Book Review: Data and Goliath, by Bruce Schneier

This book has been difficult to review. It has proved tricky not because I didn't enjoy the book or because it was boring or badly written, but because it was so pertinent. Every time I went to write about it, a news story would emerge referencing the subject and I would find that my opinions of the news were influenced by the book and my opinions of the book were influenced by the news. This is an important topic and everyone should make up their own minds based on a decent knowledge and understanding of the issues. This book provides an excellent basis for a discriminating reader to do just that (as such, you should probably stop reading this review and just buy the book!).

Data and Goliath is a large book divided into four parts, the last of which consists of notes and an index of the entire book. In fact, the notes take up one third of the book and I'd go as far as to say that the notes alone are worth the sticker price ($27.95 USD). I am going to have to go back into student mode and read the book again, delving into the notes to further grok the subject.

In the introduction, the author states that the book is primarily about the US and that it takes a mainly US-centric view of the issues. However, the other Five Eyes countries and the European Union also feature heavily. The issues discussed are global — intentionally or not, the US, Five Eyes countries and Europe are more open about them, but the principles are still valid for the rest of the world. With the treasure trove of the NSA leaks now in the public domain (Schneier reviewed some of them before they were published), data collection, at least by the NSA, is in the news.

Part one of the book describes the known (at the time of writing) state of surveillance. Questions such as: 'What data?', 'How is it used?', 'How much?', 'Who uses it?', 'What governments collect?' and 'What corporations collect?' are posed and answered. This section of the book is fact-based, whereas the other two, though fact-heavy, are more opinion-based.

Part two of the book discusses the potential harm of data collection and the differences between the potential harm caused by government collection and that caused by corporate collection. Part three of the book looks at what can be done at governmental, corporate and individual levels. Sub-headings in this part include: 'Less secrecy, more transparency', 'More — and better — oversight', 'Regulate data use' and 'Agitate for political change' — indicating that we may need a whole gamut of solutions, but the last will be the most effective. We got into this scenario with the technical elite giving the issues full consideration. Open discussion on the harms, potential or otherwise, needs to take place.

The Pandora's box of data collection has been opened. It may be that 'hope' can be found, but we will need knowledge of the (ab?)use to find that hope. This book has made me think about data collection, and for such a book to have made me think is high praise indeed.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.