Book Review: Data and Goliath by Bruce Schneier
How many times have you heard the “Nothing to Hide” argument? If you don’t have anything to hide, then you don’t need to worry about anyone watching you or collecting information about your thoughts and behaviors. Consider the impact to those that have nothing to hide. Depending on who is watching, people will curtail open discussion on many topics which stifle new thinking, innovation and even market disruption. Furthermore, it becomes easier to categorize and, therefore, discriminate against individuals. Privacy in our communications is much more important than most people think. And, a lack of information transparency in collection and use of data keeps this issue off the radar for most everyday people.
I’ve worked on ways to protect sensitive data while enabling it’s use for research and development. As such, data privacy is an important area of concern for me. I’ve always respected the work of Bruce Schneier, a Harvard Law fellow and important figure in the information security world. Schneier’s latest book, Data and Goliath, is a comprehensive look at contemporary issues of data privacy.
Schneier provides a large number of examples with a full bibliography to cite his sources. His information is much too extensive to list here. Instead, I’ll describe the high-level framework for his views on data privacy.
In the first part of the book, Schneier shows how extensively our lives are being tracked.
First, the extensive collection of data, these days, has transformed into a form of surveillance. Most traditional surveillance has been targeted to individuals where there is no evidence available before surveillance starts. With data collection across anyone using the internet, telephony, automobiles or just walking around public places that have video cameras, surveillance now can reach far back into personal history.
Second, even if only collecting meta-data on communications such as source/destination addresses, time of day and location, those with access to the data can ascertain very specific characteristics of people. In many cases, it would be easy to determine if you have a specific medical condition, your sexual orientation or whether you own an automatic weapon, to name a few. It is important to realize that meta-data is all that is needed to map our complex set off relationships and associations that define who we are as individuals.
Third, removing the user’s identity or anonymizing data that is connected to the user such as personally identifiable information (PII) will not protect the user’s identity. Schneier provides very convincing evidence that the user’s identity is discoverable using a finite number of unique attributes found in user data that is correlated with disparate sources.
Collected data is used by private companies to categorize and manipulate users. And, it is used by governments as a form of surveillance. A lot has been written about both cases. However, Schneier provides a bit more depth to this discussion by describing the great lack of transparency in both sectors. He describes internet companies as being feudal lords that do not provide any real option to us users other than handing over our private information without providing any real statement as to what information is being given or how it will really be used. And, using various sources including data released by Edward Snowden, he describes the extensive collection methods employed by the NSA including stockpiling exploits and forcing complicit companies to provide backdoors in their products.
A great deal of the problem, especially in the US, is due to weak laws governing data privacy. The NSA obtains warrants via the FISA court which barely ever denies a warrant. And, it is apparent that there have been many cases of overreach in scope of collection or targeting. There are no effective checks and balances implemented to stop overreach or abuse of power derived from collected data. And, data is shared across a great many companies and governments. Most of these steps are taken with little or no transparency to the user.
The latter part of this book suggests ways to bring data collection and the resulting surveillance and manipulation under control while not sacrificing the bottom lines of companies and the security of nations. One important point made is that NSA data collection has hurt businesses by degrading customer trust in these products that may very well provide collected data to the government. And, Schneier also argues that ubiquitous data collection and algorithmic detection of terrorist activities is quite ineffective.
I would encourage anyone interested in privacy rights and privacy technology to read this book. I can tell you that it has had a great impact on my own thinking.