Data and Goliath: The Hidden Battle to Collect Your Data and Control Your World (Review)
Reviewed by Annie Millar1
Summary: Data and Goliath:The Hidden Battles to Collect Your Data and Control Your World describes a world in which surveillance has become a part of our everyday life, a world we are currently living in. Schneier describes what we know as a result of Edward Snowden and his disclosure of confidential NSA information. He outlines three main concepts: the surveillance society we live in, the harms that arise from mass surveillance, and what we need to do to protect ourselves. This book review will focus on one of the two major surveillance parties in the world, the government.
About the Author: Bruce Schneier has a background in science and technology, writing specifically on how security technology affects people around the world. It is important to note that Schneier is not anti-technology, but rather believes it necessary to keep the public informed on the rise of surveillance and the risks it may pose.
It is important to note at the outset that “the [United States] serves as a singular example of how things went wrong, and is in a singular position to change things for the better.”2 The United States is in a position to change surveillance in both a social and legal context. As it currently stands, the world is now a surveillance society; a society that is blindly accepting. The question then becomes how to fight back.
Imagine a world where technology becomes more than a luxury; it becomes essential to live. Although it seems like science fiction, it may be closer than expected. A riveting Netflix series, Black Mirror, makes this technological reality seem a bit too close for comfort. Black Mirror depicts a future where social media controls how people act, computer technology that controls who and what people see, and memory storage that makes it possible to replay events of the past repeatedly. Although it may seem far-fetched, this is essentially how metadata surveillance works. A massive amount of information is stored, accessible when necessary, or even desired. Although automatic playback may not currently be at our disposal, it may be closer than anticipated. It may be appealing to be able to retrieve and play back memories at any time, but memories are in the past for a reason. They are depressing, scary, or even criminal. Keeping this in mind, understanding the surveillance society of today is essential.
There are three main concepts that Bruce Schneier addresses in Data and Goliath: the surveillance society, the potential harms arising from this surveillance, and what needs to be done for protection. The surveillance society has clear implications on the social structure, the legal structure, foreign relations, and trust of the government.
Since Edward Snowden, these issues have come to the forefront, and it is now time to address them.
The Surveillance Society
Before 2013, Americans knew nothing about the surveillance they were under.3 Without Edward Snowden, society would still be blind to this surveillance. Snowden was a contractor for the National Security Agency (NSA) who collected tens of thousands of documents that described the NSA’s extensive surveillance activities of both foreign countries and individuals within and outside the United States.4 These documents demonstrated that the NSA used at least three different programs to collect user metadata (emails, cell phone records, internet conversations) and eavesdrop for the United States government.5 As a result of releasing this information, Snowden is being sought by the United States government and has been forced to stay off the map.6 With his disclosures, United States citizens have gained an amazing tool that must now be utilized -knowledge.
Surveillance and Data Collection
Before getting into how exactly the surveillance society works, it is essential to understand what surveillance is. According to the United States military, surveillance is “systematic observation.”7 Surveillance is a tool the government has relied on for hundreds of years in order to tail and track suspect criminals, spy on foreign nationals, and keep tabs on enemies. But, with the Internet and metadata collection comes a new and different type of surveillance. In order to understand that surveillance, an understanding of the evolution of data is necessary.
In the world of surveillance, information is stored as data and metadata.8 Data is a way in which to store computer information, and metadata is a way to store that data.9 “One way to think about it is that data is content, and metadata is context.”10 While data are the messages and the content of those messages, metadata are the overall account information, such as who sends and receives messages, on what date, and at what time.11 In the early days, most data and metadata were not stored because it was expensive.12 Now, with decreasing costs for storage, it has become easier to save data than attempt to organize it all and decide what to delete.13
Some may wonder why it matters that the government and companies store this metadata, because it is simply times, dates, and general sender information. There are a few key concepts that should make users wary about metadata collection. First, individuals have no power to delete anything they do not want stored.14 Second, according to former NSA and Central Intelligence Agency (CIA) director Michael Hayden, “we kill people based on metadata.”15 Third, many would argue that privacy is a fundamental right that should not be infringed by governmental action.
How Personal Data Is Generated
Most people in the United States use computers, laptops, or tablets. Most walk around will a cell phone in their pocket all day long. As technology continues to grow, some even sport fitness trackers, attached to their wrist for sixteen hours a day. With all of that technology people generate data.
Computers are essential for communication in today’s day and age. Computers document what users do, what websites users visit, what advertisements users click, what words users type.16 Beyond the laptop or desktop, computers are making their way into all aspects of life, including kitchen appliances.17 “Even our pets and livestock are now regularly chipped: my cat is practically a computer that sleeps in the sun all day.”18 On top of all that collection, it is likely people carry a miniature computer with them everywhere they go—a cell phone. A cell phone constantly tracks location and all the information transmitted through that phone.19 From messages to phone calls, application usage to GPS tracking, a cell phone is constantly creating data.
With computers and cell phones a network is created, what can be viewed as a web. That web flows from communications with others.20 That web is built from shared documents, emails, and text messages. Those communications create connections. Connections between cell phones, connections between computers, and connections between people. Once that web is spun, there is no way out and the spider can crawl out and collect what has been stuck in the web. The spider in the web of security is the NSA.
These webs are created by something called “hop” searches.21 Hop searches work to further develop the connections created in the web by collecting metadata on one person, then everyone that person communicates with, then everyone they communicate with.22 The intent is to strengthen and map the connections in order to find information, such as conspiracies or connections between criminals.23 Once that metadata web is created, the NSA can conduct “about” searches.24 These searches allow the NSA to search a specific name or key phrase and generate communications where it may be mentioned.25 Finally, attempting to escape the web is likely to end in failure. The NSA targets people who search for information on popular privacy and anonymity tools.26
What is worse than the fact that this surveillance occurs? The fact that it is tolerated.27 People tolerate electronic surveillance more than they would allow in the physical world because it is not noticed.28 Often times people have no idea it is happening because “it just happens, quietly and constantly.29 It is an inevitable bargain people accept because of the value gained from it.30 It is both a matter of convenience and a lack of any real choice.31 If people refuse to accept the surveillance, they are essentially giving up computers, cellphones, online shopping, fitness trackers, television, and the use of credit cards.
This metadata web is kept and monitored by the NSA, acting as the main eavesdropping organization for the United States.32 Formed in 1952 by President Truman, the agency rose in importance during the Cold War.33 At that time the goal was to collect information on enemies of the United States.34 After the fall of communism, surveillance shifted.35 During the 1960’s and the 1970’s, the NSA and FBI spied on thousands of Americans for antiwar activism, civil rights leadership, and even involvement in nonviolent political groups.36 Then, in the late 1980’s and early 1990’s surveillance moved towards defending communications.37 Finally, after 9/11 surveillance shifted to the metadata web that encompasses everyone today; the one in which the NSA put the entire world under surveillance.38
After the NSA, the FBI is the next biggest surveillance body.39 Although the FBI generally has to jump through a few more hoops, they can perform surveillance with judicial oversight through the warrant process.40 Through the judicial process, the government uses National Security Letters (NSLs) to obtain information from third parties.41 This is known as the Third-party Doctrine.42 This doctrine came from a 1976 case where Michael Lee Smith robbed a Baltimore woman.43 There had been a “pen register” placed on Smith’s phone to receive the numbers he dialed.44 Smith attempted to get the information thrown out because it was received without a warrant.45 The Supreme Court said a warrant was not necessary because there was no legitimate expectation of privacy in information voluntarily turned over to third parties.46 Essentially, technology has helped the government conduct surveillance without warrants, which can be detrimental to privacy.47
The general practice of collecting and saving all different types ofmetadata is called “big data.”48 That metadata is then “data mined,” when science and engineering is used to extract useful information from the metadata.49 Essentially, big data gets value from the inferences that can be derived from it.50 In the marketing world, patterns are searched for that indicate when someone is about to do something expensive, like buy a car or take a vacation.51 These patterns then allow marketers or the NSA to draw inferences and conclusions about people.52 The data people are willing to share may imply conclusions that they do not want to share.53
The NSA analyzes and uses this metadata to perform certain tasks. Some examples include tracking associations between people, checking whether anyone is tailing oversea spies, tracking “burner phones,” and tracking secret meetings.54 In addition, the agency works to link identities across different data sections to draw inferences, known as data correlation.55
The Public-Private Surveillance Partnership
Corporate and government surveillance are not separate. In fact, they are part of a partnership which relies on both entities to function efficiently.56 The NSA relies on United States corporations to monitor the internet, mainly through the use of their PRISM program.57 Through this program the NSA legally compels companies like Microsoft, Google, Apple, and Yahoo to provide metadata on individuals of interest, often times in secret.58 In this way, the government gets companies to act for them so it is “less Big Brother, and more hundreds of tattletale little brothers.”59
Due to this relationship governments do not want to hinder surveillance conducted by corporations and it is clear that governments are not above forcing corporations to spy for them.60
Although many corporations thrive on this surveillance metadata for purposes of advertising, not all of them have the desire to give this information over to the government.61 Sometimes, providers boast their product based on the security they provide, such as Lavabit, a company focused on secure communications.62 Lavabit went to the extreme when the government attempted to force them to hand over information -they chose to shut the service down completely.63 The problem is that companies who cannot simply shut down when they feel threatened and do not want to turn over
information really have no choice, they essentially lose control of that part of their business.64 There are more examples of this within the United States all showing how persuasive the government can be.65 As long as the NSA is permitted to operate using secret court orders and secret interpretations ofthose orders, no changes will occur.66
Harms Arising From Surveillance
The biggest loss through surveillance is liberty, which is an issue in the legal field.67 Essentially, if there is enough data about someone, there is sufficient evidence to find that person guilty of something.68 This is the exact reason the constitution prohibits general warrants.69 Ubiquitous surveillance means that anyone can be convicted of law breaking when the police set their mind to it.70 This constant surveillance is wrong.71 People should not be forced to monitor their every move. Rather, people should be free to read, speak, and amass knowledge without fear of how it appears in the eyes of the government.72
Harms by Government Surveillance
The largest harm arising from government surveillance is the loss of freedom of speech.73 When people know that the government is watching they are less likely to speak and read about topics they may consider touchy, even if not incriminating.74 This issue has probably come to the forefront for many law students when conducting research on topics that are essential to learn and grow. Constant consideration of the potential risks, or even fear of what may happen, results in self-censorship.75
A major concern with this is whether it may change the relationship of government and citizens.76 For example, surveillance may lead to an increase in discrimination by the government.77 Those in certain religious, social, ethnic, and economic groups will be affected more than the ruling elite, and some already have been.78 The NSA and FBI spy on Muslim Americans who have no affiliation with terrorism.79 After DEA agents permissibly searched an Albany woman’s phone, they saved intimate photos and created a fake Facebook using those photos.80 The court decided she opened herself willingly to fraud and ruled against her.81 In 2009, at a school outside Philadelphia students were given laptops with spyware installed so administration could watch them.82 These actions interfere with a free society. As a society, people derive value from dissent and law breaking.83 It may seem odd to think criminal activity can benefit society, but if old laws could have been perfectly enforced through surveillance, society could not reach a point where they viewed certain activities as okay, such as homosexual relationships and marijuana use.84 Sometimes, deviating from the norm is essential for progress and a perfect surveillance structure can hinder that progress.85
Even though the government has amassed knowledge about citizens, the reverse is not true. The government keeps their surveillance secret from both the citizens and other government agencies.86 By keeping the knowledge, the government is able to keep the power.87 The government goes so far as to completely attack whistleblowers, people who disclose wrongdoing by the government.88 The Espionage Act of 1917 precludes anyone charged with whistleblowing to explain why they leaked the information; they cannot defend themselves.89
Harms to Privacy
There is a common implication that privacy only aids wrongdoers.90 In fact, “[t] he most common misconception about privacy is that it’s about having something to hide.91 That misconception makes no sense.92 Rather, privacy is an inherent human right that people have so they do not lose control of their present selves.93 It is human nature to be irritated or feel threatened when that privacy is invaded.94 By allowing surveillance, humans are forced to feel like prey, animals in the natural world being stalked by a predator.95
The constant surveillance created a world in which people have no control over memories and how they are retrieved.96 Much like an episode of Black Mirror, people will be able to retrieve and replay memories. Nothing will be history anymore. Although it may seem appealing to replay happy memories one may have, having constant access to memories can have a detrimental effect on the human psyche.97
Besides potential psychological issues, storage and access to this metadata gives the holder massive power. Companies and governments try to argue that a simple computer algorithm collecting data is no big deal.98 A Google executive even went so far to say “worrying about a computer reading your e-mail is like worrying about your dog seeing you naked.”99 That analogy is false.100 A dog cannot process the sight, will not base future decisions on that person, and the dog cannot tell anyone else what it sees.101 A computer, on the other hand, stores that metadata, and even if someone is not looking at what the computer collects, they have the option to.102
Due to this mass amount of collection, it becomes extremely difficult to remain anonymous on the massive Internet.103 Retaining anonymity protects privacy, empowers individuals, and is fundamental to liberty.104 A lack of anonymity means an intrusion on privacy.
Harms to Security
The issue with furthering protection is that security tends to be driven by fear and a focus on rare threats.105 People allow fear to get in the way of smart security.106 People also dive in to the assumption that data mining helps to connect the dots to show who may be behaving oddly, allowing the government to find terrorists and people of interest.107 In reality, millions of people behave strange enough to attract the FBI, yet most are harmless.108 The problem is that the system is flawed.109 Error rates are too high, all attacks are unique, and the people who need to be found are trying to avoid detection.”110
The NSA is actually creating an environment where citizens are less secure in order to fuel its own personal surveillance needs. First, the NSA stockpiles vulnerabilities in the software citizens use everyday, rather than making sure those vulnerabilities are fixed.111 Any unpatched vulnerability is risky because anyone can find it, including criminals.112 Second, the NSA inserts back doors into widely used computer hardware and software products, making access inevitable and products less secure.”113 Finally, the NSA hacks the Internet, making sure it remains insecure for the convenience of the agency.”114 Although these techniques may not be geared toward collecting information on everyday people, they become collateral damage.115
What Needs to be done for Protection
The issues with surveillance and privacy are a present concern and something needs to be done to ensure change occurs. Some universal truths should guide that search for change.”116
The debate is often characterized as security versus privacy, but that is a false trade-off”117 Always pitting security against privacy is not logical because the two fundamentally align.118 Not all security measures require people to give up privacy.119 In fact, a lack of privacy often makes people feel insecure.120 Noticing this is key to determining how the problem should be approached because “[the] goal [should not] be to find an acceptable trade-off between security and privacy, because we can and should maintain both together.121
Security versus Surveillance
Recognition that security is more critical than surveillance can help society approach that goal.122 Although on occasion surveillance is a necessity, it makes more sense overall to design the system to protect the majority of citizens who need Internet protection.123 Systems should be designed in a minimalist fashion, only conducting the surveillance necessary for the system to function.124 When surveillance is a necessity, information gathering should be minimal and all information retained should be given an expiration date.125
With that said, “transparency is vital to any open and free society.”126 Given how the system is currently set up, transparency only seems to travel in one direction.127 The big fish (governments and corporations) want to see everything the people do, but do not want the people seeing what they do.128 The resistance by governments and corporations to be transparent creates an imbalance that needs to be changed.129 The only way to ensure that transparency occurs is to increase the oversight and accountability of these governments and corporations.130
In addition, a decision has to be made whether a vulnerable infrastructure or a secure user infrastructure should be created.131 The issue is not only a domestic one, but also how the United States interacts with foreign governments.132 Foreign governments can also access the information we allow the United States government to collect.133 The question is whether the United States designs a vulnerable system to appease their own surveillance needs, or a secure infrastructure to protect all users.134
Government surveillance may at times be a necessity, but for a majority of the time it is not. A balance needs to be struck between giving government agencies what they need to solve crime, without giving them the power to abuse it.135 Implementation of these solutions can be short-term or long-term, and routes such as executive orders, congressional approval, and the passage of legislation will all need to be used.136
As indicated previously, transparency is a necessity and it can be implemented in more areas.137 Currently, the functions of police and crime-fighting are almost all accessible to the public.138 Budgets, capabilities, and effectiveness of police forces is all accessible knowledge, and the police still seem to have a working system.139 That transparency prevalent in the crime-fighting system should carry over to counterterrorism because “the current level of secrecy we have in counterterrorism is excessive.”140 Meeting minimal transparency goals is simple. The government should make descriptions of the scope and scale of the intelligence gathering public knowledge.141 This is not an issue that would hinder the ability of agencies to perform their duties just as efficiently as before, but rather lets the public know the government is operating in a manner that is not deceptive. The desire to keep names secret is an acceptable need, but the “rules under which organizations operate” should be public knowledge.142
In addition, there needs to be more oversight for the NSA.143 Currently, even Congress is unsure of how the NSA operates, which is a problem.144 The NSA uses three authorities to justify its surveillance activities.145 First, Executive Order 12333, authorized in 1981, is extremely permissive.146 This order permits the NSA to monitor conduct outside the United States, while also collecting metadata on American citizens.147 Second, section 215 of the PATRIOT Act has been stretched to authorize mass surveillance, even though that was never the intention.148 Third, section 702 of the FISA Amendments Act was created to solve a problem allowing eavesdropping of information of foreign terrorists that was passing through the United States.149 Because these authorizations have been abused by government agencies, some rules need to be made.150 More members of Congress need to commit to meaningful reform, there needs to be comprehensive oversight by independent government agencies, there needs to be transparency, and there need to be meaningful rules to govern how metadata collection is governed and how long it is saved.151
Protection of Whistleblowers
The next step is to protect whistleblowers because “leaks and whistleblowing are themselves security mechanisms against an overreaching government.152
Essentially, whistleblowers act as a random surprise inspection and there need to be more laws to protect them, such as allowing them to use the fact that there was official wrongdoing within the government entity as a defense.153 “We encourage individuals to blow the whistle on violations of law by private industry, we need to protect whistle blowing in government as well.”154
Limitation of Metadata Collection
Metadata collection also needs to be limited drastically. A return to targeted surveillance is essential.155 Essentially, the NSA is allowed to monitor people without having to go through the warrant process.156 In addition, the bulk surveillance allows law enforcement to watch everyone and develop their own grounds for suspicion.157 Luckily, there have been steps taken in the right direction. In 2013 the Supreme Court required police officers to obtain a warrant before attaching a GPS tracking device to a suspects car.158 In 2014, the Supreme Court required officers to obtain warrants before searching cell phones.159 The next step is to recognize that information should still be and can still be private when entrusted to an online service provider, while the police will still be able to perform their job adequately.160
The vulnerabilities the NSA has allowed to go unkempt need to be fixed.161 Putting security ahead of surveillance is a necessity which is a step in the right direction.162 Relatedly, systems need to be built so they are trustworthy and effective, rather than purposefully insert backdoors into products.163 The technical community is outraged about the NSA’s subversion of these products and the trust behind American built products has weakened throughout the world.164
Finally, espionage and surveillance need to be separated.165 Espionage and surveillance are two very different things, with government espionage focusing on targeting others, rather than collecting as much as possible for no real designated reason.166 Targeted monitoring is actually focused and stabilizing, while mass surveillance is almost never justified, whether it be foreign or domestic.167
As the world of technology has advanced, so has the world of government surveillance. This means two main things. One, people are watched, metadata is collected, and privacy is subverted in order to fuel the surveillance agenda of the government. Two, the people are the ones who must act to ensure privacy and walk away from the life of surveillance they have blindly accepted and become accustomed to. The hidden battles to collect data and control the world are here, “and we need to fight back.”168
1 Syracuse University College of Law Juris Doctor Candidate 2018
2 Bruce Schneier, Data and Goliath: The Hidden Battle to Collect Your Data and Control your World 10 (2015).
3 Schneier, supra note 2, at 99.
4 Id. at 23.
5 Id.at 73.
6 Id. at 99.
7 Id. at 4.
8 Schneier, supra 2, at 20.
10 Id. at 26.
11 Id. at 20.
12 Id. at 21.
13 Schneier, supra note 2, at 22.
14 Id. at 26.
15 Id. at 27.
16 Schneier, supra 2, at 15.
17 Id. at 18.
19 Id. at 16.
20 Id. at 36.
21 Schneier, supra note 2, at 44.
24 Id. at 45.
26 Schneier, supra note 2, at 45.
27 Id. at 33.
30 Id. at 55.
31 Id. at 58.
32 Schneier, supra note 2, at 73.
33 Id. at 74.
36 Id. at 75.
37 Id. at 74.
39 Schneier, supra note 2,at 79.
41 Id. at 80.
44 Schneier, supra note 2, at 80.
46 Id. at 80.
48 Id. at 39.
49 Schneier, supra note 2, at 39.
50 Id. at 40.
53 Id. at 41.
54 Schneier, supra note 2, at 46 (Burner phones are phones used for short periods of time and then are thrown away in an attempt to maintain secrecy).
55 Id. at 47.
56 Id. at 92.
58 Id. at 92-93.
59 Id. at 54.
60 Schneier, supra note 2, at 98.
61 Id. at 99.
65 Schneier, supra note 2, at 100 (The government forced Skype to make changes to facilitate eavesdropping, and in 2008 the government threatened Yahoo with a $250,000 per day fine if they did not join the PRISM
66 Id. at 102.
67 Id. at 107.
68 Id. at 108.
70 Schneier, supra note 2, at 108.
71 Id. at 110.
73 Id. at 111.
74 Id. at 112.
75 Schneier, supra note 2, at 112.
77 Id. at 114.
78 Schneier, supra at 114.
79 Id. at 122.
80 Schneier, supra note 2, at 123.
83 Id.at 115.
85 Schneier, supra note 2, at 115.
86 Id. at118.
87 Id. at 119.
90 Schneier, supra at 147.
93 Id. at 148.
94 Id. at 149.
95 Schneier, supra note 2, at 149.
96 Id.at 151.
98 Id. at 153.
100 Schneier, supra note 2, at 153.
102 Id. at 154.
103 Id. at 157.
105 Schneier, supra note 2, at 158.
107 Id. at 159.
109 Id. at 160.
110 Schneier, supra note 2, at 160.
111 Id. at 172.
113 Id. at 173.
115 Schneier, supra note 2, at 177.
116 Id. at 181.
117 Id. at 182.
120 Schneier, supra note 2, at 182.
121 Id. at 183.
123 Id. at 184-85.
124 Id. at 185.
125 Schneier, supra note 2, at 185.
127 Id. at 187.
130 Schneier, supra note 2, at 189.
131 Id. at 192.
132 Id. at 193.
134 Id. at 192.
135 Schneier, supra at 197.
136 Id. at 198.
138 Id. at 199.
140 Schneier, supra note 2, at 199.
141 Id. at 200.
144 Id. at 201.
145 Schneier, supra note 2, at 202.
148 Id. at 202-03.
149 Id. at 203.
150 Schneier, supra note 2, at 206
152 Id. at 208.
153 Id. at 209.
155 Schneier, supra note 2, at 209.
156 Id. at 210.
160 Schneier, supra note 2, at 209.
161 Id. at 211.
162 Id. at 212.
163 Id. at 213.
165 Schneier, supra note 2, at 215.
168 Id. at 11.