Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Review)
“We may not like to admit it, but we are under mass surveillance.” So says Bruce Schneier in Data and Goliath, a book written for a popular audience. Schneier is a well-known writer in cryptography, and more recently a public figure in discussions of computer and network security.
The first fifth of Data and Goliath establishes his thesis: we are entering a world of ubiquitous surveillance, by both governments and businesses. He presents numerous anecdotes and stories, many from the Snowden documents (where we learned of the many forms of electronic data collection used by the NSA) and others from the popular press (e.g., the family that found out about their daughter’s pregnancy by the targeted advertising she was receiving). The second fifth explains what is at stake: limits to our freedom of expression (for fear of being attacked with our own secrets), chilling effects on expressions of dissent, discrimination in commercial dealings, as well as a host of abuses. For example, the backdoor built by Ericsson into Vodafone products to support legal wiretaps was abused by unknown third parties in 2004 and 2005 to wiretap members of the Greek government. But surveillance is not all bad: the phone company needs to monitor the location of your mobile phone to direct calls to you.
The next fifth of the book gives Schneier’s ideas for how to fight back. He starts by presenting some principles: we are more secure if we have less surveillance, and security is more important than surveillance. If we design systems that support surveillance by appropriate authorities, those systems will also be vulnerable to attack by others. It is better to build systems that are secure for all users. When surveillance is necessary (e.g., for mobile phones), it should be minimal. There is no need to retain records of your mobile phone location, and so companies should not normally do that. (Targeted surveillance in response to a judicial warrant should allow these records to be kept.) Another principle is transparency: individuals should know what is being collected about them, and how it is used. Related to this is that we need oversight and accountability: are we establishing the right rules to allow appropriate surveillance, and are they being followed? The contradiction between privacy for individuals and openness for governments and corporations is explicit (and led to the title Data and Goliath). The institutional Goliaths have so much more power than individuals that this counterbalance is needed.
The presentation of principles is followed by prescriptions for improvements. Governments should follow the “International Principles on the Application of Human Rights to Communications Surveillance” (listed on necessaryandproportionate.org). Government agencies like the NSA should help companies to fix vulnerabilities in software and hardware, not introduce new ones. (In fact, the author suggests that the NSA should be split into two agencies, one involved in targeted espionage, and the other in promotion of communications and network security.) Corporations should follow the OECD’s Privacy Framework (from 1980), and should be liable for costs when there is a privacy breach. They should also fight when governments aim to access their data. Individuals should take political action to promote privacy, and private action to avoid being tracked.
The final two fifths of the book is filled with references. I reviewed a preprint of the electronic version of the book where the references were not well integrated with the text and navigation was difficult, but I was told the final version would be better.
I came to the book having read many of Schneier’s essays on his blog (“Schneier on Security” at https://www.schneier.com/). Many of the anecdotes in the first two parts had been reported there, and I had heard of them—but often had forgotten the details or never seen them, so I learned a (depressing!) lot. I don’t really like Schneier’s writing style—too many lists of anecdotes—but his content is informative. I think the third part of the book is the best, with specific, reasoned proposals. I encourage others to read this book.
TABLE OF CONTENTS
PART ONE: The World We’re Creating
1. Data as a By-product of Computing
2. Data as Surveillance
3. Analyzing Our Data
4. The Business of Surveillance
5. Government Surveillance and Control
6. Consolidation of Institutional Control
PART TWO: What’s at Stake
7. Political Liberty and Justice
8. Commercial Fairness and Equality
9. Business Competitiveness
PART THREE: What to Do About It
13. Solutions for Government
14. Solutions for Corporations
15. Solutions for the Rest of Us
16. Social Norms and the Big Data Trade-off