Schneier: Internet has delivered a 'golden age of surveillance'

"Anonymisation of data is surprisingly difficult - it's really, really hard"

"Information is power" has been true for so long that it has become a cliché.

But the Internet has increased the power to collect, store and analyze information by such an order of magnitude that we are now in what Bruce Schneier called "the golden age of surveillance", in his keynote address at SOURCE Boston.

That would be golden for those doing the surveillance, not the subjects of it.

Schneier, author, security guru, blogger and CTO of Co3 Systems, said the expectation that the Internet would mainly empower the powerless - grassroots groups, hackers, minorities and other relatively fringe groups - did come true for a number of years. But governments around the world have now caught up, he said. And they are better prepared to use power than small, disparate groups.

"Technology magnifies power, but adoption rates are fundamentally different," he said. "The small and powerless are more nimble and quicker to adopt it. But, a decade later when the already powerful institutions discover it, they can make use of power more effectively."

He noted that social networking had helped make the Arab Spring possible, but more recently, in Syria, "the protesters used Facebook to organize, and then government used it to arrest them."

Data, the inevitable byproduct of computers, is nothing new. "But, as more of our human interactions become mediated by computers, that creates a fundamental change," he said. "I had an IM conversation this morning on the way over here, and it produced data -- both the conversation and the metadata about it."

What enables that fundamental change, he said, is that endless amounts of data are now "increasingly stored and searchable," which means "a lot that was thrown away, now can be saved. We're reaching the point where we're saving everything."

An example is his own email. "Starting in '06, searching it became cheaper than sorting it," he said. "And we're now there with all data, which is fundamentally surveillance data."

Reassurances from government officials that they are just collecting metadata, rather than listening to phone conversations or reading emails in real time, are a diversion, he said. "Metadata is far more intimate than our conversations. It shows where we go, our interests, our relationships -- it shows who we are," he said.

And, he added, it allows ubiquitous surveillance. "We'd never consent to the government telling us to carry a device that would let them track us 24/7, but we all carry cellphones," he said. "We'd never agree to government saying we have to tell them when we make a new friend, but we tell Facebook."

Schneier said he does not have a Google or Facebook account, but knows there is enough information about him online that, "if I sign up for Facebook, they will provide a reasonably accurate list of my friends."

Collection of data itself is not necessarily sinister, he said. In some cases, when commercial entities like Amazon pitch products to him based on what he has already bought, "I like it."

But the reality is that Internet users pay for "free" and convenient services with their data. "We are tenant farming for companies like Google," he said. "We are on their land producing data. It's all very seamless, but in exchange, you have to trust them with everything. Our email, contacts, etc. are no longer just on our computers -- they're on servers."

And that means, even after IMs disappear from his phone, "Apple has them forever."

It also means there are much more repressive uses of that data. "Government can tell if you attended a protest," through cellphone geolocation, he said. "You can map people as they move around city. You can track people moving together who turn off their geolocation, and then turn on later. They can even tell if one phone is turned off permanently, but then another one is turned on in similar location and used similarly."

It makes mass surveillance much cheaper and easier. While it would take five FBI agents to conduct human surveillance of a single car, technology enables the tracking of thousands of cars at far less expense. "Instead of, 'follow that car,' it's 'follow every car,'" he said.

All this, he said, points to the tension between the value of data and the privacy implications. "There is value in me telling Google where I am, because we get better traffic information," he said. "If you give the NSA all your data, they'll keep you safe from the bad guys. There is enormous social value in putting medical information in a database and letting researchers study it. But it's very personal information.

"And anonymisation of data is surprisingly difficult - it's really, really hard," he said.

One of the ways to achieve a balance between those competing interests, he said, is to demand, "more data privacy for individuals and more transparency from organisations that collect our data. We know when we give government power over us we need some way to know it's being used responsibly."

That, he said, "is the issue by which we will be judged when our grandkids read about the early days of the Internet. We are amazed today that our ancestors ignored pollution at the start of industrial age.

"They will ask if we realised the toxins and poisons in data collection. That is way bigger than what is happening with the NSA."
