Trust: Ill-Advised in a Digital Age
Las Vegas
Bruce Schneier ordered a Coke, no ice, at the Rio casino on a Saturday afternoon. I ordered Diet Coke, also no ice, and handed the bartender an American Express card. He said he needed to see proof of identity. Credit cards are often stolen around here, and eight casino workers had recently been fired for not demanding ID, he quietly explained. The bartender wanted to keep his job.
Mr. Schneier, 49, is a student of interactions like this, offline and on. He is a cryptographer, blogger and iconoclast in the world of computer security, and his latest subject of inquiry is trust: how it is cultivated, destroyed and tweaked in the digital age.
Offline, he likes to point out, we have ways to establish trust, as in this casino, where we expect the bartender to serve us a soda, not a poisoned chalice. We establish trust based on how we speak, whether we appear drunk or deranged, whether we meet at a casino or a toy store—and also, irrationally, on attributes like race and age.
Online, this becomes even more complicated, Mr. Schneier argues. We no longer think twice about letting our friends see our vacation pictures on Flickr, now owned by Yahoo. So habituated have we become to revealing intimate details, Mr. Schneier writes, that we forget that Facebook, the company, can read our missives at any time, potentially forever.
Mr. Schneier is in charge of technology security at BT, the British telecommunications company. His latest book, “Liars and Outliers: Enabling the Trust That Society Needs to Thrive,” published earlier this year by Wiley, is filled with foreboding: less about technology than about the vulnerability of the heart and mind.
“The technology changes how our social interactions work, but it’s easy to forget that,” he writes. “In this way, our traditional intuition of trust and security fails.”
That failure brings new dilemmas in the Internet age. How do you know whether the e-mail that looks as if it’s from your bank is real? Should you trust Apple with your credit card information? (A spectacular hack last weekend of a technology blogger’s Apple account raised this sobering question.) Can you trust the authorities to respect your online privacy? (The Department of Homeland Security has been known to comb through Twitter for key words—like pipe bomb, plume and listeria—that might signal trouble.)
Distrust recently helped scuttle what was to be a landmark law to protect critical infrastructure from cyberattack. The measure would have encouraged companies to share information with the government on cyberthreats. Suspicion of authority animates the chat rooms of activist hackers associated with Anonymous. A prominent member who went by the alias Sabu turned out last year to be an F.B.I. informant who helped to indict several fellow hacktivists.
Trust, Mr. Schneier writes, is the glue that binds our societies. Over centuries we have invented various means of ensuring it: moral codes, reputation within a certain community, laws and of course security tools, from embankments, the most primitive kind of defense, to facial-recognition technology.
The liars he worries about most these days are not cyberwarriors or even cybercriminals but private companies and government agencies advancing their own interests, whether for surveillance or commerce. Apple controls the memory on our iPhones. Google keeps tabs on what we search for, and whom we write to, when we use Gmail. We unknowingly pledge allegiance to the companies we do business with.
“Now we have to trust all these entities,” Mr. Schneier warned. “Google has great customer service. Problem is, you’re not the customer.” He added later: ” ‘Security’ is now a catchall excuse for all sorts of authoritarianism, as well as for boondoggles and corporate profiteering.”
Mr. Schneier is not exactly hiding in a cave subsisting on berries. His Twitter feed (@Schneierblog) has nearly 20,000 followers. His author page on Facebook links to reports and papers on topics like how to hack hotel room keys, how to devise “implicit authentication” (which relies on subconscious memory rather than hard-to-remember passwords) and how to fool eye scanners. “We already know you can wear fake irises to fool a scanner into thinking you’re not you,” he wrote, “but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you’re someone else.”
A native New Yorker who lives in Minneapolis, Mr. Schneier is something of a contrarian. He saves what hair he has left for a ponytail. He sued the Transportation Security Agency over its use of body scanners and exhorts audiences to opt out of security screenings—not because of radiation or because they are ineffective but because, as he says, it’s worth preserving the right to opt out.
He takes occasional potshots at security consultants, extols hackers, who he says look at things in “a certain sideways way,” and advocates for the right to be anonymous online in certain circumstances.
Stewart Baker, who has also written about cryptography, served as the National Security Agency’s chief lawyer, and debated Mr. Schneier on occasion, sees an inherent conflict among some of Mr. Schneier’s ideals. Mr. Baker argues that you can’t insist on anonymity and simultaneously expect to enforce a system of trust.
“His individual response to rules is to celebrate rule-breakers and to see value in transgression and to discount the value of authority,” Mr. Baker says of Mr. Schneier. “His personal sensibility is to run with outlaws, but when he looks at society he realizes we can’t all run with the outlaws.”
At the bar, I asked Mr. Schneier what kept him up at night. His answers surprised me. He is more worried about the international cyberarms race than about outright cyberwar . He’s also concerned about cybercrime. But his greatest fear is ubiquitous surveillance: license-plate readers, sensors, geolocation tracking and so on.
He is troubled, too, by the Internet’s refusal to let our memories fade. He predicts a presidential race in the near future in which a candidate’s bad junior high school poetry will be resurrected as a political weapon.
“You should be mindful,” he warned, “that the Internet never forgets.”