Fixing the Surveillance-Industrial Complex
A couple of weeks ago, I mentioned that I was reading Bruce Schneier's new book, Data and Goliath, just published by Norton. The subtitle (which, as is the custom these days, is more or less an elevator pitch for the book) provides a hint of what's inside: The Hidden Battles to Collect Your Data and Control Your World. What's missing from this descriptive subtitle is the best part: And Here's How We Can Fix It. Because unlike a lot of books that focus on big scary issues, this one has lots of concrete recommendations and encouragement to think that we can actually make change happen.
This is, above all, a refreshingly rational book. The subject matter is frightening, but Schneier doesn't use our anxiety to dramatize the importance of his subject or to threaten us with doom if we fail to take his advice. His narrative voice is straightforward and patient, explaining complicated things about technology in terms that anyone can grasp, laying out what is at stake and what we can do to improve the situation without resorting to emotional appeals. Here's a sample of his calm, almost deadpan delivery.
The big question is this: how do we design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually? Or, to use a term from game theory, how do we find a "Nash equilibrium" for data collection: a balance that creates an optimal overall outcome, even while forgoing optimization of any single facet?
This is it: this is the fundamental issue of the information age. We can solve it, but it will require careful thinking about the specific issues and moral analysis of how the different solutions affect our core values.
He's not angry; he's not alarmist. He's utterly reasonable. He urges us to take on the work of solving these issues because right now governments and corporations are taking charge and their interests are not always the same as ours. Ultimately, he puts the responsibility on us as citizens who can fight back – and he has faith that we can strike a better balance between the benefits of using data and the need for privacy.
This faith in ordinary people is enormously valuable. In many ways, those who exploit our data depend upon us believing there is no alternative, that as individuals resistance is futile, that we can't really do anything about the non-stop intrusive surveillance that is a feature of our everyday lives. Schneier thinks we can turn things around and so devotes a third of the book to solutions, which I'll try to recap here.
First, he spells out principles. We can have security and privacy at the same time, contrary to common rhetoric. Security and surveillance are "conflicting design requirements" and weakening security of our systems to enable surveillance puts us all at risk. Transparency, independent oversight, and accountability are all necessary for society to function (and are all lacking in our surveillance regime). Resilient design will help us overcome imperfections in both technological and human systems. And finally, we need to think about our communications infrastructure as a global system, because when we drill holes in it so we can spy on our enemies (and our citizens), we make ourselves more vulnerable.
The government, he suggests, should target more narrowly, accept more oversight, be more transparent, protect whistleblowers who provide a service to us all, stop building trapdoors into software to enable spying, and fix vulnerabilities. Currently, the government discovers and hoards problems that make software vulnerable to attack, sometimes even buying vulnerabilities from hackers, stockpiling them in case we can find an opportunity to exploit them. Of course, every other country does this, too. Schneier argues we could restore trust in US technology and repair weaknesses in systems we rely on, perhaps more than any other country. He also has several recommendations for reorganizing government agencies that currently have competing or conflicting interests, argues that we should resist a "cyber sovereignty movement" (an attempt to build national internet infrastructures in part as a response to US dominance but also to secure control of citizens), and preserve a public commons: "We need places on the Internet that are not controlled by private parties – places to speak, places to protest . . . commons are vital to society. We should deliberately work to ensure we always have them in cyberspace." Yes, indeed.
Corporations also need to make changes which will probably require legislative and rulemaking action, which will in turn require public demand for such action. Corporations should be responsible for privacy breaches (because currently the cost falls on those whose data has been exposed, not on companies with sloppy security), data collection and use should be regulated, less data should be collected and it should be kept for a shorter period of time. People should have a right to their own data and know what data is being collected without parsing the fine print of a 55-page terms of service agreement - and have the right to opt out. Schneier also has the intriguing idea of establishing "information fiduciaries" – the opportunity for organizations to join a class of companies that have a "duty of care" to protect personal information that would make trust part of their brand. We also need to develop new business models that don't depend on monetizing personal information (one area in which he's short on specifics). Companies will need to compete for consumer trust which has been badly shaken as the link between corporate and government dragnet surveillance has surfaced. He endorses Tim Berners-Lee's notion of a new Magna Carta as well as Rebecca MacKinnon's idea of "the consent of the networked," an agreement that establishes the rights of people and limits the power of "digital sovereigns."
He closes with idea for "the rest of us" – encouragement to fight the good fight, resist surveillance, sort out the valuable uses of data from the unnecessarily intrusive, and demand change, understanding it will come slowly. We need to "recalibrate our fear" and our sensitivity toward the necessity of privacy. To a large extent, this is a new problem. We've never before seen the enormous amount of data generated through our digital interactions. We need to establish new social contracts that give people greater control over how it is collected and used.
In keeping with his unemotional, common-sense approach, Schneier acknowledges that this won't be easy, but he thinks we're beginning to see a worldwide movement emerge. He encourages us all to be part of it. Given the scale of the problem and the ubiquity of mass surveillance, I appreciate his clear explanation of what's going on, why it matters, and especially his conviction that we have the power to do something about it.