Latest Essays

A New Privacy Constitution for Facebook

Mark Zuckerberg wants to fix the social network. Here’s what he’ll need to do.

  • Bruce Schneier and Adam Shostack
  • OneZero
  • March 8, 2019

Facebook is making a new and stronger commitment to privacy. Last month, the company hired three of its most vociferous critics and installed them in senior technical positions. And on Wednesday, Mark Zuckerberg wrote that the company will pivot to focus on private conversations over the public sharing that has long defined the platform, even while conceding that "frankly we don't currently have a strong reputation for building privacy protective services."

There is ample reason to question Zuckerberg's pronouncement: The company has made—and broken—many privacy promises over the years. And if you read his 3,000-word post carefully, Zuckerberg says nothing about changing Facebook's surveillance capitalism business model.

Read More →

Cybersecurity for the Public Interest

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2019

The Crypto Wars have been waging off-and-on for a quarter-century. On one side is law enforcement, which wants to be able to break encryption, to access devices and communications of terrorists and criminals. On the other are almost every cryptographer and computer security expert, repeatedly explaining that there's no way to provide this capability without also weakening the security of every user of those devices and communications systems.

It's an impassioned debate, acrimonious at times, but there are real technologies that can be brought to bear on the problem: key-escrow technologies, code obfuscation technologies, and backdoors with different properties.

Read More →

There's No Good Reason to Trust Blockchain Technology

  • Bruce Schneier
  • Wired
  • February 6, 2019

In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: "We have proposed a system for electronic transactions without relying on trust." He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great promise, but it's just not true. Yes, bitcoin eliminates certain trusted intermediaries that are inherent in other payment systems like credit cards. But you still have to trust bitcoin—and everything about it.

Read More →

The Public-Interest Technologist Track at the RSA Conference

  • Bruce Schneier
  • RSA Conference Blogs
  • January 29, 2019

Our work in cybersecurity is inexorably intertwined with public policy and—more generally—the public interest. It's obvious in the debates on encryption and vulnerability disclosure, but it's also part of the policy discussions about the Internet of Things, cryptocurrencies, artificial intelligence, social media platforms, and pretty much everything else related to IT.

This societal dimension to our traditionally technical area is bringing with it a need for public-interest technologists.

Defining this term is difficult.

Read More →

Defending Democratic Mechanisms and Institutions against Information Attacks

  • Henry Farrell and Bruce Schneier
  • Defusing Disinfo
  • January 28, 2019

To better understand influence attacks, we proposed an approach that models democracy itself as an information system and explains how democracies are vulnerable to certain forms of information attacks that autocracies naturally resist. Our model combines ideas from both international security and computer security, avoiding the limitations of both in explaining how influence attacks may damage democracy as a whole.

Our initial account is necessarily limited. Building a truly comprehensive understanding of democracy as an information system will be a Herculean labor, involving the collective endeavors of political scientists and theorists, computer scientists, scholars of complexity, and others.

Read More →

Evaluating the GCHQ Exceptional Access Proposal

  • Bruce Schneier
  • Lawfare
  • January 17, 2019

The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI—and some of their peer agencies in the U.K., Australia, and elsewhere—argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdroping. Sometimes their complaint is about communications systems, like voice or messaging apps. Sometimes it's about end-user devices.

Read More →

Machine Learning Will Transform How We Detect Software Vulnerabilities

  • Bruce Schneier
  • SecurityIntelligence
  • December 18, 2018

No one doubts that artificial intelligence (AI) and machine learning will transform cybersecurity. We just don't know how, or when. While the literature generally focuses on the different uses of AI by attackers and defenders — and the resultant arms race between the two — I want to talk about software vulnerabilities.

All software contains bugs.

Read More →

The Most Damaging Election Disinformation Campaign Came From Donald Trump, Not Russia

  • Bruce Schneier and Henry Farrell
  • Motherboard
  • November 19, 2018

On November 4, 2016, the hacker "Guccifer 2.0," a front for Russia's military intelligence service, claimed in a blogpost that the Democrats were likely to use vulnerabilities to hack the presidential elections. On November 9, 2018, President Donald Trump started tweeting about the senatorial elections in Florida and Arizona. Without any evidence whatsoever, he said that Democrats were trying to steal the election through "FRAUD."

Cybersecurity experts would say that posts like Guccifer 2.0's are intended to undermine public confidence in voting: a cyber-attack against the US democratic system. Yet Donald Trump's actions are doing far more damage to democracy.

Read More →

Surveillance Kills Freedom By Killing Experimentation

  • Bruce Schneier
  • Wired
  • November 16, 2018

Excerpted from the upcoming issue of McSweeney's, "The End of Trust," a collection featuring more than 30 writers investigating surveillance, technology, and privacy.

In my book Data and Goliath, I write about the value of privacy. I talk about how it is essential for political liberty and justice, and for commercial fairness and equality. I talk about how it increases personal freedom and individual autonomy, and how the lack of it makes us all less secure. But this is probably the most important argument as to why society as a whole must protect privacy: it allows society to progress.

Read More →

Information Attacks on Democracies

  • Henry Farrell and Bruce Schneier
  • Lawfare
  • November 15, 2018

Democracy is an information system.

That's the starting place of our new paper: "Common-Knowledge Attacks on Democracy." In it, we look at democracy through the lens of information security, trying to understand the current waves of Internet disinformation attacks. Specifically, we wanted to explain why the same disinformation campaigns that act as a stabilizing influence in Russia are destabilizing in the United States.

The answer revolves around the different ways autocracies and democracies work as information systems.

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.