I’m in a locked room, underneath a volcano somewhere in the southern hemisphere, talking to one of the world’s leading security experts, Bruce Schneier. We’re discussing the NSA, squid, Edward Snowden, Chuck Norris, and what parents should really be worrying about when their kids go online. His new book, “Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World,” is picking up rave reviews.
GeekDad: Bruce, please tell us who you are in fourteen words.
Schneier: Security technologist. Speaker, author, researcher. Security and privacy advocate. Anti-fear. Meta meta meta guy.
GeekDad: Do you have kids or spend time with kids?
Schneier: I have no children and four grandchildren, three of whom live near me.
GeekDad: You work on serious security issues, and have even briefed Congress about Edward Snowden. But it seems that the Edward Snowden story has not changed most people’s behavior online. I think we just assume that our data is being collected and that we’re not worth anyone’s time to sift it. We’re maybe more worried about kids seeing our “recently viewed” list on Netflix, our spouse seeing our Google search history, and our employers knowing how much time we’re on LinkedIn. Can you tell us why we should be less complacent about our data?
Schneier: Because things are done with it in our name. Our data determines what sorts of advertising we see, but it also determines what sort of offers we receive and prices we’re offered. It determines what mortgage rate we get, and whether or not we even get a mortgage. It helps prospective employers decide whether or not to offer us a job, and helps the TSA decide whether or not to let us fly an airplane. It can make us the subject of a criminal investigation and — in extreme cases — result in the US dropping a drone strike on our heads. It is used to make inferences about what we think and want, what we do and can do. In many areas of our lives, what our data says is more important than what we say.
GeekDad: One project I’m producing at WGBH is focused on creating a platform for contemporary media literacy for kids. In one example we show kids that sharing photos can also inadvertently disclose their geo-location. What kinds of data do you think kids or parents should be most concerned about, either for kids now or for when these kids are out in the world later as adults, followed by a massive trail of digital footprints?
Schneier: If you’re worried about which specific kinds of data you should be most concerned about, you’re not thinking about the problem correctly. It’s not this data stream versus that data stream; it’s all of our data, mixed together and correlated. It’s our locations being constantly tracked by our cell phones. It’s our personal relationships constantly being tracked by our phone calls, text messages, emails, and Facebook chatter. It’s our intimate thoughts and concerns being collected by our search engines. It’s what we do and what we buy, where we go and who we go with. It’s cameras plus face recognition plus Facebook’s database of tagged photos. It’s everything.
GeekDad: When I make kids games or apps, I tend to consider any data to be collected as part of a transaction: I collect a login name from you as a player so that you can save a game state or something you’ve uploaded like a drawing. It’s a fair exchange and one that’s the least invasive it can be for the purpose. And you’ve said that you like Amazon’s recommending books to you based on your prior purchases. So how far do you think we can or should go before trading data and privacy for cool tools, recommendations, or free email services takes us down a rabbit hole we cannot escape? Is there a tipping point or point of no return?
Schneier: Kind of depends, doesn’t it? You’re right, in many cases it’s part of the transaction. When you turn Google Maps on and let it give you directions and real-time traffic information, you are allowing the company to have you under constant surveillance. You make that same bargain with your cell phone company; otherwise the device couldn’t ring when someone calls you. When you use Facebook to interact with all your friends, you are allowing the company to know who your friends and associates are, what you are interested in with them, and so on. When you use Google search, you are willingly giving the company deep insight into everything you’re thinking about. And you are allowing those companies to do whatever they want with the data — publish it, use it to surreptitiously manipulate you into purchasing things, share it with friendly and hostile governments, anything — forever. The question is whether most people are fully cognizant of this transaction, and whether or not it’s fair. I maintain that the answers are “not much” and “no.” So, yes, free services are seductive, but the cost may be too high. And I don’t think there is a point of no return. I don’t think there is a point where society is irrevocably locked into a system where powerful corporations have the entire population under constant surveillance and there is nothing that can be done. That’s just fatalism. Society has made bigger moral corrections in the past, and we can correct this one.
GeekDad: For the most part you seem to be a pretty public person. As someone who writes so much about the data that companies and government collect about us, I was surprised to find so much about you in plain sight online. How much of that is your choice to share it, and how much is it the cost of trying to live and work in the 21st century?
Schneier: Honestly, I don’t know what you found. I don’t think of myself as a public person. I think of myself as a pretty private person. Like everyone else, I do what I have to do to live in society. I have a smartphone, and I use it constantly. I have an e-mail address, and I use search engines. I prefer DuckDuckGo to Google, because it doesn’t track your searches, but it’s not as good a search engine. I don’t have a Facebook account. I don’t have a Twitter account. I don’t do a lot of things. But you’re right, all of the surveillance technologies we use are necessary to be a fully functioning member of society these days, and turning them off isn’t really an option.
GeekDad: Clearly your work requires you to talk to people who are outside of the public view. What lengths do you go to when you need to communicate electronically to maintain your privacy?
Schneier: I go to the lengths necessary, and that includes the precaution of not describing them in much detail in public.
GeekDad: I read a piece about the security at ICANN where they maintain domain name registrations with secret meetings in vaults for which people hold parts of a key, each piece locked in security boxes. It read like a science fiction spoof. Is this where we need to be headed if we want to stay really private? Or to go off the grid like Gene Hackman in Enemy of the State?
Schneier: That ICANN protocol isn’t about privacy, it’s about security against both technical and legal attacks. But you’re right. If we want to stay private from large government organizations, whether it be the NSA or the Chinese equivalent, we have to take extreme technical measures. And even then we’re not truly safe against targeted attacks.
GeekDad: Talking of science fiction, you were nominated for a Hugo award for a book of restaurant reviews. Even your blog has recipes for squid. Is food critic the Clark Kent half of your identity?
Schneier: Not half, but a part of.
GeekDad: The other half is clearly your Superman status online. I found a fact website like one for Chuck Norris. In the interests of accuracy, would you care to confirm or deny any of the following facts about you I found there?
Bruce Schneier instantly knows the amount of Jelly Beans in a jar.
Bruce Schneier speaks fluent Navajo.
Geologists recently discovered that “earthquakes” are nothing more than Bruce Schneier and Chuck Norris communicating via a roundhouse kick-based crypto system.
Bruce Schneier’s mother’s maiden name is a large prime number.
Bruce Schneier tap-dances in Morse Code.
Schneier: Having read through every Bruce Schneier Fact, I can state without hesitation that they are 100% accurate.
GeekDad: You’re credited with coining the term Security Theater for what we now go through at airports. What makes you craziest about any of those procedures when you travel? And would it be more classy if we spelled it Security Theatre?
Schneier: There’s a lot about airport security to make you crazy. For me, mostly it’s amateur travellers who don’t know what to do. Luckily, the PreCheck line is mostly populated by seasoned travellers who know what to do and how to get through the checkpoints most efficiently. And that’s precisely the problem with PreCheck. It’s fundamentally class-based, and that’s morally and politically wrong. By segregating people into those who can afford to use the streamlined system and those who cannot, we ensure that the very people who can improve the mess that is airport security never get to experience it. Force Congressmen to routinely go through the most annoying security possible, and it’ll change pretty quickly.
GeekDad: Lastly, you’re known for red herrings such as giving the NSA’s address in Maryland as your own when asked. Do you ever edit your Wikipedia page with misinformation? If not, what would you add? Perhaps to add a Latin Grammy or a rare but delicious squid you discovered?
Schneier: It’s a major Internet faux pas to edit your own Wikipedia page, so I don’t. For a while my page said that I had two cats, Ditzy and Margo. There was a back-and-forth between editors over whether that information was relevant to an encyclopedia entry, but what amused me is that those were not the names of my two cats.