Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, Bruce Schneier, 2015
Schneier is a world-class expert in cryptography and internet security. He is one of the first people contacted by Glenn Greenwald and the Guardian to help analyze the Edward Snowden papers. Schneier credits Snowden with informing us of the extent of NSA surveillance today.
Schneier’s first book, Applied Cryptography, was published in 1993. The US military and government had fought a twenty-year battle to prevent use of strong encryption, except by the military, ending with a plan to allow encryption only if government back doors were placed in the technology. The market decreed that such technology was unsellable and Schneier thought by 1990 the battle to control encryption had been won. Snowden revealed that the government had simply gone underground, secretly inserting hardware and software into systems to give themselves the desired encryption back doors. The NSA maintains a small army of cyber hackers who look for vulnerabilities in existing systems. Once found, they may create software hacks to exploit the vulnerability, or they may simply stockpile the vulnerability for future use. Occasionally they may even tell the developers about the problem so the hole can be fixed, but this is rare.
One Snowden disclosure has the NSA intercepting Cisco communications equipment shipments to modify the hardware before forwarding the equipment to its destination. The Watergate break-ins pale by comparison with a government acting completely out of control.
Again, after Snowden, the market is speaking, and Schneier puts the three-year estimated cost in lost US business because of the Snowden revelations at $180 billion. So where are the major fixes by Congress and the administration to rein in the illegal and unconstitutional abuses? Nowhere.
A part of the problem is that US corporations are equally guilty of illegally collecting and mining private data on their users. So a lot of pressure that corporations should be applying to the government to rein its surveillance in can backfire and constrain the corporations’ own surveillance. This they strongly oppose. The corporations are as guilty of secrecy as the government, so the actual data collected, the length of retention, where the data is kept, the uses made of the data (data mining), the sale of the data, etc. are all kept secret from the user. Without sanctions and enforcement, user data will never be safe.
Schneier is an optimist and believes that we can find solutions to this massively invasive surveillance, but it’s hard to see even from this book.
Schneier gives a few hints about protecting yourself from surveillance but admits that, other than encrypting your communications, little can be done. The internet and cell phones won’t work unless location and metadata are clear (not encrypted), and Schneier goes to great lengths to show how metadata can reveal even more useful detail to government and corporate spies than the content of communications. Metadata can be automatically analyzed by computer and networks of communication easily constructed. Latanya Sweeney, a computer science professor, conducted a study in 1990 using census data, and found that zip code, birth date, and sex could be combined to uniquely identify 87% of the United States population. Metadata mining can be used by government to study protest groups and by business to exploit connections with highly targeted marketing and product placement. Neither government nor the corporations are likely to give this ability up without a major fight.
Schneier mentions DuckDuckGo, a search engine that does not track users. Tor is an anonymous web browser. Wickr offers encrypted messaging. Ello is a social network that does not track users. Snowden used encryption and secure messaging when communicating with Greenwald and Poitras.
Coming under particular scrutiny here are Google and Facebook, both because of their dominant market positions and because of their aggressive exploitation of user data to generate revenue. This reader was an early user of Google when they first were available on the web. The searches for obscure information needed for a software developer were vastly superior to other search engines like Yahoo so this reader has stuck with them. But as advertising hits have become more pervasive and since most of these hits don’t actually retrieve pages, this reader is now in the market for an alternative search engine and is trying DuckDuckGo.
One of Schneier’s scariest observations is that we seem very adaptable: we get used to the obvious use of our private information by corporations for their own exploitation. We conclude quickly that that is just the way things are, and we like the modern technology and the capabilities it gives us. We don’t see the dangers of government and corporate surveillance. He gives some attention to the “creepy threshold”, the point at which the user senses that the internet services seem to be drawing inferences about us that we never anticipated. Beyond this threshold, users are likely to object. Schneier points out that mass surveillance is not effective as a means of uncovering either crime or acts of terror. Traditional investigative police work would be far more effective, but the governments seem determined to spend their resources on nonproductive mass surveillance.
Fixing privacy protection is made more difficult by the global nature of the internet. The user’s data can be stored and mined anywhere in the world. Each country has its own privacy rules and levels of enforcement. There could be engineered technical solutions created by the Internet governing bodies but deploying them would encounter enormous resistance from governments and corporations.
Schneier calls for a new Magna Carta to reaffirm that the legitimacy of rulers (whether political or corporate) comes from the subjects. He points to the 2009 Madrid Privacy Declaration as
…the most robust articulation of privacy rights in the modern age.