Review: Choking on Digital Exhaust

Mass surveillance by governments and corporations is comparable to child labor or environmental pollution. That is the largely persuasive claim of security expert Bruce Schneier in his new book "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World." Resistance is not futile, Schneier thinks, although it will be tricky to fight overreaching securocrats and snooping online advertisers without giving up at least some of the genuine advantages of Big Data.

Much of the problem lies in excessive expectations about what mass surveillance can achieve, writes Schneier, who is chief technology officer at security firm Resilient Systems and a fellow at Harvard Law School's Berkman Center for Internet and Society. It might seem that the combination of huge amounts of collected data and sophisticated data-mining could have prevented the 9/11 attacks or the Boston Marathon bombing. But Schneier says this approach is both very expensive and downright ineffective.

Such attackers are different from consumers or even credit card fraudsters. Mining large data pools works for targeting ads online or detecting aberrant purchases. The inevitable error rates are acceptable in those spheres, and fraud is common enough to provide a clearly detectable signal amid the digital noise.

Would-be bombers and hijackers are far less common, and have less in common with each other. "There is no scientific rationale for believing that adding irrelevant data about innocent people makes it easier to find a terrorist attack, and lots of evidence that it does not," Schneier writes.

He criticizes intelligence chiefs and politicians who insist such programs are necessary. Schneier sees an irrationally exaggerated fear of attacks and a fear of blame for not having done enough if attacks occur. But indiscriminate scooping up of data, he says, amounts to watching everyone, which means seeing no one.

Indefinite retention of data is also a topic of great concern for Schneier, whether carried out by intelligence agencies or by corporations. It is too easy to abuse detailed and easily searchable records of average citizens' behavior—where they go, who they frequent, what they look at on the internet, what their political views are, how they spend their money.

Not all future governments may honor even the questionable protections in place now. Abuse by insiders at the U.S. National Security Agency, such as spying on people they know, is already common enough to have its own name—LOVEINT.

At the heart of "Data and Goliath" is the chilling effect on freedom of thought caused by knowing one is being watched, and of having no control over what is done with the information. As Schneier examined more fully in his "Liars & Outliers" in 2012, defectors—those who secede from the established order—are crucial to keeping societies free. In his new book, he says: "There is value in dissent. And, perversely, there can be value in lawbreaking."

Schneier focuses primarily on the United States because of the trove of information on its surveillance activities released by whistleblower Edward Snowden, a former NSA contractor. He also examines privacy issues in Europe, commending EU data protection laws as a possible model for America, and he warns against the repressive nature of Chinese and Russian surveillance activities against their own populations.

If the threat is great, why is there so little popular indignation? To start, Schneier recognizes that powerful businesses and government departments have vested interests in the status quo and so often fudge exactly what it is they are up to. Then there is the fear of terrorism, which terrorism itself seeks to generate. And there is also something like greed. Many people are smitten with free online services. They do not realize that they may eventually pay for providing their data to advertisers by having less freedom.

Schneier is undaunted. He ends his book with a rousing yet measured plan of action. It includes detailed recommendations for reining in spooks, regulating corporations and defending individual privacy, while maintaining effective vigilance against attack. It may take decades, but in half a century, he believes, people will look at the data practices of today as immoral, like child labor and company stores.

He calls opposing these practices "Snowden's legacy." The tone is somewhat utopian, but the book is a valuable reframing of the question—more useful than fear alone.
