Bruce Schneier wants to make surveillance costly again

At the USENIX conference, security expert Bruce Schneier urged the technical audience to make government eavesdropping more difficult

The ongoing revelations of governmental electronic spying point to a problem larger than National Security Agency malfeasance, or even of security weaknesses. Rather the controversy arising from Edward Snowden's leaked documents suggest we face unresolved issues around data ownership, argued security expert Bruce Schneier.

"Fundamentally, this is a debate about data sharing, about surveillance as a business model, about the dichotomy of the societal benefits of big data versus the individual risks of personal data," Schneier told attendees of the Usenix LISA (Large Installation System Administration Conference), being held in Washington this week.

"We might not buy [it], but the basic NSA argument is 'You must give us your data because it is keeping you safe.'"

Schneier has been an outspoken critic of the NSA since Snowden, a former NSA contractor, first leaked documents showing the many ways in which the intelligence agency had tapped into the Internet and data centers to collect data en masse about people's activities.

"The NSA has turned the Internet into a giant surveillance platform," Schneier said via Skype.

But for most of his talk, Schneier urged the audience to think beyond the present controversy of the NSA, and think about ways we generate data, and the ways large companies make money from such information.

What the NSA leaks show is that "we have made surveillance too cheap. We have to make surveillance expensive again," Schneier said. "The goal should be to force the NSA , and all similar adversaries, to abandon wholesale collection in favor of targeted collection."

Such costs of making our personal data available are easy to ignore. Schneier admitted to using the Google service Waze, which collects travel data from all of its users to show alerts of traffic jams. Users of the service freely give up data about their locations in exchange for the potentially valuable knowledge of which roads to avoid.

The chief business model of the Internet has been surveillance, Schneier noted, though it's companies such as Google and Facebook that are collecting data on our activities, rather than secretive government agencies. Schneier noted that because the cost of computing and storage continues to plummet, it is easier for most people and organizations not only to create a lot of data but also to keep all of the data that is being generated.

This business model, however, makes it very relatively easy for the NSA, or any adequately government sponsored intelligence agency, to tap into such data sources.

"How do we design systems that benefit society as a whole, while protecting individuals? This is the problem we must solve," Schneier said.

The way to thwart such invasions of privacy is to raise the cost of collecting data en masse, he argued. In some ways, the Snowden documents have already started this process. Fear of NSA snooping has already soured some European companies from using U.S. cloud services, which, in turn, have started putting pressure on Congressional representatives to reign in NSA. Schneier noted that Google has become one of the top lobbyists in Washington D.C.

It is now become more expensive, in terms of public relations, for technology companies to cooperate too readily with the NSA. "It used to be there was no cost to cooperating with the NSA. Now there is," he said.

Better use of encryption is another way to keep surveillance in check, Schneier noted. "The more we enable encryption, the safer everyone is," he said. The heavily encrypted Tor network, for instance, has been immune to eavesdropping, to much to the NSA's annoyance.

Schneier did speculate as to what, if any, methods that the NSA might have to break today's encryption algorithms. The vast number of mathematicians the NSA has hired suggests that the agency could be a few years ahead of academic researchers in terms of finding flaws in these algorithms. He also noted that, despite the use of encryption, the communication endpoints of most communication systems are not very secure, giving the NSA easier access to data. Still, these advantages help more in personal targeting, rather than in information collection across an entire population.

Getting people interested in issues of privacy can be a challenge, even after the NSA revelations, Schneier admitted. At the end of the presentation, one attendee asked how Schneier would respond to someone claiming not to be bothered by government snooping because he or she did not have anything to hide.

Schneier suggested asking that person what his or her salary is. Or to ask about details of sexual fantasies.

"You could remind them that Google knows the sexual fantasies of everyone in the room. That is quite creepy," he said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionGovernment use of ITNational Security Agencysecurityencryptiongovernmentdata protectionprivacy

More about FacebookGoogleIDGNational Security AgencyNSASkype

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place