As author of a dozen books plus hundreds of shorter works on security and privacy, security technologist Bruce Schneier, Chief Technology Officer of Resilient Systems, is one of the better known -- and frequently quoted -- experts in these areas. His "Schneier on Security" blog and Crypto-Gram monthly newsletter are read by an estimated quarter-million people. You can follow him on Twitter @schneierblog.
Schneier's most recent book -- a New York Times bestseller -- is "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World", which, Schneier said in his blog, "is a book about surveillance, both government and corporate. It's an exploration in three parts: what's happening, why it matters, and what to do about it."
I recently interviewed Mr. Schneier for this blog, by email.
DERN: What led you to write DATA & GOLIATH?
SCHNEIER: I was thinking about the relationship of data and power: how the powerful use data against the powerless, and how the powerless can use data to even the score. This led me to think about how data is collected and used, which naturally led to surveillance.
I was also thinking about the benefits of big data, and -- more generally -- all of our data in one place. Balancing these benefits with the risks of giving away our personal data is one of the most important issues of the information age, and it's something I wanted to explore.
DERN: What can companies do? Where do they start? Is it doable, or a lost cause?
SCHNEIER: That's too general a question.
Against government surveillance, companies need to fight back to the full extent the law allows. They need to fight back, and -- more importantly -- they need to fight back legally.
Against corporate surveillance, they need to pay attention to the data they're giving away.
Against their own tendencies to collect data on their customers and users: they need to think about the potential liabilities that come from having all of this data.
Against hackers and cybercriminals: they need good cybersecurity.
DERN: What are one or two easy-enough things that non-tech individuals can/should do? Should we be investing in RFID blockers for our credit cards, passports, smartphones, etc?
SCHNEIER: Encrypt your computer and smartphone. Use privacy tools with your browser, like HTTPS Everywhere and AdBlock. Pay attention to what data you're giving away. That's about it.
The problem with this advice is that it's all around the edges.
We give our data to third parties all the time. Our email is stored at Google. Our cellphone tracks our location whenever it is on. We make purchases with credit cards. We chat with our friends on Facebook. These companies all use this data for surveillance purposes, and the government routinely gets itself a copy of a lot of it. We can't secure that data -- it's not under our control.
I could recommend that people not carry cell phones, not have an email address, or not be on Facebook, but that would be dumb. These are essential tools for living a complete life in these early decades of the 21st century.
This is why the real solutions are political.
So if there are two things I could have every individual do, it's to observe surveillance when it happens, and to talk about it. For this to become an issue in the next election, we need to make it an issue. And this is how we do it.
DERN: What's your favorite computer security-related movie or TV episode? (not necessarily because of accuracy or inaccuracy)
SCHNEIER: I rarely watch TV or go to movies. I know this makes me a freak, but also highly productive. So I'm not up on the various abominations that pass for computer-security plot devices. I have heard a lot about CSI: Cyber, though. This means that my favorites are old: Sneakers, WarGames.
I do read books, and can recommend two. The first is a pair of novels by Reece Hirsch: "The Insider" and "The Adversary." The second is, believe it or not, "The Sting of the Drone" by Richard Clarke. It's actually a very powerful argument against drone warfare.
DERN: If you could make one change to the data environment -- technical, legal/regulatory, etc -- to improve data privacy, what would it be?
SCHNEIER: Comprehensive data privacy laws that protect us against both government and corporate surveillance. It's a big change, and will upend a lot of things, but it's the only thing that will protect us in the end. Pass strong laws, and technology to enforce those laws will follow. It's the only way. And I believe this will happen. Probably not this decade, but certainly in the next.
DERN: Thank you.