Schneier Lecture "The Future of Privacy"

Last Wednesday I gave a lecture on "The Future of Privacy" at the University of Southern California. The audio is online.

Posted on October 5, 2006 at 9:26 PM • 14 Comments

Comments

TomOctober 5, 2006 9:55 PM

Darn, was this lecture open to all students/faculty/everyone? I go to USC but didn't hear about this, otherwise I would have gone!

DrixOctober 6, 2006 6:23 AM

I must say it's a very concise presentation of many of the arguements I've been trying to drill home to friends and colleagues. It's good work. Prehaps I can get one or two of them to listen. Goodness knows, they're all too busy to read anything I link them to... or at least that's their excuse.

Adam DurandOctober 6, 2006 9:13 AM

I listened to it last week, and I must say, that was an excellent lecture.

tony the tigerOctober 6, 2006 12:16 PM

Very interesting talk. The one thing you may want to start to reconsider is your position that there are 3 things that make air travel safer, air marshals, locked cockpits and passengers knowing they have to fight for their safety. I think the pendulum on the third point is starting to swing the opposite way. Just ask Seth Stein. Now we have to worry about the jerk in the seat behind us beating the crap out of us because he/she doesn't like the way we are fiddling with our Ipod. So now I have to worry about fighting off terrorists and other passengers. Great!

Lemming#33203183October 6, 2006 5:30 PM

Very interesting talk, here are a few notes (which don't do justice, and most are distillations and not direct quotes):
------------------ begin ---------------------------
The debate is *not* security vs. privacy. (think of a locked door). "The real debate is liberty versus control."

The problems with companies recording our data come mainly from the *secondary* uses (i.e., what happens once our data is sold to someone else).

Mutual disclosure (the police officer shows his id, and I show mine) is not the
answer, because of the power imbalance.

* "Security, I think, is liberty plus privacy."

There are times when security and privacy are at odds.

"In general in our society, when privacy has to be violated we maintain security* through a mechanism called oversight."

The death of privacy is not inevitable, despite the claims over the decades to the contrary.

"What we are lacking in our country is a comprehensive privacy law."

Short term we're going to lose, but "eventually society won't be able to sustain no privacy, that there will be a backlash."

"this is a multiyear project, I give this project ten, twenty years."
------------------ end ---------------------------

I agree wholeheartedly that a comprehensive privacy law is the solution.

Bruce seems to say that we're going to have to lose our privacy first, and then have the kind of disaster that will cause us to pass a law protecting it, because this is the way our system works: when we have "grandmas calling congressmen" that's when we get a law passed.

So we need to have a privacy law ready to go when that time comes. (Ironically, much the same way the Patriot Act was pretty much off-the-shelf.)

Pat CahalanOctober 6, 2006 5:36 PM

> "What we are lacking in our country is a comprehensive privacy law"

Examining the trend in privacy laws, I would say this is going to occur faster than we may think it will occur. I'm a little more optimistic on this point than most people, I think.

Lemming#33203183October 6, 2006 6:59 PM

@Pat Cahalan, I'm wondering what gives you that optimism.

The public don't seem to understand the issues involved yet, and they're still too busy being afraid of terrorism to worry about either big brother or corporate databrokers.

Meanwhile, corporations have a vested interest in being able to collect and buy and sell your information. Therefore, just as in California, they will lobby hard against consumer privacy protections. Why shouldn't they?

I fully expect that as soon as anything approaching real privacy protection gets passed in the states, the feds will pass something that supercedes it and waters it down to nothing, just as they have with a number of other issues relating to consumer protections. (States' rights only applies when it fits a certain agenda, apparently, but I digress.)

I'm also wondering who is out there putting together a law and what principles they are basing it on. One point of Bruce's talk was that such laws need to be technology-neutral, since we can't forsee the next tech innovation and the privacy challenges it will bring.

And for that matter, how did the Europeans get whatever laws they have? Was there a crisis first, or just those who remember police states?

LarsOctober 9, 2006 3:55 AM

Just halfways through the lecture, but it seems to me that one of the main problems you have over there in the US is solved in german data protection laws (or privacy laws, my translation abilities are kinda lost here) quite good. For example there is a law that determines that any data collection activity has to be bound to some purpose and that the (personal or personalizable) data collected cannot be used for any other purpose. (This includes that the data cannot be given to anyone else if not stated in the original purpose.)

And of course the person whose data is collected has to agree to any purpose for which the data is collected. Privacy laws around here are probably one thing I do like.

OverseasOctober 9, 2006 1:02 PM

@ Bruce - great lecture.

Privacy Laws - hmmm. If COPPA and HIPPA is setting the standard, you might be tempted to ask - Why even bother? Sure US will get privacy laws, but most of these will be both less comprehensive and equally unable to prevent abuse as the european laws.
California was on to something sensible around RFID, but Arnold just vetoed after massive lobbying.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..