Surveillance, Bulk Data Collection and Intelligence: an Interview with Bruce Schneier
Bruce Schneier is an internationally renowned security technologist and the author of 13 books—including 'Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World'—as well as hundreds of articles, essays, and academic papers. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient Systems, Inc. You can follow him on Twitter @schneierblog
Christy Quinn: As of Tuesday, President Obama has just signed the USA Freedom Act into law, banning the NSA's bulk collection of telephony metadata. Do you think this marks the acceptance amongst security officials and policymakers in the US that there need to be limits to metadata collection?
Bruce Schneier: It's certainly a watershed moment, because it's the first time the US government has placed limitations on the NSA's metadata collection. The limitations are minimal, and won't have much actual effect on the surveillance of Americans by the NSA. But symbolically, it's huge. The question now is whether the members of Congress will pat themselves on the back for a job well done, or actually take the next steps and examine the vast array of domestic government surveillance programs.
The British Security Services have made the argument that they are struggling to cope with the growth in internet metadata produced by UK citizens and they need greater powers of mandated metadata collection to maintain their current surveillance capabilities. Do you think there is any value in this position?
I'm not sure it even makes sense. If an organization is struggling to cope with all the metadata it gets from its surveillance operations, how does giving it the ability to collect even more metadata make its job easier? How does giving it more surveillance data mean that it maintains the current surveillance levels? The governments of both the US and the UK make all sorts of claims about their surveillance capabilities and what they need, but they never back those claims up with any real data. The extreme secrecy surrounding these capabilities precludes substantive policy debates, but the extreme danger in allowing governments to conduct massive surveillance operations means that we must have those debates.
What is your response to the view that bulk collection by security services does not constitute mass surveillance, as no one is actively looking at all the collected data and it is only examined selectively?
It's a nonsense argument, and we all know it. Surveillance occurs when our actions are recorded, not when they're examined. "We're going to install a camera in your bedroom and record everything, but it's not surveillance because we won't look at the footage unless we want to." "Yes, your cell phone will keep a constant record of your location, but it's not surveillance, because we won't access the information unless we think you're doing something wrong." These statements make no sense, because we know that once the data is collected and saved, it could be examined; therefore, we have to act as though it will be examined.
In 'Data and Goliath' you recommend measures to your readers of how to avoid their metadata being collected, such as using anonymisation services like Tor. Do you think there is a public interest in people maintaining their privacy, or that it should be a matter of choice how much personal information you provide?
It's a little of both. Privacy should be treated as a right, and not solely as a commodity that can be sold or bartered.
Do you believe there should be limits to encryption, just as there are limits to privacy?
The two are very different. Encryption is a technology; privacy is a human value. We trade off human values with each other all the time; that's what many of our political debates are about. That has nothing to do with the current debate about limiting the strength of encryption. The debate is about whether we want to all be insecure from criminals, foreign governments, and everyone else because the police find that insecurity useful; or whether we should make our systems as secure as possible from all attackers, even though that inconveniences the police.
Do you agree with former GCHQ Director and Professor Sir David Omand that encryption could lead to 'ethically worse behaviour' by intelligence agencies by forcing them to compromise privacy in more intrusive ways?
It's hard to imagine those words coming from a legitimate government agency; the only thing GCHQ is "forced" to do is follow the law. To threaten people in this manner is loathsome, and illustrates the extent to which these intelligence agencies consider themselves above the law. Encryption makes everyone more secure. And if that security means that GCHQ has a harder job, that's okay.