Wanted: Slingshots

Bruce Schneier has built a career explaining the principles of security in plain English, helping the uninitiated to think clearly and critically about managing risk, and exposing the nonsense peddled by government spokesmen and high-tech hucksters. He is at once a great popularizer and a great debunker.

Schneier's new book, Data and Goliath, examines the prevalence, mechanisms, uses, and dangers of mass surveillance.

This book scared the hell out of me.

That doesn't happen very often. Having spent 20 years writing about political repression, police brutality, counterinsurgency, and torture, I've come to expect the worst as a matter of habit. Schneier's book, however, shows that the present state of mass surveillance—its scale, intrusiveness, and implications—surpasses what I could have imagined. It was not the big stuff, like the National Security Agency's goal of total global omniscience (epitomized in the slogan 'Collect it all'), but the smaller details that gave me chills. 'It's less Big Brother,' Schneier writes, 'and more hundreds of tattletale little brothers.'

Three quotations may help show what I'm talking about:

1) 'Through a program called Isolation Control and Tracking, the U.S. Postal Service photographs the exterior, front and back, of every piece of mail sent in the U.S.'

2) 'Even though I never post or friend anyone on Facebook… Facebook tracks me. It maintains a profile of non-Facebook uses in its database. It tracks me whenever I visit a page with a Facebook ‘Like' button. It can probably make good guesses about who my friends are based on tagged photos, and it may well have the profile linked to other information it has purchased from various data brokers.'

3) 'Using public anonymous data from the 1990 census… 87% of the population in the United States… could likely be uniquely identified by their five-digit ZIP code combined with their gender and date of birth. For about half, just a city, town, or municipality name was sufficient…. Researchers have been able to identify people from their anonymous DNA by comparing the data with information from genealogy sites and other sources.'

What these and many similar developments mean for our society is this: Data is accumulated about each of us at an unprecedented scale, and the scale changes the significance of otherwise trivial information. The outside of an envelope, on its own, indicates nothing compromising, but if you examine every envelope, you could learn quite a lot about a person, or a society. You'd see who writes letters to whom and how often, who subscribes to which magazines, and who sends and receives packages—and bills. Now add in the same type of information—the 'metadata'—available from telephones (dialed numbers, duration of calls), GPS locators, email, Facebook, and on and on.

What troubles me most about the three examples I mentioned is that they show that there is no opting out, that the possibilities for anonymity are disappearing. As the surveillance architecture expands, low-tech exits are blocked. Previously opaque barriers become transparent, and those that cannot be seen through, such as those protecting anonymous social-science surveys, can simply be peeked around using other sources. Even if you don't have Facebook, Facebook has you.

The problem, as Schneier makes clear, is both technological and political. It requires, therefore, both technological and political solutions. Data and Goliath supplies three chapters' worth of recommendations, addressed to governments, corporations, and individuals. Though Schneier mentions some things you and I can do to protect ourselves in minor ways, most of his recommendations concern matters of law and public or corporate policy. That is strange, for several reasons. First, an otherwise provocative and insightful book suddenly becomes a techno-wonky White Paper, only to inform us that the recommendations it makes are politically 'unrealistic,' perhaps at present impossible. 'I'm not living in a country where the majority of people want these changes,' Schneier admits, 'let alone a country where the will of the people easily translates into legislative action.'

Data and Goliath is itself is useful intervention against the first of these problems. It details both the scope and the significance of mass surveillance, and makes a persuasive case for the social, political, psychological, and moral importance of privacy. It may, in other words, help to generate some of the demand for change. But what can become of that demand? Given the second problem—the absence of real democracy—the answer is not promising. On the corporate side, of course, it is even worse. Schneier says repeatedly that 'surveillance is the business model of the Internet.' As long as there's money to be made and no effective public control, corporations are going to continue to spy—for advertisers, for governments, for Rupert Murdoch, for pornographers. Besides which, given that many of the examples Schneier cites violate laws already on the books (to say nothing of constitutional principles), it is not at all clear that better laws and policies are what we need.

The trouble is that Schneier harbors a strange naiveté about the American system. That prevents him from pushing his arguments through to their logical conclusions. He notes the dangers of China using mass surveillance to suppress dissent, but tacitly assumes that the U.S. is only interested in combating terrorism. He thus treats our mass surveillance as a kind of tactical mistake.

Sociologically, that is backwards. If you want to understand the purpose of some government program, rather than trust the pronouncements of politicians, it makes far more sense to look at the real consequences of its implementation. At present the US is investing billions of dollars in mass surveillance—the collection, storage, and analysis of huge quantities of personal information about every single one of us. That approach is, as Schneier rightly argues, practically useless for finding or stopping terrorists. But it serves quite well for political control. Schneier refuses to parrot government talking points about 'security,' but argues as if the politicians, generals, and bureaucrats believe their own press releases. In that sense, too, his proposed countermeasures are unrealistic. They can't be implemented, they wouldn't solve the problem if they were, and they don't correspond to the situation we are facing.

We cannot, unfortunately, solve the problem of surveillance without also confronting the relations of power within which it is embedded. That means radically changing, if not eliminating, the institutions involved—up to and including corporations and the state. (At moments, Schneier motions toward this sort of radicalism. He advocates, for example, treating the Internet as a commons. But why stop with the Internet?) Of course it is just such a shift in power that the coercive uses of surveillance are meant to prevent. The question then becomes: What possible changes are necessary to make the necessary changes possible? The answer may cause us to pursue reforms like those Schneier recommends, but it must also lead us to look beyond them.

Categories: Book Reviews, Data and Goliath, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.