Authors: Bruce Schneier
Data and Goliath (2 page)
Chapter 5 turns to government surveillance. Governments around the world are surveilling
their citizens, and breaking into computers both
domestically and internationally. They want to spy on everyone to find terrorists
and criminals, and—depending on the government—political activists, dissidents, environmental
activists, consumer advocates, and freethinkers. I focus mainly on the NSA, because
this is the secret government agency we know best, because of the documents Edward
Snowden released.
Corporations and governments alike have an insatiable appetite for our data, and I
discuss how the two work together in Chapter 6. I call it a “public-private surveillance
partnership,” and it’s an alliance that runs deep. It’s the primary reason that surveillance
is so pervasive, and it will impede attempts to reform the system.
All of this matters, even if you trust the corporations you interact with and the
government you’re living under. With that in mind, Part Two turns to the many interrelated
harms that arise from ubiquitous mass surveillance.
In Chapter 7, I discuss the harms caused by government surveillance. History has repeatedly
demonstrated the dangers of allowing governments to conduct unchecked mass surveillance
on their citizens. Potential harms include discrimination and control, chilling effects
on free speech and free thought, inevitable abuse, and loss of democracy and liberty.
The Internet has the potential to be an enormous driver of freedom and liberty around
the world; we’re squandering that potential by allowing governments to conduct worldwide
surveillance.
Chapter 8 turns to the harms caused by unfettered corporate surveillance. Private
companies now control the “places” on the Internet where we gather, and they’re mining
the information we leave there for their own benefit. By allowing companies to know
everything about us, we’re permitting them to categorize and manipulate us. This manipulation
is largely hidden and unregulated, and will become more effective as technology improves.
Ubiquitous surveillance leads to other harms as well. Chapter 9 discusses the economic
harms, primarily to US businesses, that arise when the citizens of different countries
try to defend themselves against surveillance by the NSA and its allies. The Internet
is a global platform, and attempts by countries like Germany and Brazil to build national
walls around
their data will cost companies that permit government surveillance—particularly American
companies—considerably.
In Chapter 10, I discuss the harms caused by a loss of privacy. Defenders of surveillance—from
the Stasi of the German Democratic Republic to the Chilean dictator Augusto Pinochet
to Google’s Eric Schmidt—have always relied on the old saw “If you have nothing to
hide, then you have nothing to fear.” This is a dangerously narrow conception of the
value of privacy. Privacy is an essential human need, and central to our ability to
control how we relate to the world. Being stripped of privacy is fundamentally dehumanizing,
and it makes no difference whether the surveillance is conducted by an undercover
policeman following us around or by a computer algorithm tracking our every move.
In Chapter 11, I turn to the harms to security caused by surveillance. Government
mass surveillance is often portrayed as a security benefit, something that protects
us from terrorism. Yet there’s no actual proof of any real successes against terrorism
as a result of mass surveillance, and significant evidence of harm. Enabling ubiquitous
mass surveillance requires maintaining an insecure Internet, which makes us all less
safe from rival governments, criminals, and hackers.
Finally, Part Three outlines what we need to do to protect ourselves from government
and corporate surveillance. The remedies are as complicated as the issues, and often
require fine attention to detail. Before I delve into specific technical and policy
recommendations, though, Chapter 12 offers eight general principles that should guide
our thinking.
The following two chapters lay out specific policy recommendations: for governments
in Chapter 13, and for corporations in Chapter 14. Some of these recommendations are
more detailed than others, and some are aspirational rather than immediately implementable.
All are important, though, and any omissions could subvert the other solutions.
Chapter 15 turns to what each of us can do individually. I offer some practical technical
advice, as well as suggestions for political action. We’re living in a world where
technology can trump politics, and also where politics can trump technology. We need
both to work together.
I end, in Chapter 16, by looking at what we must do collectively as a society. Most
of the recommendations in Chapters 13 and 14 require a shift in
how we perceive surveillance and value privacy, because we’re not going to get any
serious legal reforms until society starts demanding them. There is enormous value
in aggregating our data for medical research, improving education, and other tasks
that benefit society. We need to figure out how to collectively get that value while
minimizing the harms. This is the fundamental issue that underlies everything in this
book.
This book encompasses a lot, and necessarily covers ground quickly. The endnotes include
extensive references for those interested in delving deeper. Those are on the book’s
website as well: www.schneier.com/dg.html. There you’ll also find any updates to the
book, based on events that occurred after I finished the manuscript.
I write with a strong US bias. Most of the examples are from the US, and most of the
recommendations best apply to the US. For one thing, it’s what I know. But I also
believe that the US serves as a singular example of how things went wrong, and is
in a singular position to change things for the better.
My background is security and technology. For years, I have been writing about how
security technologies affect people, and vice versa. I have watched the rise of surveillance
in the information age, and have seen the many threats and insecurities in this new
world. I’m used to thinking about security problems, and about broader social issues
through the lens of security problems. This perspective gives me a singular understanding
of both the problems and the solutions.
I am not, and this book is not, anti-technology. The Internet, and the information
age in general, has brought enormous benefits to society. I believe they will continue
to do so. I’m not even anti-surveillance. The benefits of computers knowing what we’re
doing have been life-transforming. Surveillance has revolutionized traditional products
and services, and spawned entirely new categories of commerce. It has become an invaluable
tool for law enforcement. It helps people all around the world in all sorts of ways,
and will continue to do so far into the future.
Nevertheless, the threats of surveillance are real, and we’re not talking about them
enough. Our response to all this creeping surveillance has largely been passive. We
don’t think about the bargains we’re making, because they haven’t been laid out in
front of us. Technological changes occur, and we accept them for the most part. It’s
hard to blame us; the
changes have been happening so fast that we haven’t really evaluated their effects
or weighed their consequences. This is how we ended up in a surveillance society.
The surveillance society snuck up on us.
It doesn’t have to be like this, but we have to take charge. We can start by renegotiating
the bargains we’re making with our data. We need to be proactive about how we deal
with new technologies. We need to think about what we want our technological infrastructure
to be, and what values we want it to embody. We need to balance the value of our data
to society with its personal nature. We need to examine our fears, and decide how
much of our privacy we are really willing to sacrifice for convenience. We need to
understand the many harms of overreaching surveillance.
And we need to fight back.
—Minneapolis, Minnesota, and Cambridge, Massachusetts, October 2014
Data as a By-product of Computing
C
omputers constantly produce data. It’s their input and output, but it’s also a by-product
of everything they do. In the normal course of their operations, computers continuously
document what they’re doing. They sense and record more than you’re aware of.
For instance, your word processor keeps a record of what you’ve written, including
your drafts and changes. When you hit “save,” your word processor records the new
version, but your computer doesn’t erase the old versions until it needs the disk
space for something else. Your word processor automatically saves your document every
so often; Microsoft Word saves mine every 20 minutes. Word also keeps a record of
who created the document, and often of who else worked on it.
Connect to the Internet, and the data you produce multiplies: records of websites
you visit, ads you click on, words you type. Your computer, the sites you visit, and
the computers in the network each produce data. Your browser sends data to websites
about what software you have, when it was installed, what features you’ve enabled,
and so on. In many cases, this data is enough to uniquely identify your computer.
Increasingly we communicate with our family, friends, co-workers, and casual acquaintances
via computers, using e-mail, text messaging, Facebook, Twitter, Instagram, SnapChat,
WhatsApp, and whatever else is
hot right now. Data is a by-product of this high-tech socialization. These systems
don’t just transfer data; they also create data records of your interactions with
others.
Walking around outside, you might not think that you’re producing data, but you are.
Your cell phone is constantly calculating its location based on which cell towers
it’s near. It’s not that your cell phone company particularly cares where you are,
but it needs to know where your cell phone is to route telephone calls to you.
Of course, if you actually use that phone, you produce more data: numbers dialed and
calls received, text messages sent and received, call duration, and so on. If it’s
a smartphone, it’s also a computer, and all your apps produce data when you use them—and
sometimes even when you’re not using them. Your phone probably has a GPS receiver,
which produces even more accurate location information than the cell tower location
alone. The GPS receiver in your smartphone pinpoints you to within 16 to 27 feet;
cell towers, to about 2,000 feet.
Purchase something in a store, and you produce more data. The cash register is a computer,
and it creates a record of what you purchased and the time and date you purchased
it. That data flows into the merchant’s computer system. Unless you paid cash, your
credit card or debit card information is tied to that purchase. That data is also
sent to the credit card company, and some of it comes back to you in your monthly
bill.
There may be a video camera in the store, installed to record evidence in case of
theft or fraud. There’s another camera recording you when you use an ATM. There are
more cameras outside, monitoring buildings, sidewalks, roadways, and other public
spaces.
Get into a car, and you generate yet more data. Modern cars are loaded with computers,
producing data on your speed, how hard you’re pressing on the pedals, what position
the steering wheel is in, and more. Much of that is automatically recorded in a black
box recorder, useful for figuring out what happened in an accident. There’s even a
computer in each tire, gathering pressure data. Take your car into the shop, and the
first thing the mechanic will do is access all that data to diagnose any problems.
A self-driving car could produce a gigabyte of data per second.
Snap a photo, and you’re at it again. Embedded in digital photos is information such
as the date, time, and location—yes,
many cameras have GPS—of the photo’s capture; generic information about the camera,
lens, and settings; and an ID number of the camera itself. If you upload the photo
to the web, that information often remains attached to the file.
It wasn’t always like this. In the era of newspapers, radio, and television, we received
information, but no record of the event was created. Now we get our news and entertainment
over the Internet. We used to speak to people face-to-face and then by telephone;
we now have conversations over text or e-mail. We used to buy things with cash at
a store; now we use credit cards over the Internet. We used to pay with coins at a
tollbooth, subway turnstile, or parking meter. Now we use automatic payment systems,
such as EZPass, that are connected to our license plate number and credit card. Taxis
used to be cash-only. Then we started paying by credit card. Now we’re using our smartphones
to access networked taxi systems like Uber and Lyft, which produce data records of
the transaction, plus our pickup and drop-off locations. With a few specific exceptions,
computers are now everywhere we engage in commerce and most places we engage with
our friends.
