“Privacy is not a luxury that we can only afford in times of safety. Instead, it’s a value to be preserved. It’s essential for liberty, autonomy, and human dignity. We must understand that privacy is not something to be traded away in some fearful attempt to guarantee security, but something to maintain and to protect in order to have real security. None of this will happen without a change of attitude. In the end, we’ll get the privacy we as a society demand and not a bit more.” (Data and Goliath)
Author: Bruce Schneier
Publication Date: 2015
Origin: I’m a longtime subscriber of Schneier’s Crypto-Gram newsletter, from my days working in/with network security products, and I find his commentary on information security, privacy, and related matters to be informative. I’m also quite concerned and dismayed with the general population’s ignorance or apathy towards these subjects, so I thought that this book might provide me with valuable information and messaging that I could use to increase awareness; consequently, I pre-ordered Data and Goliath just about as soon as I could.
Summary: Data and Goliath is an exhaustively researched and clearly presented examination of our mass surveillance reality.
The book is divided into three parts:
- Part One, The World We’re Creating, describes the surveillance society in which we already live (i.e., today, now, already) and explains that, “ubiquitous mass surveillance is fundamentally different from just a lot of individual surveillance, and it’s happening on a scale we’ve never seen before.” This section examines the business models at play, how and why governments are involved, and how business and governments are working together.
- Part Two, What’s at Stake, explores the interrelated harms that are a consequence of mass surveillance in its various forms, from political discrimination and control, to manipulation by corporate interests, to economic harm from international backlash, to loss of privacy, to (perhaps counterintuitively) the harm to security.
- Part Three, What to do About It, outlines steps and actions we can take to protect ourselves from government and corporate surveillance, and suggests policy recommendations that balance legitimate surveillance needs with legitimate privacy rights.
My Take: Data and Goliath explains the surveillance world in which we live in clear, accessible language. I went into it with a pretty solid understanding of the issues and familiarity with the subject matter, but came out with a much more comprehensive appreciation of the complexities (and perhaps even a little more concerned).
Importantly, I also emerged with at least a little hope, because Schneier makes it clear that solutions are possible; unfortunately, getting those solutions implemented will take a much wider awareness than we have today, and people will need to do a little research to understand what’s really going on (as opposed to blithely listening to the lies of our politicians).
Rather than being an idealist’s commentary, or being an attempted technical examination by an amateur, Data and Goliath is a practical, pragmatic examination of Schneier’s subject of expertise. We should listen to his warnings, rather than dismiss them as the ravings of an alarmist, and heed his advice.
As Schneier says on p157, “Our goal shouldn’t be to find an acceptable trade-off between security and privacy, because we can and should maintain both together.”
Read This Book If: …you’re a human alive today.
Notes and Quotes:
Part One: The World We’re Creating
- p1 sets the stage by reminding readers that we already live in a science-fiction world of constant surveillance (it’s worth reminding folks that this excerpt is not speculative – it is fact, today): “Your cell phone tracks where you live and where you work. It tracks where you like to spend your weekends and evenings. It tracks how often you go to church (and which church), how much time you spend in a bar, and whether you speed when you drive. It tracks – since it knows about all the other phones in your area – whom you spend your days with, whom you meet for lunch, and whom you sleep with. The accumulated data can probably paint a better picture of how you spend your time than you can, because it doesn’t have to rely on human memory. In 2012, researchers were able to use this data to predict where people would be 24 hours later, to within 20 metres.”
- p4: “The bargain you make, again and again, with various companies is surveillance in exchange for free service… The problem is that these aren’t good or fair bargains, at least as they’re structured today. We’ve been accepting them too easily, and without really understanding the terms.”
- p17 (I especially like the last sentence): “This smog of data we produce is not necessarily a result of deviousness on anyone’s part. Most of it is simply a natural by-product of computing. This is just the way technology works right now. Data is the exhaust of the information age.”
“Data is the exhaust of the information age.”
- p23, since metadata’s been in the news a bunch and the layman doesn’t know what it means (and so might just erroneously believe certain misleading politicians): “One way to think about it is that data is content, and metadata is context. Metadata can be much more revealing than data, especially when collected in the aggregate. When you have one person under surveillance, the contents of conversations, text messages, and emails can be more important than the metadata. But when you have an entire population under surveillance, the metadata is far more meaningful, important, and useful. As former NSA general counsel Steward Baker said, ‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.’ In 2014, former NSA and CIA director Michael Hayden remarked, ‘We kill people based on metadata.'”
- This little bit from p55, in a section on targeted advertising, just caught my eye because I haven’t seen anyone express this conclusion before – as obvious as it is in retrospect: “As advertising saturates our world, the value of each individual ad falls. This is because the total amount of money we have to spend doesn’t change.”
Part Two: What’s at Stake
“Surveillance puts us at risk of abuses by those in power, even if we’re doing nothing wrong at the time of surveillance. The definition of ‘wrong’ is often arbitrary, and can quickly change.”
- p92: “Surveillance puts us at risk of abuses by those in power, even if we’re doing nothing wrong at the time of surveillance. The definition of ‘wrong’ is often arbitrary, and can quickly change. For example, in the US in the 1930s, being a Communist or Socialist was a bit of an intellectual fad, and not considered wrong among the educated classes. In the 1950s, that changed dramatically with the witch-hunts of Senator Joseph McCarthy, when many intelligence, principled American citizens found their careers destroyed once their political history was publicly disclosed. Is someone’s reading of Occupy, Tea Party, animal rights, or gun rights websites going to become evidence of subversion in five to ten years?”
- Perhaps even going on record as having purchased and read this book will come back to haunt me, who knows? p93: “This is wrong. We should be free to talk with our friends, or send a text message to a family member, or read a book or article, without having to worry about how it will look to the government: our government today, our government in five to ten years, or some other government.”
- p98, while talking about social advances and human rights, and the chilling effects of the perfect enforcement that comes with ubiquitous government surveillance: “This is an important point. Freedoms we now take for granted were often at one time viewed as threatening or even criminal by the past power structure. Those changes might never have happened if the authorities had been able to achieve social control through surveillance. This is one of the main reasons all of us should care about the emerging architecture of surveillance, even if we are not personally chilled by its existence.”
“Freedoms we now take for granted were often at one time viewed as threatening or even criminal by the past power structure. Those changes might never have happened if the authorities had been able to achieve social control through surveillance. This is one of the main reasons all of us should care about the emerging architecture of surveillance, even if we are not personally chilled by its existence.“
- After reading some stories about surveillance abuse on p104, it strikes me that one way to shift the perceived cost/benefit analysis is to mobilize citizens to sue en masse when abuses happen.
- p106, under the subtitle Curtailing Internet Freedom; file it under Oops! “In 2010, then secretary of state Hillary Clinton gave a speech declaring Internet freedom a major US foreign policy goal. To this end, the US State Department funds and supports a variety of programs worldwide, working to counter censorship, promote encryption, and enable anonymity, all designed ‘to ensure that any child, born anywhere in the world, has access to the global Internet as an open platform on which to innovate, learn, organize, and express herself free from undue interference or censorship.’ This agenda has been torpedoed by the awkward realization that the US and other democratic governments conducted the same types of surveillance they have criticized in more repressive countries.”
- p107, I couldn’t agree more: “Internet freedom is a human rights issue, and one that the US should support.”
- p108 quickly describes a real-world example where a company (in this case, Accretive Health) abused its surveillance powers…so don’t go thinking, “Oh, this kind of thing is speculative and would neeeever happen.”
- p109: “In a fundamental way, companies use surveillance data to discriminate. They place people into different categories and market goods and services to them differently on the basis of those categories.”
- p109…wow, “weblining” (the practice of denying certain opportunities to people due to observations about their digital selves) is awful. “Oh, but that would never…” Too late, here’s an example: “In 2000, Wells Fargo bank created a website to promote its home mortgages. The site featured a ‘community calculator’ to help potential buyers search for neighborhoods. The calculator collected the current ZIP code of the potential customers and steered them to neighborhoods based on the predominant race of that ZIP code. The site referred white residents to white neighborhoods, and black residents to black neighborhoods.” Schneier continues, “Weblining…has the potential to be much more pervasive and much more discriminatory than traditional redlining.” and a 2014 White House report on big data concluded that, “…big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education, and the marketplace.”
- p127 really struck me: “Through most of history, our interactions and conversations have been ephemeral. It’s the way we naturally think about conversation. Exceptions were rare enough to be noteworthy: a preserved diary, a stenographer transcribing a courtroom proceeding, a political candidate making a recorded speech. That has changed.” p128 continues, “Science fiction writer Charles Stross described this as the end of prehistory.”
“Through most of history, our interactions and conversations have been ephemeral. It’s the way we naturally think about conversation. Exceptions were rare enough to be noteworthy: a preserved diary, a stenographer transcribing a courtroom proceeding, a political candidate making a recorded speech. That has changed. Science fiction writer Charles Stross described this as the end of prehistory.”
- p140, the messages we hear from politicians are lies (whether knowingly or not), and there are more effective alternatives: “This is a critical point. Ubiquitous surveillance and data mining are not suitable tools for finding dedicated criminals or terrorists. We taxpayers are wasting billions on mass-surveillance programs, and not getting the security we’ve been promised. More importantly, the money we’re wasting on these ineffective surveillance programs is not being spent on investigation, intelligence, and emergency response: tactics that have been proven to work.”
- p144, on why we should all be using encryption: “Remember the economics of big data: just as it is easier to save everything than to figure out what to save, it is easier to spy on everyone than to figure out who deserves to be spied on. Widespread encryption has the potential to render mass surveillance ineffective and to force eavesdroppers to choose their targets. This would be an enormous win for privacy, because attackers don’t have the budget to pick everyone.”
- There’s a whole sub-chapter, starting on p146, about the idiocy of maintaining an insecure Internet (stockpiling vulnerabilities, inserting backdoors, undermining encryption algorithms and standards, etc.).
Part Three: What to Do About It
- p157: “More generally, our goal shouldn’t be to find an acceptable trade-off between security and privacy, because we can and should maintain both together.”
“More generally, our goal shouldn’t be to find an acceptable trade-off between security and privacy, because we can and should maintain both together.”
- p171: “We have to design systems that keep us safe even if their details are public and known by the enemy. Secrets are harder to keep today, so we’re better off limiting their numbers.”
- I scrawled a note in the margin of p186, which comes after many pages of practical proposals, saying, “Shows that it is possible, if we’re willing.” That is, we can – as a society – achieve what Schneier is advocating, with effort; he’s not proposing wild ideas or unattainable goals.
- p198 has an interesting idea: “One intriguing idea has been proposed by University of Miami Law School professor Michael Froomkin: requiring both governments agencies and private companies engaging in mass surveillance to file Privacy Impact Notices, modeled after Environmental Impact Reports. This would serve to inform the public about what’s being collected and why, and how it’s being stored and used. It would encourage decision makers to think about privacy early in any project’s development, and to solicit public feedback.”
- p215 lists a number of browser plug-ins (examples of PETs, or privacy enhancing technologies) that can protect your data; I’m a longtime user of Ghostery, but Schneier also lists Lightbeam, Privacy Badger, Disconnect, and FlashBlock.
- This excerpt from p218, talking about the power of deception techniques, sounds pretty Art of War-ish: “If you close off all the enemy’s intelligence channels, you close off your ability to deceive him.”
- p223: “Talk about surveillance. This is the next step. The more we talk about it, the more people realize what’s going on.”
- p223, what seems to have been forgotten about the Snowden revelations: “One of the most surreal aspects of the NSA stories based on the Snowden documents is how they made even the most paranoid conspiracy theorists seem like paragons of reason and common sense. It’s easy to forget the details and fall back into complacency; only continued discussion of the details can prevent this.”
“Talk about surveillance. This is the next step. The more we talk about it, the more people realize what’s going on. One of the most surreal aspects of the NSA stories based on the Snowden documents is how they made even the most paranoid conspiracy theorists seem like paragons of reason and common sense. It’s easy to forget the details and fall back into complacency; only continued discussion of the details can prevent this.”
- p232-3: “Privacy is not a luxury that we can only afford in times of safety. Instead, it’s a value to be preserved. It’s essential for liberty, autonomy, and human dignity. We must understand that privacy is not something to be traded away in some fearful attempt to guarantee security, but something to maintain and to protect in order to have real security. None of this will happen without a change of attitude. In the end, we’ll get the privacy we as a society demand and not a bit more.”