Part 2: Bruce Schneier on the Hidden Battles to Collect Your Data and Control Your World
Part 2 of our discussion with Bruce Schneier about about the golden age of surveillance and his new book, “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.”
AMY GOODMAN: This is Democracy Now!, democracynow.org, The War and Peace Report. I’m Amy Goodman, with Juan González. Our guest is Bruce Schneier. He is a leading security technologist. He has a new book out, has just hit number six on the New York Times best-seller list; it’s called Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. He’s a fellow at Harvard’s Berkman Center for Internet and Society.
You’re sitting in Minneapolis, Bruce. We’re in New York. So, the way it works in an insert studio is you’re sitting in front of a very large camera, and you’re staring into the lens. That’s really interesting, because at least you know you’re being recorded right now. Can you take us through a day of an everyday person and talk about how, from the minute we wake up and before to the end, our lives are being documented?
BRUCE SCHNEIER: You know, I’ll probably miss some things. There are so many. When we wake up, we probably pick up our smartphone. But that smartphone knows where we are; otherwise, it couldn’t ring. Actually, that smartphone is a tracking device. It will track us throughout our day. It will know where we live, where we work, where we go. That phone will know who we talk to, either whether it’s calls or text messages. It’s also a computer. That computer is going track us, if we use the Internet.
There are lots and lots of web devices that are tracking us as we go about our day, what we read, what sites we visit, what we’re interested in. Google tracks us. Facebook tracks us. All those things track us. If we go out into our car, there are computers there that are tracking what we’re doing. Sometimes they’re connected to the manufacturer; sometimes they’re not. If we make payments, we use a credit card that records what we’re purchasing, who we are. All of the things we do involve computers. Think of the cameras. There might be thousands of security cameras we walk by. There are cameras collecting our license plate and putting that into a database. There are cameras collecting our face.
The way to think of it is, computers produce data, and every time we interact with a computer, data about that transaction is produced. That’s surveillance data about us. That data is increasingly saved, increasingly stored. And as we go about our day, we interact with thousands of computers. And that’s all surveillance data.
JUAN GONZÁLEZ: Well, in our earlier segment, you were talking about that it’s now more of a political and social problem in terms of being able to protect privacy. What are the kinds of—if you were to say the most important kind of law that would need to be passed to be able to get back some of our individual autonomy, what would that be?
BRUCE SCHNEIER: Yeah, it’s never one thing. The problem with privacy in data is there’s so many interconnected things. So we need protection for data collection, data use, data storage, data transfer—you know, buying and selling—and then data deletion. That’s the chain of our data, and we need protections in every place. So it’s not a matter of saying, “We’ll let them collect it, and we’ll regulate use,” because now what happens, you know, we saw, past year or so, all these great data breaches—Target Corporation, Home Depot, Anthem Health. All right, this is our data being stored by somebody else that’s stolen by criminals. So we need protections against collection. We need protections against use. And we need proof that we can look at our data, correct it if it’s wrong. It’s a whole slew of things that have to work together—you know, and technologies and laws. This is not a simple problem with a simple solution. Unfortunately, it makes it harder.
JUAN GONZÁLEZ: Well, there was a recent article, I think in The New York Times, about school systems now confronting the fact that as they are bringing in more private companies to provide online education and sources into their school systems, sometimes individual teachers are given the opportunity to bring in a particular software company and use it in their class, that these companies now are basically shredding the privacy rights of students, because they’re collecting data on how students are progressing, individual students on particular subject matter, and they now have a trove of data that they in turn can sell, but there’s basically very little protection of student rights now in this new information age.
BRUCE SCHNEIER: Yeah, there is some. There’s protections of students for their schools collecting data. It doesn’t really transfer well to third parties. That’s an enormous difference. And the student data collection isn’t different than the collection of you or I. If we go to a medical site, there are going to be advertisers watching what we look at. We’re going to have ads following us. And yes, that happens in the classroom, too. If you think about it, when we were students, we read our textbooks in book form. Now students are reading textbooks online. They’re reading them on their iPads. And the owner of those textbooks, the websites, know exactly what students are reading, how fast they’re reading, what they’re going back and re-reading, how they’re studying. This is powerful information, but it’s incredibly intimate. Right? Amazon knows that about the books you read. You know, if you download Fifty Shades of Grey, Amazon’s going to know which parts you read and re-read.
AMY GOODMAN: Bruce, can you talk about the whole controversy around Hillary Clinton’s email and put it into the context, the lens through which you see it, right? Her email, she did not use the State Department email system, that had actually a law just been passed. She would be the first secretary of state to have used it, but she didn’t. Now John Kerry is the first. The front page of The New York Times today is about New York state, and it says that Governor Cuomo had—has put into place a policy of automatically deleting state workers’ emails after 90 days, and now this is being stopped, because there’s been an uprising around this. But talk about what you found interesting about the controversy around her keeping it on her own email address with a server based at her home in Chappaqua, New York.
BRUCE SCHNEIER: So, I have two main things that interest me. The first one is I have a lot of sympathy for her, that government email systems tend to be antiquated, hard to use, and I know when I go into companies, I want to use my own email system. I have my system. I know it works. I don’t want to use the corporate email system because it’s annoying. And it’s just like anybody within a company: They want to get something done, they jump on Gmail, because it’s easy, because it works, because it bypasses sort of all of the problems in the institutions. And I don’t know if that’s what she’s thinking, but that’s what I would be thinking when I came in.
Second thing I’m interested in is: Who’s controlling the email? In the beginning, there was a little tension between Clinton and Obama. And possibly, Hillary Clinton recognized that she might not have friends in IT, and she wanted more control of her email. And again I have sympathy with that. On the other hand, government email is government records, and that needs to be preserved, and that needs to be collected by government, by the National Archives, for the people. And I want to make sure that happens, and I want to make sure her email is not deleted. So those are my two thoughts. I have sympathy for her position, because I also want control over my system, and I have a lot of sympathy for the position of, you know, “That’s government property. You shouldn’t be taking it home.”
AMY GOODMAN: I mean, that’s the—I mean, the fact of the matter is she is not Hillary Clinton, she’s the secretary of state. So, for all time, she will decide what record of history we have.
BRUCE SCHNEIER: Right, and that shouldn’t be. Right? It should be that history should be the raw data. We save it in—you know, maybe in—we protect it for 50, 100 years, and then it becomes history and all exposed. And I think we’re seeing that problem everywhere. It’s not just Hillary Clinton. It’s history in general. Right? Is everything going to be saved? What’s going to be deleted? What data will be preserved in old formats? And I do worry about history and data and whether history can read our stuff, whether we’re going to delete stuff, whether we’re going to save stuff, whether we’re going to save too much. I mean, there’s emails of mine I don’t think history needs, and I’m happy to delete. All that surveillance data I’m not sure is valuable. But, yes, when you are secretary of state, when you are the president, when you are a government official, the data you produce has value to the country and needs to be preserved. We need to make sure that happens, that government officials can’t scrub their record in an effort to decide how they are viewed by history.
JUAN GONZÁLEZ: And what—and this decision of Governor Cuomo to institute a 90-day deletion process whereby every employee would decide affirmatively which emails to preserve beyond a 90-day period?
BRUCE SCHNEIER: I mean, I don’t like that. But think of what’s going on here. Email is weird. It’s not correspondence, which we would obviously save. And it’s not conversation, which we would obviously delete. It’s somewhere in the middle. And I have had conversations on email that don’t deserve saving. And I’ve had official correspondence on email that I do need to save. And if you think about some of the big court cases that have involved emails, it’s very easy to pull a sentence here, a sentence there, out of context and make the emails say whatever you want. That’s because we can be very, very informal on email. We can just chat on email in a way that we don’t believe is preserved, is archival. So email occupies that middle ground. And you could easily see deciding either way, that it counts as correspondence or doesn’t count, it’s just conversation.
AMY GOODMAN: Bruce, can you talk about data being bought and sold?
BRUCE SCHNEIER: Well, in the United States, there’s not a lot of protection for our data, that data generated by us, collected by third parties. So, your cellphone company collects data of everybody you call, when you call. Your credit card company knows when you make purchases, where and how much. Google knows what you search on. All that data is collected by third parties, and those parties basically own that data. They have the right to buy it, to sell it, to use it however they like.
I don’t know if you remember, last year, Uber, the taxi company, used the data they had of people’s rides to figure out who’s going—who’s using Uber to go and have sex. They looked for rides happening in the evening to a place and rides happening the next morning away from that place. Right? They had searched their database for that. And they produced aggregate statistics of that—what cities were good for it, what neighborhoods, what days of the week. They thought it was all in good fun. They didn’t expose personal information. But they had that. They had the list of people who were using Uber in that way. They, if they wanted to—
AMY GOODMAN: Wait, how did know what places where they were going?
BRUCE SCHNEIER: —could sell it.
AMY GOODMAN: What places were they going?
BRUCE SCHNEIER: Uber collects the route. When you get a receipt from Uber, it includes a map of the route you took. So it knows exactly where you started and where you ended. It’s not like a taxi ride that happens when you pay cash. The data is there. The surveillance data is there.
AMY GOODMAN: So could that, for example—could that data be subpoenaed in a case, in a court case?
BRUCE SCHNEIER: The data could be subpoenaed. Uber could publish it because it was fun. Uber could decide, “We’re going to release the names of these people.” There’s nothing stopping them except that it would be really creepy, and they would probably get a lot of bad press for it. But legally, they have no obligations to keep that secret. And that’s the point. This data is owned by those third parties, who can sell it at will. And if they want to sell a database of people who use Uber to have sex to some company that wants to market some sort of product, it is within their rights to do that.
AMY GOODMAN: So, if you could, once again, tell us the simple ways—you may consider them so simple, as a security technologist, you wouldn’t even raise them, but for everyday people, people have no way to know how to protect themselves—the simple, maybe, steps you take in a day to protect your privacy?
BRUCE SCHNEIER: I mean, the simple things tend to be around the edges. So there are programs to secure email, to secure chats. There are encryption programs for voice. There are ways to protect the things we say to each other. Using cash is a way to protect ourselves. The problem is that a lot of the data is collected—it’s metadata. It’s collected by the systems we use. So being careful what you say on Facebook, not using Google search, if you’re worried. There’s a search engine called DuckDuckGo that doesn’t track you.
But, by and large, we are tracked because of what we do in our day, and it’s very hard to opt out. Not having a credit card, not having an email address, not being on Facebook is really dumb advice to give people. So what I want people to do is to observe surveillance and talk about surveillance, to make this a political issue. This really isn’t something we can install some tech and opt out of. It’s not that easy. We really have to make it that lawmakers care that we care. And that’s difficult. I mean, that is the hard solution that’s going to be the good solution.
AMY GOODMAN: Bruce Schneier, thanks so much for being with us, security technologist, author of the new New York Times best-seller, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.