Book Review: Data And Goliath By Bruce Schneier

Posted by: Jon Southurst

March 11, 2015

Ubiquitous surveillance offends our humanity and makes us less secure, but all is not lost… yet.

Security and cryptography guru Bruce Schneier warns us, in his newly released book Data and Goliath, of the many consequences of the data trails our lives leave, but one is particularly alarming:

In many parts of the world, your metadata can actually get you killed, without anyone knowing (or needing to know) your actual identity.

Over 50% of all drone kills by US operations in Pakistan in the period 2009-10 were so-called ‘signature strikes’ – that is, the targets were never selected or identified by name, but by metadata that detailed patterns of behavior. This included apparent ages and genders, their location, and what the targets ‘appeared to be doing’.

Information on how accurate those data patterns are in targeting actual threats, the book notes, is not readily available.

It would be alarmist to suggest metadata-based drone strikes are coming to a developed-world neighborhood near you soon. But the fact they occur at all suggests we should all be conscious of the data we produce, and the fact it will likely be on record indefinitely as storage capacity costs become negligible.

Schneier also asks us to imagine how this data may potentially be used–not just in the present, but years into the future where we cannot predict what laws or even authorities will rule our lives.

Educating the masses on total surveillance culture

Schneier said his goal in writing Data and Goliath was to make ‘ordinary’ people aware of how they produced such reams of data simply by going about their daily business, and how it could potentially be used by governments, corporations, and an “unholy alliance” between the two.

Whistleblower Edward Snowden referred to the book in his recent AMA session on Reddit. Schneier had previously assisted journalists Glenn Greenwald and Laura Poitras in sorting through the wealth of information Snowden lifted from the NSA before fleeing to Hong Kong and then Russia.

A long-term major figure on the security and cryptography scene, Schneier has said he wants this book to take his ideas to a more mainstream audience. Some revelations, such as drone signature strikes and the usefulness of metadata, may sound old-hat to regular tech and security readers, yet the general public remains mostly ignorant of the details.

This, Schneier suggests, is dangerous. Even now that people are aware their data is being recorded, they do not understand how it is being used–in or against their interests.

He argues that the problem gets worse when we understand that such data-collecting does little to keep us secure–and may actually leave us less so.

Unfair deal

In using modern communications technology you are making a pact with its creators, Schneier writes, and that pact is an unequal one. You have no say in what data is collected or what is done with it.

“Data is the exhaust of the information age.”

You produce it with cell location and GPS use, credit cards and store loyalty points, mobile apps, social networks, word processors, web browsing, driving your car and simply walking around. It is collected, analyzed and stored by automated processes that often obviate any need for active monitoring by humans.

“We tolerate a level of electronic surveillance online that we would never tolerate in the physical world, because it’s not obvious or advertised.”

Or it’s made fun of. Jokes about President Obama listening to your phone calls are often counter-productive to the debate, as a glib and inaccurate portrayal of how modern surveillance is done. ‘Data correlation’ and pattern recognizing algorithms can paint a disturbingly accurate portrait of your life, your interests, work, illnesses and weaknesses. It can also be trivial to identify you as an individual.

This is coupled with a certain set of people in society who don’t seem to see anything wrong with tracking everyone all the time, even to the point of photographing high school students in their bedrooms (like the Lower Merion School District near Philadelphia did in 2009), to produce a chilling vision of the future.

Schneier lays out the specific legal basis for most surveillance today. Emboldened by broad interpretations of section 215 of 2001’s USA PATRIOT Act and section 702 of 2008’s Foreign Intelligence Surveillance Act (FISA) Amendment Act, in addition to Ronald Reagan’s Executive Order 12333, intelligence services are vacuuming up an increasing amount of data on our lives and behavior.

Given the clandestine nature of surveillance and the fact its extent has only been discussed after Snowden’s revelations and numerous other leaks, readers of Data and Goliath might wonder if law has any impact at all on security agency and law enforcement surveillance–or whether they are pushing the boundaries and then some with the technology available.

Protections under US law are little comfort to the majority of the world’s population who are not US citizens and thus are considered fair game. Laws have also done little to curtail massive surveillance by private corporations.

“Save everything you can, and someday you’ll be able to figure out some use for it all.”

The length of time your data is saved is more a matter of storage capacity than respect for your privacy. The NSA, through targeted searches and “hop searches” of its targets’ contacts-of-contacts, had 117,675 “active surveillance targets” on just ONE DAY in 2013.

If you’ve ever searched for information on internet privacy or anonymity tools, Schneier writes, your data is more likely to be retained. If you actually use encryption, your data is collected and stored indefinitely, in case it becomes crackable and somehow relevant in future.

One can’t help but wonder if the mere act of buying this book will raise a red flag somewhere. Or reading this review, on this site.

By now, most are aware or at least suspect their activity online is recorded and stored, at the very least. This knowledge, he says, undermines our very being.

“Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect. It is about choice, and having the power to control how you present yourself to the world.”

It’s for our own good, right?

But should we worry? Is ubiquitous surveillance making us any more secure than we would be otherwise?

Schneier is adamant it does not. With a wealth of post-9/11 surveillance data at their disposal and suspects on watch lists, authorities were not able to prevent spectacular events like the Boston Marathon Bombing of 2013.

The terrorist attacks that governments like to tell us necessitate increased privacy intrusions are simply too rare to fit any pattern, leading to a majority of false-positives and idiotic law enforcement actions, such as the deportation of Irish tourist Leigh Van Bryan for tweeting he was about to “destroy America”–by partying.

Suspicious Activity Reports (SARs) produce “tens of thousands” of records, and no actual results. If there’s any signal at all, it’s drowned out by the noise.

Broad definitions of concepts like ‘terrorism’ and ‘weapons of mass destruction’ have led to harassment of activists and journalists, and often to self-censorship where topics relevant to a functioning society, or criticism of government agencies, are avoided completely.

Too-perfect law enforcement

“Without deviation from the norm, progress is not possible” – Frank Zappa

Imagine a world, Schneier says, with perfect law enforcement. No-one would ever have the chance to challenge an unjust law. Laws concerning homosexuality, drugs, and racial segregation would never have been tested for fairness.

Without real terrorists to catch, law enforcement has turned to political activists, religious figures and minor offenders instead. Information has been abused by authorities and used to entice and trap suspects, or stalk ex-partners. Abusers are rarely penalized.

“Complexity is the worst enemy of security, and our systems are getting more complex all the time.”

Then there is the “collateral damage” to the economy and security through subversion of security and encryption standards, and economic damage once large clients begin to avoid using US products and services, with an estimated $22-35bn loss of revenue for US companies over the past three years as a result.

Solve the problem, or give up?

Reading through Schneier’s examples is enough to make anyone’s head spin, so the third part of Data and Goliath is devoted to what he recommends should, and can, be done.

This may lead some readers to further despair as Schneier recommends a series of fundamental policy and legal shifts for corporations and governments that even he admits are unlikely to occur in the current political climate. So far, these organizations’ actions seem bound only by what their technology allows.

Some of Schneier’s intellectual recommendations for change, however worthy, will likely prompt eye-rolling among readers familiar with most of the issues, or living under governments that have long squandered their people’s trust.

He reminds us, however, that the struggle is not impossible. The Magna Carta has shown since 1215 that even absolute monarchs can be turned into governments by and for the people if there is enough will, even if it takes centuries.

Technology may save us from itself

For those not willing to wait centuries, the book offers some shorter-term hope. For starters, as surveillance technology improves, so do technologies to thwart it, like encrypted messaging. It’s a cat-and-mouse game, but at least there are two sides playing.

One hope for the future is that the very technology used to surveil us can also help us. Institutional secrets themselves are less secure, thanks to millions of people with clearance to view them and the technology to reproduce them. It was digital technology that helped whistleblowers like Snowden and Chelsea Manning smuggle out extraordinary amounts of information, compared to the months Daniel Ellsberg spent manually photocopying the far smaller collection of documents that became the Pentagon Papers.

It’s surprising and/or refreshing to see Schneier add a list of methods to “distort” or “break” surveillance to his more rational policy recommendations. While noting that acts of vandalism are illegal, he mentions dressing in drag to foil recognition software, severing the wires of automatic road speed traps, spray painting the lenses of security cameras, and hackers poisoning or deleting surveillance databases.

Ignorance is bliss

The total surveillance society has crept up on us, despite years of warnings, with its two-pronged attack of security promises and the friendly face of internet services.

Society breathed a sigh of relief when the year 1984 passed without the world having descended into a squalid totalitarian hellhole, not realizing the year was an arbitrary number and a panopticon world was still possible even without starvation, party rallies, and two-way telescreens.

While Winston and Julia had the Thought Police and Newspeak to keep them in check, they didn’t carry GPS-enabled smartphones or voluntarily contribute to their own doom with Facebook likes. These days their train ticket to the countryside would betray them as readily as the man renting them his spare room.

As Data and Goliath points out repeatedly, the main threat of today’s surveillance culture is our acceptance of it, or our willing ignorance of it. And that alone should tell you to buy a few extra copies to hand out to friends and family.

Released 2nd March 2015 – 400 pages

Review by Jon Southurst

Updated: 2015-03-11