Dr Bruce Schneier is a world-renowned security expert and author.
Schneier’s work has been marked by a strong interest in the way that technology is used, with his Secrets & Lies a classic in the field. He is widely respected for his views on cyber-warfare and cyber-crime. Norbert Wiener had deep insights in this area, including his comment that “in the long run, there is no distinction between arming ourselves and arming our enemies”.
“Ubiquitous Surveillance and Security” – Bruce Schneier
I think Bruce really exemplifies many of the aims and qualities that we’ve sought in this conference. It gives me great pleasure to welcome him to present his keynote address entitled Ubiquitous Surveillance and Security. Thank you Bruce.
Thank you and good morning. I’m going to arrange things up here. Thanks for getting out of bed. I appreciate it. I want to talk for the next 45 minutes about the relationship between data and power, and how the internet affects that. Who gains power? Who loses power? What the effects are, and then think about how to fix what I think is broken.
It’s a common phrase that information is power. I think that’s a little simplified. I mean really it’s differential information that’s power, right, having more information than somebody else, and without getting into the philosophical details I think of data as unprocessed information, and more data is a potential for more power in a lot of different things. In negotiations, in persuasion, in control, and this is true for governments, for corporations, for individuals, for everybody. That’s what I want to look at.
The internet fundamentally changes our access to information. It renders dinner table conversations obsolete in some cases. Facts are no longer things we discuss. We just look them up. This makes us all more powerful. In some ways, nothing changes but of course, that’s not the whole story. There’s a lot more information out there, and those who have access to even more of it have even more power, and this kind of, at a meta level, explains why everyone is trying to collect your information, and why there are so many attempts to control us.
The way I think of this, and again, being very broad is that data is basically a byproduct of the information society, and everything we do on a computer produces a transaction record. Browsing the internet, making a phone call, paying for something in anything other than cash, a medical device. I woke up this morning, and I used an Uber to get here generating data. I bought breakfast with a credit card generating data. I had my cell phone with me the whole time, and I turned on my computer. I probably was photographed by any number of a dozen security cameras here and there all producing data about me.
Data is a byproduct of our information socialization. I had a very nice conversation with my wife this morning. We had it over IM, and data was produced about that conversation not just we had it but actually the content. It’s phone calls, emails, text messages, Facebook chatter all produces data. This data is increasingly stored and increasingly searchable, and there’s a change that [sorts it 00:03:43].
This is Moore’s law. Data storage drops to free, data processing drops to free, and the stuff we used to throw away we now save. This is the promise of big data. This is why everyone is building large data centers. It’s funny. I was thinking about my email, and I went and checked. Before 2006, I sorted all my mail. I had hundreds of email boxes, and I would carefully sort mail into where they belong by person, by topic, by time. In 2006 I stopped. I didn’t have like one email box because for me for email in 2006 search became cheaper than sort.
It was easier to save everything and look for it later than to figure out what to save. You might have a different experience with email but that line has been crossed with pretty much all of our data. Right, storage is so cheap, search is so easy so why bother figuring it out? With that switch, the nature of our relationship with data changed. Right, we used to save data for historical reasons. To remember what we said or did. I call my email my offline brain. It’s a record of everything I did.
We stored data to recall stuff. We stored to verify our actions with some third party, think of our tax records. We stored things to let future generations know what we were doing. Those are all historical reasons. Now, with all this data, it more likely drives future decision making.
We store data to decide things about the future. This again is the promise of big data that we’ll be able to make better decisions because of all of our data. Not just recall the past but drive the future. This data is largely surveillance data, and when Edward Snowden first started revealing the extent of NSA surveillance that was when the common refrain you heard from the president, from members of Congress was that it’s only metadata. The president said something like no one is listening to your phone calls.
Metadata is fundamentally surveillance data. As computer scientists metadata is a weird thing because one program’s metadata is another program’s data but in a much more social sense metadata is data that the system needs to operate. It’s not the contents of your phone but all the routing information, and the billing information. That’s basic surveillance data, and the way I think about it, imagine I hired a private detective to spy on this guy.
The techie will put a bug in his home, in his car, in his office and I’d get a report. I’d get a report of the conversations he had. That’s the data. That’s what we are told isn’t being collected on Americans, I guess on Americans. If you are not an American, all bets are off.
Imagine I hired a detective to put him under surveillance, and I’d get a different report, a report of where he went, who he spoke to, what he purchased, what he read, what he did. That’s all metadata. Metadata is surveillance data. It’s in a lot of ways a lot more important than conversation content. It tracks our relationships, our associations, what we are interested in, who’s important to us.
Metadata reveals who we are, and as an added bonus it’s much easier to store, to search and to analyze. Today, we are living in the golden age of surveillance, and it’s an interesting kind of surveillance. It’s incidental. It’s a side effect of all the computerized services we use. It’s covert. We don’t see it happening. There are hundreds of internet trackers that are tracking us on the internet. We don’t see any of them. It’s not like people are peeking behind curtains and looking at us. We’d notice that. We don’t see most of the cameras.
It’s hard to opt out of. You cannot not use a credit card. You can’t not have an email address. I don’t use Gmail. I don’t want Google having copies of all my mail but last time I checked Google has a third of my mail because you all use Gmail. It’s ubiquitous. It’s happening to all of us everywhere because everything is being computerized.
Ubiquitous surveillance is fundamentally different. We just had a Supreme Court ruling in the United States earlier this week about the collecting of data on someone’s cell phone at a police stop, and if you read the ruling Judge Roberts makes a very interesting point that even though it’s the same as collecting anything that’s in your pocket, which is normal practice, the phone is different. A difference of scale means a difference of kind.
Right, ubiquitous surveillance isn’t follow that car, which we’ve all seen on cop shows. It’s follow every car, and when you can follow every car you can do different things. You can do surveillance backwards in time. Tell me where that car was last month. You can do what the NSA calls hop searches, and they talk about this, well, we know about this from Snowden documents on cell phone … On metadata surveillance for phone calls, and when they are looking at who’s calling who, they have a person of interest, look at who they are calling, who they are calling, and who they are calling.
They go three hops away from the individual. It’s something you couldn’t possibly do if you’re following one car, or something we are still trying to figure out what the NSA is doing with what they call about searches, which are other selectors than names. So selecting on topics, or locations. Again, you need the database of surveying everybody to make that work.
We are finding people that fit certain surveillance characteristics. For example, you know that you’re interested in three date-time-location combinations. Can you search the database, and look for anybody who’s been at those three points of space-time? There’s a flag when something is interesting based on some predefined criteria, or some criteria that’s not even predefined.
These are the sorts of things you can do when you have all the data. Again, I’ll give a couple of examples from cell phone location data. We know from NSA documents one is, and this is actually kind of clever. They will search the database, and look for phones that get turned off. When they find a phone that gets turned off they look for other phones that are turned off around the same time, and nearby that also get turned on around the same time nearby, elsewhere. Think about it. That’s looking for secret meetings.
They’ll look for phones that get turned off permanently, and then phones that get turned on permanently afterwards with similar calling patterns. They are trying to chain burner phones. Again, you need all the data to do this.
Even including the NSA, most of this data is being collected by corporations, and I think this is something we don’t see a lot of in the discussions of the NSA. It’s: surveillance is the business model of the internet. We built systems that spy on people in exchange for services. Initially, we did this for efficiency reasons but when the internet appears, for commercial purposes, in the mid-nineties there’s no obvious way to charge anybody. Credit card companies hadn’t yet figured out very cheap charges, and people expected the internet to be free.
The only place there was to extract money was advertising. There was already a huge data collection industry in credit reporting, and direct marketing, which was able to flow right in, and now we have the major sites of the internet making their money by spying on you. This is Facebook. This is Google, New York Times. This is everybody.
You always have to remember, you are not the customer. You are the product, and actually, even when you are the customer you are also the product because now we are seeing on cell phones especially apps that charge a dollar a month, two dollars a month, a dollar permanently. These apps don’t take your money and then not spy on you. They take your money, and then they spy on you. The forces here I think are free and convenient. That’s why people are doing this.
The data, of course, is collected, you know why, for psychological manipulation. I usually call it advertising, which is the other business all over the internet, making propaganda, and in these things more data is more power. Right, personalized ads, personalized offers, personalized psychological manipulation, and we know a lot of this is going on. The types of offers you see depend on your browsing history, which computer you use, time of day, your identity. This personalized advertising happens a lot.
Corporations know an amazing amount about us. Our cell phone is the single most invasive surveillance device ever invented, and if you think about it, it reveals where you live, where you work, who you spend time with during the day and at night, who you talk to, what you do, right. I used to say that Google knows more about me than my wife does but that’s true, certainly. It doesn’t go far enough. Google knows more about me than I do because Google remembers everything, and I don’t. Google knows what kind of porn all of you like, which is creepy but it’s the system we’ve built.
Government surveillance largely piggybacks on all these same capabilities. The NSA uses internet cookies, logins, cell phone location data. They use everything, and this piggybacking, this alliance lets governments get away with a level of surveillance we would never allow them otherwise. If the government said you must carry a tracking device with you 24/7, we would never allow it yet we happily carry our cell phones. If the FBI said, whenever you make a new friend, you must inform us but instead you inform Facebook. If the police said you must leave a copy of all your correspondence with the local police office, right, we’d never do it but we leave it with Google.
We would never agree to government demands to know all of our porn habits. We never would but we provide this data willingly, daily to corporations. Government collection is largely because of fear, depending on your country. In the US, it’s fear of terrorists, fear of criminals. You go to China it’ll be fear of the people but there is this fear that drives collection, and again, data is power.
It’s interesting in the past couple of decades the nature of collection has changed. Going back to the NSA, the NSA changed their model at about the same time we changed our relationship with all this data, producing all this data exhaust and I think it’s important to go back and look at the NSA’s mission and their history for a little bit.
The NSA was born out of the Cold War, and at that time a voyeuristic interest in the Soviet Union was normal. We collected a lot of data, some of it useful, a lot of it not, and there’s this notion of tactical facts versus strategic ideas, or secrets versus mysteries. It’s a lot easier to learn about the speed of the new Soviet battle tank than to figure out what Khrushchev is thinking, or even now, what Putin is thinking. That kind of surveillance faded when the Cold War ended, and a lot less of it was going on, and I think the NSA budgets reflected that.
That got a new lease on life with the terrorist attack of September 11. The president of the United States gave the intelligence community an impossible mission, and that mission was never again. It’s completely ridiculous but if you think about it the only possible way of preventing something from ever happening is to know everything that does happen. That giant eye of the NSA was turned inward on ourselves, outward on the world. That changed the nature of the NSA’s collection.
Formerly, the collection targets were foreign governments. Nation on nation espionage, something as old as nations. This new NSA mission is nation on population surveillance because you’ve got an enemy that’s anyone, anywhere, so you have to watch everyone, everywhere. We move from espionage to surveillance, from targeted surveillance to ubiquitous surveillance.
At around the same time the nature of communications changed. Back to the Cold War, communications were isolated by communications circuits. If you wanted to spy on the Soviet military you listened to Soviet military communications channels and they were separate. You would never hear American citizens chatting on Soviet military communications networks. That changed. Now, everyone is using the same network. That IM conversation I had with my wife this morning could have very easily flowed through Europe, why? Because that’s the way the network works. It looks for the best routing regardless of geography.
You can’t isolate communications based on the physicality of where the bytes are going. We have one global communications infrastructure, which is why it’s now very hard for the NSA not to spy on Americans even if it wants to … Even if it doesn’t want to because we are all using the same communications channels. We are all using the same protocols, and the same networks, the same everything.
The power of companies is also increasing information. Two other trends I want to mention in computing, which are more recent trends that really change the nature of us and data, and companies that have it. The first is the rise of cloud computing. Traditionally, our data was near … Physically near us. It was on our computers, in our homes, in our offices, and US law protecting privacy has fears of physicality. Things that are near us get more protection because they are perceived to be more intimate. Our homes, our cars, our persons.
The search rules are different than the stuff I have in the storage locker across town but data has changed. All of our data is now in the storage locker across town. Our emails, photos, calendars, address book, messages, documents they are not at our computers. They are on servers belonging to Google, Apple, Microsoft and everybody else. It might not be true for you guys but it’s true for everybody else. You talk to a young person today, and they actually don’t really get where their computer ends and the internet begins because the difference is irrelevant now. The rules have changed.
Secondly, we are accessing our data on devices that we have much less control over. Think of iPhones, iPads, Android phones, Chromebooks. The old paradigm was you’d buy a computer, you’d take it home, and you’d have absolute control over it. What software you could install, how it worked, what you can do. That is not true on an iPhone. Every piece of software on an iPhone has been approved for sale by Apple, which is why certain types of applications are not available for iPhone, and you cannot install them. You could hack, and jailbreak it, leaving that aside, there’s a much greater control because that device is online all the time.
Of course, companies are doing this because they want the revenue stream. Your Kindle, you can’t even control when a software update happens. You can’t control if Amazon decides to delete a book off your Kindle. You have basically no control over it. It’s almost back to the days of dumb terminals. This is being done for business reasons, and actually if you look at the new computer OSes, Windows 8, Apple’s Mountain Lion and Yosemite both of them are moving in that same direction.
There’s a company store, you are really pressured to do everything through that single interface. The result is actual control, like control of what we can see, what we can use, what we can do.
There’s a consolidation of power going on. I think of it as the public-private surveillance partnership. There’s a lot of back and forth between governments and corporations in surveillance. Governments leverage corporate collections. We talked a bit about that both surreptitiously, and by asking. We see examples of that in all countries. It works the other way too. Corporations will mine government databases, lots of places in the United States where license plate data is sold to corporations, stuff like that happens in the UK too.
Recently, there was a big issue with the government looking to sell health data until somebody noticed and put a stop to it. A lot of moving back and forth of data. In the US, we see a lot of corporations hiding behind government secrecy laws, a lot of things that used to be public are now not being made public because of the terrorists, and it’s things like environmental safety data. There are people writing about this calling it the Security Industrial Complex. This massive amount of private corporation supporting government surveillance. Lots of surveillance technology providers.
If you were paying attention this past week both Citizen Lab in Toronto and Kaspersky, a Russian antivirus company published reports on a piece of malware called RCS, Remote Control Systems developed by a company called Hacking Team in Italy, and they sell this to governments. It’s pretty amazing stuff that the software allows the person who buys it to hack, I think all major operating systems, and the new revelations about their attacks against mobile, against iOS, against Android, against Windows Mobile, and against Blackberry allowing them to remotely take over your phone, get all the data off it, turn the microphone on when you are making calls, when you are not making a call, have the camera snap pictures, and then send all that back.
This is for sale to governments. Hacking Team’s website says they only sell to good governments but we have evidence of it being used in Saudi Arabia, in Kazakhstan, in Ethiopia, in places you wouldn’t normally put on the list of good governments.
There’s a lot that’s going on. There are a lot of cyber weapons arms manufacturers. There have been some breaks in this partnership. Since Snowden in the United States we are seeing especially internet companies pushing back. Telephone companies have had decades of history of cooperating with NSA so when the NSA goes to AT&T in what? I think the year 2002 or so, and says we want to spy on the entire internet, and AT&T will say great, put yourself in that closet over there. Lock the door, and don’t tell anybody.
Google doesn’t have that level of familiarity, and companies like Google, and Facebook, and Apple, LinkedIn, Yahoo are pushing back more, much more against surveillance. Some have tried to fight it in court, some have tried to fight the gag orders. Some just demand payments to do it. We are seeing more examples of this.
On the other hand, we are seeing a lot more forceful demands from government to make systems open to surveillance. We know for example that the government forced Microsoft to make some changes in how Skype works to make it easier to perform surveillance. We don’t know the details of them.
We know they happened. We know the government tried to get the master encryption key from an email provider called Lavabit. Lavabit was a secure email provider that had a couple of hundred thousand users, which was fine except one of them was named Edward Snowden, which turned out to be bad. The FBI went to Lavabit, and said, we want to read this person’s email. Lavabit said, we don’t have the system to do that. Here’s an explanation of how. The FBI went back and said, well you can give us the entire master key to every one of your users, and that would do it.
Now Lavabit went to the court, and said, they can’t possibly be serious. That’s crazy. Court said do it. Lavabit responded by producing the master key printed out in 3 point type, court said, ha, ha. Not funny, and Lavabit closed down at that point.
An interesting story, the only reason that we know about it is that Ladar Levison ran Lavabit as a singular person, and he could do this kind of thing. He can perform a moral act in the face of a court order. It’s something Google could never do. There is no scenario where Google says, all right. I’ll shut Gmail down rather than comply. Never in a gazillion years would that happen. We don’t know where this is happening elsewhere. It’s unlikely this is the only case but it’s the only one we know about.
What’s going on here? As this advances, I think we are going to see more surveillance. There is a war against general purpose computing that’s coming. We saw it in the copyright wars, and the notion that people have general purpose computers that can do anything is very disturbing to lots of powerful corporations.
In the copyright wars it was computers that could play, or make copies of music, movies, videos, books that they hadn’t paid for, and lots of pressure to end physical security. Reasons, lots of reasons why this doesn’t work, open source software, computers can do anything. We saw lots of Draconian laws to try to enforce copyright, a lot of them enforced by surveillance.
I’ll spare you the history of the copyright wars but think of that as a precursor to a lot of things that are coming. Cory Doctorow writes about this. 3-D printers will make copyright wars look like child’s play, and it’s the same thing. I need a 3-D printer that will print anything except this list of prohibited objects. That list of objects will include things like guns, anatomically correct interchangeable Barbie torsos. There are places in this country where sex toys are illegal so it’s copyright items. It’s dangerous items. It’s all the … It’s really big deal things.
Lawmakers will demand that they be not permitted to print those things. We’ll get that same thing with bio printers whether it’ll be viruses like physical virus not computer virus, real ones that kill people. You’ll see that same thing in self-driving cars. The car has to not run any piece of software because then you can get, I don’t know, Knight Rider or something. It only has to run this approved list, or software defined radio. Right now, we have radio spectrum security by the fact the physical tuner doesn’t work on prohibited frequencies. That just fails in the world of software defined radio.
We are going to see a lot more surveillance, a lot more pushes to monitor everybody from governments because of these fears, and I think that’s becoming very dangerous.
What do we do here, and I’m writing a book on this, so, I’ve been thinking about solutions, and ways to move forward. It’s actually very hard. I have principles that I think about. First one is security and privacy. The notion of security versus privacy makes fundamentally no sense. That privacy is part of security, that we need both, and we have to figure out how to get both.
The second is sort of the generic framework for all solutions is transparency, oversight, and accountability. That the way we deal with giving in to these powers over us is being able to know what they are doing. Right, to have oversight over what they are doing, to give … To have them be accountable for what they are doing. A lot of the failures here both on the government secrecy side, and on the corporate side are failures of transparency, oversight and accountability. These are actually things the market will not fix in many cases.
Certainly, in government surveillance, knowing what’s going on, deciding whether it’s the right thing to do is the way forward. In general, we need more openness over secrecy. That when we have to decide we should err on the side of openness. We should look to reduce power imbalances. A lot of the abuses come from inherent power imbalances. Assuming imperfections in our systems, design systems for resilience, and less in the notion that there’s only one network here. One world, one network, one answer.
I’ll see this written in terms of us versus them. We have to spy because if we don’t the Chinese will. That’s very much of an arms argument. It’s us versus them, and it shouldn’t be them so it might as well be us. That doesn’t work when it’s all or nothing. We are not trying to decide whether the US gets to spy or whether China gets to spy. It’s either does everyone get to spy or does nobody get to spy. The vulnerabilities that we have in our systems enable surveillance by anybody. If we make our systems secure, we are secure from everybody’s surveillance. That’s a really important re-framing.
There’s a lot of details here. I could think of political solutions. I could think of legal solutions, technical solutions all of which do pieces, nice Patrick solution you can design but really in the end this is a social problem. This is what I want to end with.
Jack Goldsmith, law professor at Harvard. I was talking to him about this, and one thing he said was that if you ask for more Congressional oversight what you’ll get is a more permissive NSA. Which basically he is saying is as long as Congress is scared they’re not going to put limits on this. A major social change has to happen. We have to get over our fear. We need to … That’s on the government side.
On the corporate side, we need to value privacy. As long as we don’t value privacy and we happily tell Facebook everything about our lives because it’s convenient. Those two social changes bring about … We make those changes everything else is easy. You don’t make those changes everything else is impossible. There’s a fundamental issue here, and this will be my final, final point.
We have to figure out how to design systems that benefit society as a whole while at the same time protecting people individually. I think this is the fundamental issue of the information age. Our data has enormous value to us collectively and has enormous value to us individually. How do we extract both? Data in the group interest, data in self-interest. The societal benefits of big data, the individual risks of big data, and there are lots of manifestations of this problem.
Surveillance is just one of them. You could disagree with the efficacy, and I certainly do but the basic bargain you are being offered by the NSA is tell me everything, and I will keep you safe. That’s the bargain. The bargain in behavioral advertising is tell me everything and I will show you ads you actually want to see.
I think of the same question in medical data. There’s enormous value in taking all of our medical data, putting it in one giant database, and letting the researchers at it. It’s incredibly valuable to us as a species yet that data is incredibly personal. I know a researcher at Purdue whose name is Rey Junco. He does work on students, and on student study habits, and he uses surveillance to monitor students reading textbooks. I didn’t know this, that a lot of textbooks are now available online, and you can monitor students. How often they open the textbooks, what they read, how fast they read, what they highlight, what they go back and reread. You can take all that data, correlate it with grades, and figure out what is the effective way for students to engage with textbooks.
Junco has done that. He has produced a series of interventions, and tools, and tricks to help students study better, and learn better, really great research but incredibly invasive. He balances by having the students know they are part of an experiment, and really he doesn’t need everybody’s data. He just needs a sample but it’s the same deal.
Our movement data. When I got here my Uber used the Google directions, and we were able to see real time traffic data on how the roads were clogged. That data is surveillance data. That’s because everyone using Google Maps sends back to Google how fast they are going, and Google can give us very valuable information, right. Getting there faster, Google knows where you are at all times.
This is it. This is the question. We have to design systems to deal with both of those poles. Thank you very much.