An Interview with Bruce Schneier, Renowned Security Technologist
Bruce Schneier is an internationally renowned, award-winning public-interest technologist who serves as Chief of Security Architecture at Inrupt, a company working to bring Sir Tim Berners-Lee's distributed data ownership model into the mainstream. Mr. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the author of over a dozen books—including one of the quintessential cryptography texts, Applied Cryptography—as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. Before joining Inrupt, Mr. Schneier served as CTO of Resilient Systems and Counterpane Internet Security.
The NSA's phone program cost $100 million over four years and only twice generated unique information for the FBI. What's your takeaway? Does that say more about the program's inefficiency or about how much data the NSA already collects?
Collecting data is easy; analyzing it is hard. Gathering actionable intelligence from mass surveillance data is often described as finding a needle in a haystack. The obvious extension of that metaphor is that piling more hay onto the pile doesn't help. What we know is that conventional investigative techniques—following the leads—are very effective. This means that targeted surveillance can be very effective. Mass surveillance, not so much. It's good at social control, which is why totalitarian governments like it so much. But despite the US government's insistence that it's essential for national security, it turns out that when you examine the actual evidence, it is not.
What kind of constraints are there on academics publishing cryptography papers? Does the NSA restrict academic freedom at all?
No, they do not. That's a very 1970s way of limiting the spread of cryptographic expertise around the globe. It worked for a while, until the establishment of cryptography as an academic discipline in the 1980s. Around then, the NSA switched to export controls as a way to regulate the use of strong cryptography worldwide. That collapsed with the rise of the Internet and electronic commerce. Today, the NSA relies on its superior cryptographic expertise and hacking skills, and somewhat on its ability to slip backdoors into commercial products and standards. How effective this all is, we don't know, but the Snowden documents showed us that it was all very effective in the early 2010s. My guess is that it's no less effective today.
Whether and what security precautions someone should take seems largely contextual, but are there any baseline precautions that you think most people would benefit from?
Keep your software updated, run an anti-virus program (I don't care which—they're all equally mediocre), and back up everything regularly. That will protect you against most common threats. Also, use two-factor authentication for your important accounts, and a password manager so you don't have to remember the ridiculously complicated passwords you need to use to remain secure.
After that, it's harder to give advice. Most of the data that is important to you isn't under your direct control. It's not on your computers. It's on computers owned by Google, and Apple, and your credit card company, and your cell phone provider. The security precautions that they take are much more critical than anything you do, and you have no control over them. You mostly don't even have any visibility into what they are.
How about specifically for journalists and authors dealing with medium-high sensitivity information?
First and most important: do not rely on security advice from Q&A interviews in random college magazines. The threats you face are probably much more serious than that. There are resources out there for you. Check out Security Planner. The Electronic Frontier Foundation maintains a "Surveillance Self Defense" guide. And the Committee to Protect Journalists has a security guide. Section 3 is all about maintaining security and privacy in the face of a variety of digital threats.
One of the things I tell activists working in authoritarian countries is that their best option is a fully tricked-out Chromebook. Google is likely to protect their data better than they could. Sure, their stuff is being spied on by Google and will be turned over to the US government with a court order, but that's probably not part of their threat model. For truly at-risk individuals, Google's Advanced Protection Program is worth seriously considering.
How much of a threat are hardware backdoors? Given the CIA's secret acquisition of Crypto AG, quite a lot seems possible. Could you foresee secret contracts between the U.S. government and hardware manufacturers? Are they already in place?
Of course there have been secret contracts, or more likely secret verbal agreements, between the US government and hardware manufacturers to keep their products insecure. The story of Crypto AG selling backdoored encryption hardware to governments around the world has made the news recently, but it's not the only story that has become public. During the Cold War, it's reasonable to assume the US government did that all the time. It's harder today, because the tech industry is much more public and global. Still, while Apple has refused to make its iPhone insecure at the request of the US government, it has not encrypted its iCloud backups, possibly because of pressure from the US government.
This story will play out in all countries. We believe that Chinese communications infrastructure companies have put backdoors into their products at the request of their government. The Chinese believe Cisco has done the same at the request of the US government. My guess is that—unfortunately—everyone is right and that there are backdoors in pretty much everything.
I don't really worry about spying. If Huawei routers had a backdoor that sent copies of all Internet packets back to China, we would easily detect that. More worrisome is a secret embedded command that would allow China to disable the routers in the event of hostilities. That's easy to do and next to impossible to detect.
The Solid server prototype was born out of the work conducted by Sir Tim Berners-Lee and his team while at MIT. Inrupt's mission is to catalyze this work and help apply Solid to real-world use cases. The promise of realizing Tim's true vision for the web has prompted a pretty amazing array of global organizations to engage with us on truly transformational projects. To make all of that happen, we at Inrupt have been building our own software based on the open and public Solid protocol. Some of this, like our SDK, is already available to the open-source community. Other products are starting to make their way into the public domain. At this point we can't talk about our customers/partners or their projects because of various confidentiality agreements—and they're in charge of their own schedules and timelines.
Relatedly—how long would it take for me right now to create a WebID, establish a Pod with Inrupt, and begin storing my data?
Assuming you're an individual user visiting inrupt.net, the literal answer is "like 20 seconds": the time it takes you to sign up for any kind of online account. But remember that inrupt.net is not intended as a mainstream commercial offering. It's a test system: a way to let people explore the basic functionality of Solid and to provide open-source application developers with Pods to test and use. This is a critical element of seeding Solid throughout the developer community. Inrupt's core focus is working with organizations to explore the powerful opportunities for innovation at enterprise scale. That's still coming.
How are for-profit companies—especially social networks like Facebook—incentivized to develop using Solid if they can no longer hyper-target advertising to their users at their current level?
Companies like Facebook, with a business model built entirely around surveillance capitalism, are not going to be the first movers here. If they come around to Solid at all, it will be late in the adoption curve. I would expect a potential Facebook competitor—assuming it's not squashed by Facebook's monopoly power—would be much more likely to adopt Solid because it would let it scale its system quickly without the liability around collecting everyone's data. It would still be able to use the data, and market to users based on it, but it wouldn't be in its servers on its networks. Google and Facebook notwithstanding, most companies do not build their business models around targeted advertising. We have projects underway in industries like finance, healthcare, insurance, and more. A lot of companies understand that they can have a better relationship with their customers by rethinking who gets control—and also the ultimate value—of that data.