Review: Data and Goliath by Bruce Schneier
Bruce Schneier, Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World. New York, NY: W.W. Norton., 2015. Pp. 400. £ 17.99, ISBN: 978-0-393-24481-6.
If you’re not familiar with the Information Security community in the IT industry, it’s worth knowing that Bruce Schneier has earned the reputation of a prophet, sage and action hero combined. As a renowned cryptologist and technologist, Schneier has been a leading critic of the US government’s attempts to limit the global spread of encryption and recently of the NSA’s ‘bulk collection’ program of communication records of US citizens, following the disclosures by Edward Snowden in 2013. Data and Goliath, his latest book, addresses the challenge posed to privacy and individual liberty posed by both government ‘mass surveillance’ and the exponential amounts of personal information collected by the private sector for profit.
One of the strongest insights to come from Data and Goliath is the symbiotic relationship between the commercial data gathering on users from private businesses and the arms of government security. Some of the more hysterical attacks on government surveillance perpetrated by crypto-anarchist campaigners like Julian Assange and Jacob Appelbaum have suggested that the Snowden revelations are evidence of the US government as an all-powerful police state with no physical or legal restrictions on its capability to reach into the lives of every person utilising digital communications around the world. Schneier suggests that many governments actually depend on private companies for data on their customers they gather for their own benefit in any case, and then either pay them for the privilege of collecting it or require it in return for market access. For example, telecommunications provider Vodafone provides approximately 29 countries direct access to internet traffic passing through their borders. In return, private companies are paying for more access to government records on citizens, such as drivers license data or anonymised health records, to enhance their own services. One of the results of the digital communication era has been the commodification of personal data, both as a means of national security and for private profit.
The crucial point of contention is whether the collection of customer data, often referred to as ‘metadata,’ constitutes “mass surveillance”. One of the problems of establishing the nature of surveillance is the many different forms of metadata, which can vary considerably in the amount they tell you about the life of the individual. Schneier gives the example of telephony metadata, better known as call records. These do not give the collector the content of the call but instead the number dialed, the date of the call and the length of the call. A Stanford University study quoted by Schneier was able to establish considerable detail about the private lives of the anonymous participants from their call records alone, such as whether they were planning an abortion or growing marijuana in their own home. CIA director Michael Hayden, who is quoted in the book, is unequivocal about its value to US security; “we kill people based on metadata.”
However, this definition of metadata varies from jurisdiction to jurisdiction; while in the US, the terms used in Google searches are treated by the NSA as metadata, in the UK they are treated under surveillance laws as ‘content’ which requires a warrant from the Home Secretary to access. The changing nature of many online services also masks them from government bulk collection. For example, if the UK government was monitoring your Facebook activity on a passive bulk collection basis, rather than actively spying on you, in theory they would only be able to see that your IP address logged on to Facebook’s online website. Without a warrant, they would not be able to see your friends list, any messages you made within your Facebook network or which group pages you visited. Facebook, on the other hand, would have full access to your personal data, which they can utilise to sell advertising to you and would be obliged to hand over were they issued with a warrant. Messages from users outside the UK to users in the UK could qualify for bulk collection, but only if they were deemed ‘necessary and proportionate’ under surveillance laws. Other jurisdictions such as Russia and China make no such nice distinctions and seek the ‘full take’ of a user’s internet activity, legalistic niceties be damned.
This results in a confusing picture, particularly as the proportion of metadata collected and analysed by governments remains to be national secrets. The recent backlash against bulk collection of telephony metadata in the US has resulted in the fall of the Patriot Act, of one of the pillars of the post 9/11 national security state. Bruce Schneier’s book is an excellent contribution to the debate over internet surveillance and is an ideal education as to how the processes of personal data collection work. However, it is clear that this debate is far from over and that ultimately users will have to come to terms with how much of their personal lives they are willing to disclose to others.