they’ve created this problem because they’re really good at collecting information about us, they won’t be very transparent about what they collect or how. And so, you’re basically forcing people to come up with the simplest possible solution for how Facebook knows stuff about them, and that’s that they’re listening in.
I would be surprised if you could find literally one person in the world who thinks this is happening who you could tell them what you’ve learned, and they would be like, “Yeah. You’re right.”
ALEX: I could find one person.
PJ: You cannot find one person. We can- we can literally open the phone lines, we can let people call in, you will not find a person.
PJ: After the break, Alex takes some phone calls.
PJ: Okay, so Alex.
PJ: So I tweeted out, and I just like, “Hey we’re going to take calls. If you believe this thing is true, call in.” Before we even open the phone lines, I just want you to know how screwed you are. (laughs) So like, let me just actually bring it up, hold on.
ALEX: I saw.
PJ: Like, like hundreds of people, I think. Like, everybody thinks this is true. Including like, including tech journalists who I respect a lot. Like it’s not just like a fringe belief. Like everybody thinks this is true. Literally like the VP of Facebook’s ad division jumped in and was like, “We’re not doing this!” And there were just like all these people being like, “You’re lying, you’re lying.”
Like, you are- I think you are walking into something that is maybe a little bigger than either of us realized. And I’m really excited to watch you walk into it.
ALEX: I still think I can do it.
PJ: Okay. Let’s take a call. Let’s open the phone lines.
ALEX: Sounds good.
ALEX: Hi, who’s this?
MONIQUE: Hi, this is Monique.
ALEX: Hi Monique, this is Alex.
PJ: And PJ.
MONIQUE: Hi guys.
PJ: So what’s going on here is that we’re talking to people who believe that Facebook is listening in on them using their microphones. And Alex, who’s done a lot of research, and as far as I can tell believes it’s not happening, he’ll try to give you an alternate explanation.
MONIQUE: Ok, so I have a very quick story, and this is so funny, I was just telling my friend about this last night. Um, so, a few months ago I was on the phone talking to my friend and she was talking about this device that she had bought, um, to help her open coconuts.
MONIQUE: It was this really weird thing and she was trying to explain–she was explaining this tool, but she couldn’t remember the name. And we get off the phone, and then that was it. And maybe 15, 20 minutes later, I’m scrolling on Facebook and I see an ad for this device called the Coco-Jack.
PJ: (laughs) The Coco-Jack?
MONIQUE: I screenshot it. And was like “Is this what you were talking about?” And she was like “Yes.” And ever since then, I’ve been convinced that they’re onto me.
ALEX: OK (clears throat).
PJ: God, this is like watching a conductor warm up.
ALEX: OK, is this person your friend on Facebook?
ALEX: Did she buy the Coco-Jack online?
MONIQUE: I don’t know for sure, but I don’t think she did.
PJ: I just watched a balloon deflate–
ALEX: No! Not necessarily.
ALEX: Do you know where she bought it?
MONIQUE: If I recall correctly, she was in Vegas at some, like um, weird little shop, like “as seen on TV” shop. And she picked it up there.
ALEX: Do you think that she was, like, frustrated by all her coconuts beforehand, and so she Googled like, “How to open coconuts?”
MONIQUE: Perhaps. Maybe. But why would I be seeing it on my- like I saw it on my feed?
ALEX: So Facebook has the ability to follow you around the internet as you browse. When you’re logged into Facebook, and you go to a shopping site, and you put something in your cart, and you decide not to buy it, the site will then transmit that information back to Facebook, saying, “Hey, this person’s really interested in the Coco Jack.” Right?
MONIQUE: Uh huh.
ALEX: So another thing that Facebook does is that it allows advertisers to advertise certain products to the friends of people who have either purchased or shown interest in that product. So your friend-
ALEX: -Being really into the Coco Jack, her favorite new device, might have left some kind of digital trail.
MONIQUE: I think that it’s a possibility, um–the way it happened. It happened so quick. As soon as we were off the phone, not long after I saw it in my feed. So I was convinced, like, oh, they heard me talk about a coconut opener, and now they’re trying to sell me one. That’s what it looked like.
ALEX: I understand. And that sounds creepy.
ALEX: And I empathize with feeling creeped out by it. But given an alternate explanation that does not require Facebook to be clandestinely listening to you using your microphone, which one feels more likely to you?
MONIQUE: (sighs) You know what? I’m still kind of convinced that they might be listening to me.
ALEX: Aw, Monique! You’re killing me here!
PJ: This is not happening for you today.
MIKE: A coworker of mine had, this is going to sound silly, but she had brought in a brand of cough drop that I had never heard of before. It was new. We were talking about how I’d never heard of this cough drop before, and I didn’t Google it. I didn’t get on my phone and look it up. And I’m scrolling through Instagram like, maybe an hour later. And all of a sudden, there’s an ad for this cough drop.
PJ: Alex Goldman, how do you explain that?
ALEX: Are you friends on Facebook with this friend who suggested, who- who brought in the cough drops?
MIKE: But can I- can I add a caveat?
MIKE: I wasn’t friends with them until after the cough drop incident.
PJ: (laughs) You’re so screwed.
ALEX: Oh boy.
JASON: We were talking about whether we prefer like a firm or a soft mattress. And a couple days later, I started getting served ads for a mattress company called Casper.
ALEX: So, Casper may have decided that they have, like, not penetrated the market in your town of people who are about to graduate from college and are probably going to need a mattress when they move into their own apartments. It’s very possible they know how much money you make because they buy information about you from data brokers. Facebook buys information.
PJ: Sir, are you finding this convincing?
JASON: It- it’s a decent explanation. It just, like this one sounds as like plausible as, my phone heard me have this conversation with my friend, and immediately after that conversation, I’m immediately being served this ad about mattresses.
ALEX: What could I possibly do to tip the scale in this situation?
PJ: Ok, let’s try another person to see if you have any chance of-
ALEX: Oh I’m definitely- I’m definitely going to convince someone.
PJ: So you are now 0-4?
ALEX: I can’t remember. Three or four.
TOM: Silicon Valley startup idea of a milkshake. And then for the next week I saw ads for Soylent in my Facebook scroll.
ALEX: And like what was the lag time between you mentioning it and seeing Soylent ads?
TOM: So I was visiting some family in a different town, and I remember the next week when I came back. It was within a couple of days.
ALEX: OK. Where were you visiting, and where do you live?
TOM: So I live in Des Moines, Iowa.
TOM: And I was visiting my wife’s cousins in Kansas City.
ALEX: OK. Both hotbeds of Soylent consumption. Do you have any friends who, um, consume Soylent?
TOM: Um, I had a coworker who was trying it for a while.
ALEX: Uh, around–
TOM: But I don’t think I’m friends with them on Facebook.
ALEX: Do you have any friends who live in San Francisco?
TOM: Uh… No.
ALEX: Can you (laughing)? PJ has to keep turning away from me because he’s laughing too hard about my futile attempts to convince people that-
PJ: I’ve never watched anyone do something so badly.
PJ: It’s like watching someone in the Olympics just fall down (laughs).
PJ: I didn’t think this would go like perfectly, but I did not think it would go this catastrophically so fast (laughs).
ALEX: What am I supposed to do? The problem here, which is the same problem with reporting out this story, is that Facebook not only is like a black box that tends to not want to tell you about how their stuff works. It is done using so many complex algorithms, that they don’t even know. If I was like, “Hey tell me how this ad got served to this gentleman,” the people of Facebook would say like, “I don’t know the answer to that.”
PJ: I feel like you’re reverse convincing me.
ALEX: What, like now-
PJ: I feel like I’m starting to go to the other side now.
JULIA: Hi, uh, my name is Julia.
ALEX: This is Alex. How are you doing?
JULIA: I’m great. How are you?
ALEX: I’m good. I’m going to try and convince you that Facebook is not listening to you. Is Facebook listening to you?
JULIA: Oh. 1000 percent. Um, so I was at a friend’s house a few weeks ago.
JULIA: We were talking about a guy that she went to high school with, and I went to college with. We did not look him up. We did not google him. We did not go on his Instagram or his Facebook.
JULIA: And the next day, both of us got him as a recommended follow on Instagram.
JULIA: And this is like not somebody who I had interacted with online literally in any capacity for like a good many years. And it was both of us that got the recommended follow, and you don’t get the recommended follows that often. So, it’s definitely listening to me.
ALEX: PJ’s- PJ is smirking at me because he thinks that I can’t answer this.
PJ: No, I’m just smiling because your face is covered in flop sweat.
ALEX: And you’re absolutely right that I can’t answer this one.
ALEX: Because ad targeting and the “people you may know” data sets are totally separate. I don’t- I haven’t been researching this. I have no idea. I have- I can’t answer this one.
JULIA: I do think it tells you, though, that the microphone is definitely listening.
ALEX: Uh- I-
JULIA: What it’s being used for…
ALEX: PJ can’t- PJ can’t keep it together. He’s losing his mind. He thinks this is so funny.
PJ: (laughing) I just think it’s funny because Alex had a lot of confidence (laughing harder, barely audible) he would have all the answers, and would be able to explain it to people.
ALEX: (laughing) I’m sorry Julia, I can’t answer this one. I’m going to have to let you go. Maybe they’re listening to you, and suggesting friends based on that, but I haven’t been paying attention to that.
PJ: (laughing) Wait–wait–you’re giving up instead.
ALEX: (laughing) I’m sorry?
JULIA: [Skype breaking up] You need to follow this. I do think it is like irrefutably the microphone is on.
JULIA: I think this is fair.
PJ: You’re not even arguing, Alex!
ALEX: Why would I argue? He’s like, “Why aren’t you arguing? Why aren’t you arguing?” I don’t know anything about how they decide who they should suggest to you as friends. They could be.
JULIA: But don’t you think this means that like the microphone is on, and is listening, and is recording information?
ALEX: I have no idea.
PJ: (laughing) Oh my god.
ALEX: PJ can’t take it. You need to pull yourself together. I’ve got to convince someone before the end of the day, and I’m definitely not going to do it with Julia.
PJ: (laughing) Well, I think that your argument is that maybe the microphone is listening to you is not going to convince anybody that the microphone is not listening.
ALEX: (laughing) It might. It might.
PJ: Julia, thank you so much.
ALEX: So, I wasn’t able to convince anybody, but whether you think Facebook is listening to you or not, we are going to put a bunch of information up on our website about how to prevent them from tracking you as much as they do. And if you do believe that Facebook is listening to you, we’ll also have instructions on there for how to disable the microphone privileges for your Facebook app. You can find it at replyall.limo/donttrackme.
Reply All is PJ Vogt and me, Alex Goldman. We were produced this week by Sruthi Pinnamaneni, Phia Bennin, and Damiano Marchetti. Production help from Jon Hanrahan. Our editor is Tim Howard. Our intern is Anna Foley. Fact checking by Michelle Harris. The show was mixed by Rick Kwan.
Special thanks this week to Zoe Kleiman, Christine McClellan and Emily Taylor. Matt Lieber is sitting on your couch and looking around at how nice your house looks after you just cleaned it. Our theme song is by the mysterious Breakmaster Cylinder and our ad music is by Build Buildings. You can listen to the show on Apple Podcasts, Spotify, or wherever you get your podcasts. Thanks for listening, we’ll see you in two weeks.