Schneier on "Security, Privacy, and the Generation Gap"

Last month at the RSA Conference, I gave a talk titled "Security, Privacy, and the Generation Gap." It was pretty good, but it was the first time I gave that talk in front of a large audience -- and its newness showed.

Last week, I gave the same talk again, at the CACR Higher Education Security Summit at Indiana University. It was much, much better the second time around, and there's a video available.

Posted on April 9, 2010 at 12:55 PM • 12 Comments

Comments

WayneApril 9, 2010 2:51 PM

Hmm the video doesn't work. I keep getting "Server not found: rtmp://flashstream.indiana.edup/ip" message. Server overwhelmed by popular demand? Flash is working fine on PC.

ShaneApril 9, 2010 2:55 PM

Really enjoyed your presentation. There's a lot of great quotes. Is there a transcript?

GregApril 9, 2010 7:00 PM

Nice presentation, I'm really happy to have the chance to hear you speak on a recent topic. Thankfully I can now put my suspicion that you are also my sister's partner out of my mind as I've now heard your voice. Er wait, I don't know that is your voice...

YousefApril 10, 2010 5:13 AM

Excellent lecture; however, I have one query:
Given how technologically ignorant most politicians are - not to mention their propensity to be lobbied - how do you expect to get any decent laws to govern privacy?

Yet another BruceApril 10, 2010 5:33 AM

@Wayne: it says "indiana.edup", so once you get rid of the extra "p", it should work.

rfApril 10, 2010 9:48 AM

You could also try the rtmp url:

rtmp://flashstream.indiana.edu/ip/flv/vic/higher_ed_cybersecurity_summit_20100401

If you have such a player.

Stephan EngbergApril 12, 2010 2:10 AM

Bruce

Great talk with many insights

One comment
You cannot solve the problems with the way of thinking that created the problems.

Your approach is accepting that all data is identified and regulate it. Whereas you suggest nothing in the direction of preventing data from being identifiable in the first place.

To use your pollution analogy, it is like trying to manage toxic garbage dumps while ignoring the processes creating the toxic vaste in the first place.

We need to change paradigm to one of enabling non-identified services.

Non-identified services is not anonymous if the process naturally cannot be (my employer, doctor and friends will know who I am), but even in these cases we can avoid that any database know.

In my view, you are using double standards when you say that anonymisation is hard and thus only talk about laws but dont include virtualisation of real world entities (physical devices and legal persons) as an essential of to preventive security.

The real public/political choice is to virtualise through infrastructure to ensure online transactions can occur non-identified.

But to start understanding the economics - it is NOT benefiscial to society that gatekeepers take control of information (can identify) or cartel standards prevent innovation by removing the choice from citizens to choose the better service that is not agreeable to some commercial cartel or some bureaucrat control freak.

We need to start by focusing on the value transactions - government and comemrcial. Later dealing with the social transactions which are much harder as - as you so rightly say - the market is distorted when people pay for services with abuse of their data thus becomming providers instead of consumers.

Politely Bruce. Your knowledge of understanding of many of these issues are impressive, but you get the route to re-empowering the citizen wrong.

We need to understand that we are killing markets ability to generate wealth (except for the few war that essentially steal values form others) and democracies ability to ensure stability and balancing of opposite forces.

You dont have freedom of speech if you can only speak identified. You dont have freedom of choice and ability to negotiate if your otential providers are vastly supperior in knowledge ABOUT YOU and processing capabilities.

Re-empowering require the possibility of end-to-end transaction isolation - (having to) trust people but never making systems you are vulnurable towards.

The best example I have is Digital Product (Id/RFID) where I shamelessly refer you to my slides from an EU consultation in 2006.
http://www.rfidconsultation.eu/docs/ficheiros/Stephan_J_Engberg.pdf

This is now hapening in the market place. And just because one provider did, it is altering the structure of markets. RFID manufacturers are scrambling to make RFIDs where consumers get control and enable services without creating identifiable data.

The Real ShaneApril 12, 2010 11:57 AM

@Bruce

Someday, good sir, remind me that I need to shake your hand. Vigorously.

Jeremy L. GaddisApril 13, 2010 11:03 PM

Bruce,

It was a pleasure to hear you speak and your talk was quite interesting. Thanks for taking a moment to chat and sign my old, worn copy of "Secrets & Lies" as well. It was a pleasure having you join us.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..