Authors: Bruce Schneier
AID GOVERNMENT SURVEILLANCE
A call to help the government in its surveillance efforts might seem out of place
in this book, but hear me out.
There are legitimate needs for government surveillance, both law enforcement and intelligence
needs, and we should recognize that. More importantly, we need to support legitimate
surveillance, and work on ways for these groups to do what they need to do without
violating privacy, subverting security, and infringing upon citizens’ right to be
free of unreasonable suspicion and observation. If we can provide law enforcement
people with new ways to investigate crime, they’ll stop demanding that security be
subverted for their benefit.
Geopolitical conflicts aren’t going away, and foreign intelligence is a singular tool
to navigate these incidents. As I write this in the late summer of 2014, Russia is
amassing forces against Ukraine, China is bullying Japan and Korea in the South China
Sea, Uighur terrorists are killing Han Chinese, Israel is attacking Gaza, Qatar and
Turkey are helping Gaza defend itself, Afghanistan is a chaotic mess, Libya is in
decline, Egypt is back to a dictatorship, Iran’s nuclear program might be resuming,
Ebola is sweeping West Africa, North Korea is testing new missiles, Syria is killing
its own people, and much of Iraq is controlled by a nominally Islamic extremist organization
known as ISIS. And this is just the stuff that makes the news. When you read this
book, the list will be different but no less serious. I assure you that no one in
the White House is calling for the NSA to minimize collection of data on these and
similar threats. Nor should they.
Additionally, governments around the world have a pervasive fear of cyberattack. A
lot of this is overreaction, but there are real risks. And cyberdefense is mired in
a classic collective action problem. Most of the infrastructure of cyberspace is in
private hands, but most of the harm of a major cyberattack will be felt by the population
as a whole. This means that it’s not going to work long-term to trust the companies
that control our infrastructure to adequately protect that infrastructure. Some sort
of government involvement is necessary. In 2013, NSA director General Keith Alexander
said, “I can’t defend the country until I’m into all the networks.” That’s the prevailing
view in Washington.
Yes, we need to figure out how much we want the NSA in all of our networks. But we
also need to help the NSA not want to get into all of our networks. If we can give
governments new ways to collect data on hostile nations, terrorist groups, and global
criminal elements, they’ll have less need to go to the extreme measures I’ve detailed
in this book. This is a genuine call for new ideas, new tools, and new techniques.
Honestly, I don’t know what the solutions will look like. There’s a middle road, and
it’s up to us to find it.
This isn’t a task for everyone. It’s something for industry, academia, and those of
us who understand and work with the technologies. But it’s an important task, and
not one that either the intelligence or the law enforcement communities will do for
us. If we want organizations like the NSA to protect our privacy, we’re going to have
to give them new ways to perform their intelligence jobs.
CHOOSE YOUR ALLIES AND ENEMIES
Our laws are based on geographical location. For most of human history, this made
a lot of sense. It makes less sense when it comes to the Internet; the Internet is
just too international.
You’re obviously subject to the legal rules of the country you live in, but when you’re
online, things get more complicated. You’re going to be affected by the rules of the
country your hardware manufacturer lives in, the rules of the country your software
vendor lives in, and the rules of the country your online cloud application provider
lives in. You’re going to be affected by the rules of the country where your data
resides, and the rules of
whatever countries your data passes through as it moves around the Internet.
The PATRIOT Act, for example, compels US companies to turn data over to the US government
when asked, no matter where it is stored. You might be a French citizen living in
France, and Microsoft might store your e-mail solely on servers in Ireland. But because
Microsoft is a US company, the US maintains that it is compelled to produce your data
on demand. The UK wants similar access.
This means you have to decide: which countries do you trust with your data, and which
companies do you trust with your data?
Corporations are not all equally bad. You can get your e-mail, calendar, and address
book from either Google or Apple. They will both protect your data from bulk government
collection, but will give your data to many of the world’s governments when legally
compelled. Google is embarking on a major project to improve the security of its users
against government surveillance. But Google is in the business of collecting your
data and using it for advertising, whereas Apple’s business model protects its customers’
privacy.
Do you trust a company in the US that is unfettered in what it can do with your data
and is also subject to NSA and FBI legal requests? Or do you trust a company in Europe
that is tightly regulated by the government with regard to corporate surveillance,
but is also subject to unfettered surveillance by both its own government and that
of the US, and whose use means your data crosses international borders? If you don’t
buy networking equipment from Cisco because you are concerned about NSA backdoors,
whom will you buy it from? Huawei? Remember my feudal analogy from Chapter 4; which
lord do you trust more?
It is hard to know where to start. In today’s cloud computing world, we often have
no idea which companies actually host our data. An Internet company like Orbitz might
host its infrastructure on a provider like Atlassian, which in turn hosts its infrastructure
on a provider like Rackspace. Do you have any idea where your Orbitz data actually
is?
We need to be able to know where our data is stored, and to specify which countries
we want our data stored in, and which countries we want our data never to go near.
In the meantime, we have to do the best we can. And recognize that in most cases we
simply don’t know.
But when it comes to governments, unhappy as I am to say it, I would rather be eavesdropped
on by the US government than by many other regimes.
AGITATE FOR POLITICAL CHANGE
In 2014, the European Court of Justice struck down the EU’s data retention rules,
which required service providers to save e-mail and information about phone calls
for two years. In response, the UK government rushed through a new law that reinstated
the data retention requirement and also gave the police new surveillance powers over
its citizens. It was an ugly political railroad job, but what’s interesting is how
Prime Minister David Cameron justified the law on a radio program: “I am simply not
prepared to be a prime minister who has to address the people after a terrorist incident
and explain that I could have done more to prevent it.”
That’s fear talking, but it’s not fear of terrorists. It’s political fear of being
blamed when there’s a terrorist attack. The career politician wants to do everything
possible, regardless of the cost, regardless of whether it actually makes anyone safer,
regardless of the side effects, to avoid blame for not having done enough. This fear
explains most post-9/11 anti-terrorism policy, and much of the NSA’s mass-surveillance
programs. Our politicians are scared that we’ll blame them because they didn’t do
everything the intelligence agencies said they could have done to prevent further
terrorism.
We have to convince them—and our fellow voters—that they should do the right thing
anyway.
Most of the solutions offered in the preceding two chapters require the government
to either enforce existing laws or change the law. By and large, neither of these
things will happen unless we demand them. Politicians are reluctant to engage in these
debates, and even more reluctant to enact meaningful constraints on government surveillance.
Legislatures are naturally deferential to law enforcement demands, and the vast surveillance-industrial
complex employs a powerful lobbying force to back them up. No one wants to be painted
as being soft on crime or terrorism. And today, when US intelligence agencies are
caught breaking the law, the only ones threatened with jail time are the whistleblowers.
On the corporate side, throngs of lobbyists are doing their best to ensure
that there’s no meaningful reform of corporate surveillance. Free markets are held
up as a justification to continue to do nothing. And the police and the national security
apparatus are also pushing to ensure that all of our data remains available to them
for their own use.
If we want our legislators to vote against the powerful interests of the military,
law enforcement, and lobbyist-laden corporations (both the ones that supply the government
and the ones that spy on us directly), we’re going to have to make ourselves even
more powerful. And that means we have to engage in the political process. I have three
specific recommendations here.
Notice Surveillance.
This is the first step. Lots of surveillance is hidden, but not completely invisible.
The cameras might be small, but you can still see most of them if you look. You can
notice when someone scans your ID when you enter a bar. You can install a browser
plug-in and see who’s tracking you online. You can pay attention to news stories about
surveillance. There are online sites that identify surveillance cameras. The more
you know, the more you’ll understand what’s going on.
Talk about Surveillance.
This is the next step. The more we talk about it, the more people realize what’s
going on. And the more they realize what’s going on, the more they’re going to care
about it. And the more we talk about it publicly, the more our elected representatives
will realize that we care about it.
I mean this very generally. Talk about surveillance with your family, friends, and
colleagues. Don’t be one of those annoying people who never posts about anything else,
but share interesting news stories on social media. Attend rallies and sign petitions.
Write to your elected representatives. Give copies of this book to all your friends
as gifts. Make your opinions known. This is important.
Talk about the laws in your country. What kinds of government surveillance are legal
in your country? How are your country’s businesses complicit in this, and what sorts
of surveillance are legal for them to conduct? What rights do people have to use privacy
enhancing technologies? Find out.
One of the most surreal aspects of the NSA stories based on the Snowden documents
is how they made even the most paranoid conspiracy theorists seem like paragons of
reason and common sense. It’s easy to forget
the details and fall back into complacency; only continued discussion of the details
can prevent this.
Organize Politically.
This is our most effective strategy. There are many good recent examples of people
organizing against surveillance: South Korean teachers objecting to new student databases,
German consumers opposing RFID-enabled shopping carts, Facebook users objecting to
new terms of service, US airline travelers objecting to airport full-body scanners.
The campaigns are not always successful and the outcomes are imperfect, but the significance
of collective action can’t be overstated. We need to see these problems as common
to us all, and the solutions as general.
This isn’t a book about political organizing, and there are far better people than
me at advising how to agitate for political change. I do know that politics isn’t
just something that happens at election times. It’s a continual process that involves
engaging with legislators, protesting in public, and supporting relevant nonprofit
groups. Look at the Electronic Frontier Foundation, the Electronic Privacy Information
Center, the Center for Democracy and Technology, Privacy International, the Open Technology
Institute, and others. They’re all fighting for more privacy and less surveillance.
Help them.
There’s nothing we can do about much of the world, of course, but we can push for
change where we can. And then we can slowly move outwards. It’s how worldwide change
happens.
DON’T GIVE UP
Fatalism is the enemy of change. Fatalism as in: governments and large corporations
are both all-powerful, and the majority of politicians have no desire to restrain
either of them, so there’s nothing we can do to change things. And fatalism as in:
mass surveillance is so ubiquitous that there’s nothing we can do to resist it, and
resistance only makes us more interesting to them anyway.
The assertions have some truth to them, but the conclusions are false. Good computer
security and pervasive encryption make mass surveillance difficult. Choosing companies
to do business with on the basis of their privacy policies makes companies more likely
to have good privacy policies. Political organization is effective. Our infatuation
with big data and our irrational fear
of terrorism will both wane over time. Laws will eventually constrain both government
and corporate power on the Internet.
The policy shifts I advise are major, and they’re going to take work. Every major
policy shift in history looked futile in the beginning. That’s just the way of it.
We need to fight for political change, and we need to keep fighting until we prevail.
And until then, there are lots of little battles we can win along the way.
There is strength in numbers, and if the public outcry grows, governments and corporations
will be forced to respond. We are trying to prevent an authoritarian government like
the one portrayed in Orwell’s
Nineteen Eighty-Four
, and a corporate-ruled state like the ones portrayed in countless dystopian cyberpunk
science fiction novels. We are nowhere near either of those endpoints, but the train
is moving in both those directions, and we need to apply the brakes.