Five More Questions: Privacy Expert Bruce Schneier Sees Outdated Data Laws Benefiting Feds, Businesses
Editor's note: Five More Questions is an occasional series by Brian Lambert that follows up on people who recently made news.
Bruce Schneier has carved out an interesting niche for himself.
The southwest Minneapolis resident has become one, if not the best-known, of credible voices on the topics of privacy and security, personal and otherwise. His thinking on matters from Edward Snowden and the NSA to the nexus of government and corporate data-mining has made him a regular presence on The Atlantic, Forbes, Foreign Policy, Bloomberg and Guardian websites.
It also earned him a nod in the current issue of Wired magazine as one of the 101 essential "signals" (as opposed to "noise") to follow on the Internet. He will also soon begin a fellowship at Harvard.
A conversation with Schneier, an intense yet accommodating 50 year-old, has the potential to spiral into facets of cyber-snooping you barely knew existed, much less had considered an active presence in our lives.
Attempting to leave the Snowden-NSA controversy aside for a moment, my mission was to draw Schneier out on the (more?) pervasive and burgeoning practice of commercial, for-profit data-mining and analytics of ostensibly private, personal information.
Put another way, what is more pernicious — what Visa knows about us and how it trades that information, or some spooky government entity?
To find out, we asked him five more questions about what he's seeing:
1. You've written several times recently about the interaction between the government and these very large data-acquiring companies, such as Facebook, Google, Visa and so on. At this moment, how do you best describe the relationship of government to these corporations? Is it "coercive" or "complicit"?
Bruce Schneier: It's really a confluence of interests. The business model of the Internet is surveillance. That's how Facebook makes money. That's how Google makes money. Data is collected by corporations as a byproduct of what they do. Phone companies do it. The credit card companies do it. The banks do it. And the government also wants this data.
So what we're seeing is where the NSA can't collect this data themselves, they just ask for it from corporations. Sometime the corporations give it willingly. Sometimes they resist and have to be forced. On the other hand, we are seeing corporations use government to protect their interests. So they lobby for decreased privacy laws, for no laws to restrict what they can do with this data.
So it really is a happy confluence of interests, and both parties are benefiting. Each party is using the other to benefit.
But to your question, my guess is the government starts by asking nicely, and some companies are happy to go along with it. Some are not. We know that Google has fought some. We know Yahoo has fought some. We know InternetArchive has fought some. LavaBit is in the process of fighting. We read about companies that don't want to cooperate but believe that if they get the legal letters, it'll be worse. So that's a coercive relationship.
I've argued the corporations should fight this if for no other reason that corporations need to be trusted. They need us to give them our data. Our photos. Our friends lists. Our e-mails. Our posts. And if they look like they are betraying us, they are going to lose that trust. There are serious costs to complying. So by fighting, they at least get plausible deniability.
That's probably the best we can hope for right now, until we change the government half of this.
2. To play the Incurable Skeptic card here, even if there were legislative action prohibiting the government from engaging in the practices we see with the NSA and prohibiting companies from trading in our private information without our explicit permission, based on what you know about the size and sophistication of these operations, would you trust that it had actually stopped?
Schneier: This is the web of mistrust that we've built, and I wrote an essay on this. When you're at a point where everybody's lying to you; when the NSA lies to Congress, when Obama lies to the country, when corporations lie to their users and customers, how do you know there has been change?
But we know how to do it. You come clean. And if you ask how we verify that, I say, "We probably can't." You have to trust. But it has worked in the past. In the '70s, we had NSA overreach, we had Project Shamrock. Then we had the Church Commission, and things did get better for a few decades. Then it got worse again.
It'll be the same mechanism here. It'll be transparency, oversight and accountability. And this means corporations have to be so transparent that we believe they're not hiding anything. And you have to have actual oversight. You have to have a FISA [Foreign Intelligence Surveillance Act] court that is real and public, and there must be accountability when someone lies.
Is this fanciful? I don't know. Trust is inherently a social contract. But I'm heartened that this at least hasn't broken apart along party lines, and we are seeing a surprising outpouring of public outrage about this. This is not a debate that is going to go away.
3. Especially if we have a steady, credible flow of new information about these programs?
Schneier: Exactly. [Guardian reporter Glenn] Greenwald is not an idiot. He's doing this smart. He's doing this slow, so that the stories matter, not just the personalities. So I do think we have the possibility of change. There's no question there will be this huge array of power on behalf of "no change."
You have military power, which is considerable. You have the Department of Justice power, which is considerable. And you have corporate power, which is considerable. But there are cracks there. As I say, you have corporations saying to the government, "Let us be more transparent. Let us tell our customers how we have betrayed them."
4. Can you imagine a technological situation where it would be possible for the average citizen to easily access all the known information about him or her and see who has had possession of it and how it has been traded?
Schneier: It's likely to be more legal than technical. Look at Europe, where the movement of personal data is more restricted. In the United States, it's a free-for-all. If a company collects personal data about you, they can use it. They can sell it. They do whatever the hell they want. In Europe, it is not like that. Data tends to be restricted to the purpose for which it was collected. Secondary uses are much more restricted.
Google is actually pretty good about letting you see what interests they've tagged you on, for the purpose of feeding you ads. Facebook is much less transparent. But it is reasonable to be able to see your FBI file, your NSA data. These are not difficult things.
The corporate side, though, is much more difficult. You being able to see your raw data is much easier than being able to see your processed data, because companies will see that as their proprietary information. For example, you can see your credit report, but you cannot see how that score is calculated. Because that is their secret sauce.
5. In terms of legislative action, is there a fundamental constitutional argument to be made that all information related to the private citizen is first and foremost the property of that individual, and maybe that anyone who wants to acquire it and trade it must obtain permission and pay that individual for its use?
Schneier: I think you can make that argument. The law is that when you work with a company, you both own that information. I use Gmail for my mail, so it's my email. But Google also owns it, because it's on their servers. I think it's fundamentally flawed. It made some sense 50 years ago. But today, when everything we do is intermediated by computers, computers that are owned by somebody else, it doesn't make sense to say that when you put your photos up on Flickr that Flickr has some rights to them.
When we eventually solve this, and I think we eventually will, we're going to look back on this time and say, "What were we thinking? That made no sense." And it doesn't.
We live in an age where the law has not kept pace with technology and both government and corporations are taking advantage of all the legal loopholes that exist.
The Privacy Act and computer privacy laws were written, in most cases, before the Internet, and certainly before the modern Internet. And it is in the interests of these powers that the laws remain antiquated.