Data and Goliath: Confronting the Surveillance Society

Within a remarkably short period of time—less than two decades—all of us have become immersed in a sea of electronic data collection. Our purchases, communications, Internet searches, and even our movements all generate collectible traces that can be recorded, packaged, and sold or exploited.

Before we have had a chance to collectively think about what this phenomenal growth in data production and collection means, and to decide what to do about it, it threatens to become an irreversible feature of our lives.

In his new book Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World (Norton, 2015), author and security technologist Bruce Schneier aims to forestall that outcome, and to help recover the possibility of personal privacy before it is lost or forgotten.

"Privacy is not a luxury that we can only afford in times of safety," he writes. "Instead, it's a value to be preserved. It's essential for liberty, autonomy, and human dignity."

Schneier describes the explosion of personal data and the ways that such data are harvested by governments and corporations. Somewhat provocatively, he refers to all types of personal data collection as "surveillance," whether the information is gathered for law enforcement or intelligence purposes, acquired for commercial use, or recorded for no particular reason at all. Under this sweeping definition, the National Security Agency and the FBI perform surveillance, but so do Google, Sears, and the local liquor store.

"Being stripped of privacy is fundamentally dehumanizing, and it makes no difference whether the surveillance is conducted by an undercover policeman following us around or by a computer algorithm tracking our every move," he writes (p. 7). Others would argue that it makes all the difference in the world, and that while one never wants to be followed by an undercover policeman, a computer algorithm that helps us drive a car to our destination might be quite welcome. Schneier, of course, knows about the benefits of such applications and acknowledges them later in the book.

Having gained access to classified NSA documents that were leaked by Edward Snowden and having aided reporters in interpreting them, the author is particularly exercised by the practice of bulk collection or, the term he prefers, mass surveillance.

"More than just being ineffective, the NSA's surveillance efforts have actually made us less secure," he says. Indeed, the Privacy and Civil Liberties Oversight Board found the "Section 215" program for bulk collection of telephone metadata to be nearly useless, as well as likely illegal and problematic in other ways. But by contrast, it also reported that the "Section 702" collection program had made a valuable contribution to security. Schneier does not engage on this point.

Aside from the inherent violations of privacy, Schneier condemns the NSA practice of stockpiling—instead of repairing—computer software vulnerabilities and government strong-arming of Internet firms to compel them to surrender customer data.

His arguments are fleshed out in sufficient detail that readers will naturally find points to question or to disagree with. "For example," he writes, "the NSA targets people who search for information on popular Internet privacy and anonymity tools" (p. 38). It's not clear what "NSA targeting" means in this context. Many people conduct such information searches with no discernible consequences. In any case, Schneier positively encourages readers to seek out and adopt privacy enhancing technologies.

"Surveillance is a tactic of intimidation," Schneier writes, and "in the US, we already see the beginnings of [a] chilling effect" (pp. 95-96). But this seems overwrought. One may curse the NSA, file a lawsuit against it, advocate reductions in the Agency's budget, or publish its Top Secret records online all without fear of reprisal. Lots of people have done so without being intimidated. (Agency employees who defy their management are in a more difficult position.) If there is a chilling effect associated with NSA surveillance, it doesn't appear to originate in the NSA.

What is true is that surveillance shapes our awareness and that it can alter our conduct in obvious or profound ways. Many people will slow down when driving past a police car or a traffic surveillance camera. Almost all will modify their speech or their behavior depending on who is listening or watching. The book is particularly good at exploring the ramifications of such surveillance-induced changes in the way we behave and interact, and the risks they pose to an open society.

In the latter portions of the book, Schneier presents an action agenda for curbing inappropriate surveillance including steps that can be taken by government, by corporations, and by concerned members of the public. The proposals are principled and thoughtful, though he admits not all are readily achievable.

Schneier's core objective is to preserve, or to restore, a domain of personal privacy that is impervious to unwanted intrusion or monitoring.

He acknowledges the necessity of surveillance for valid law enforcement and intelligence purposes. Among other things, he calls for the development of privacy-respectful innovations in these areas of security policy.

"If we can provide law enforcement people with new ways to investigate crime, they'll stop demanding that security be subverted for their benefit." Similarly, "If we can give governments new ways to collect data on hostile nations, terrorist groups, and global criminal elements, they'll have less need to go to the extreme measures I've detailed in this book…. If we want organizations like the NSA to protect our privacy, we're going to have to give them new ways to perform their intelligence jobs."

Along these lines, a 2009 study performed for the Office of the Director of National Intelligence that was released last month raised the somewhat fanciful possibility of "crowdsourcing intelligence":

"The intelligence community has a unique opportunity to engage the public to help filter and solve a multitude of difficult tasks…. For example, consider a citizen-driven Presidential Daily Brief and its potential to enable truly democratic communication to the highest levels in the United States." See Mixed Reality: Geolocation & Portable Hand-Held Communication Devices, ODNI Summer Hard Problem (SHARP) Program, 2009.

Anyway, for many people the erosion of personal privacy has arrived abruptly and overwhelmingly. They might reasonably conclude that the changes they've experienced are beyond their ability to control or influence. Schneier insists that that is not necessarily the case—but that the future of privacy depends on how much the public cares about it. This challenging book explains why privacy matters, how it is threatened, and what one can do to defend it.

"In the end, we'll get the privacy we as a society demand and not a bit more," he concludes.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.