Bruce Schneier on bridging the gap between policy and tech
by Michael Fey
Last week on Random But Memorable, renowned security technologist Bruce Schneier joined me to discuss surveillance capitalism and internet security policy. Read the interview, or listen to the full podcast.
Michael: Bruce, you don’t need an introduction, but I’m going to give you the opportunity to give one anyway. Welcome to the show.
Bruce: Hi. People might not know that I now teach internet security policy at the Harvard Kennedy School. I’m trying to teach a little bit of tech to policy students, and internet policy to techies. I’m trying to bridge the gap between policy and tech. Our serious problems are how do we govern tech, and what is the governance of tech. We need people who can speak both languages.
Michael: So often these days we have rules and laws being put in place that aren’t necessarily based in reality or practical matter.
Bruce: Did you watch the Facebook hearings? If legislators ask questions like “How does Facebook make money?” we’re not going to get good internet security policy.
Michael: It seems like every company these days is creating and selling data and metadata about us. Then other companies are buying it up, or it’s being made public through accidental breaches. Do you think this notion of companies trading and being careless with our data makes us more careless as consumers?
Bruce: Shoshana Zuboff calls this “surveillance capitalism.” It’s a new way businesses are monetizing information about us. It’s both the companies that do it as a primary revenue source – the Facebooks and Googles – and all the other companies that sell you appliances, toys, and other services. They realize they have a data revenue stream. It is everywhere. It seems like the new form of capitalism.
I’m not sure it makes us more careless. I think a lot of us are resigned to it. Companies go out of their way to make it not salient, so we don’t think about it. Certainly, when we think about it, we’re concerned. It seems like from surveys, it’s less that we care less or are careless. It’s that we think it’s inevitable and don’t see viable alternatives.
If I tell people, “If you want to protect your privacy, you should not have an email address, carry a cell phone, or use a credit card,” that’s fundamentally dumb advice. You can’t live in a 21st-century, first-world country without engaging with those technologies. So people are deleting their Facebook accounts more and more, but a lot of people need to be on Facebook for socialization. A lot of people are resigned to it. That’s where I look at government as the missing link, because it’s not going to be consumer rebellions that change surveillance capitalism. It’ll be rules and laws.
Michael: I don’t think people deleting their Facebook accounts in 2019 is necessarily going to hurt Facebook’s bottom line.
Bruce: Especially if they use Instagram instead.
Michael: I would think most people don’t even realize that Instagram is owned by Facebook.
Bruce: Facebook doesn’t keep it a secret, but they don’t advertise it. I think they’re playing that game.
Michael: Do you think it’s possible to opt out of this type of life?
Bruce: You can build a cabin in the woods, be off the grid, and not have any communications. It’s possible. It’s just not reasonable to expect.
If you were interviewing me five or ten years ago, we would talk about protecting your data on your computer, and how you could have better security. But now our data isn’t even on our computers. Our mail is on Google’s computers. Our photos are on someone else’s site. When these security breaches happen, they don’t happen to us. They happen to companies like Marriott, and our information is lost or stolen, and there’s nothing we can do about it.
Even if you try to opt out, your data is not under your control anymore. That makes it even harder. My email is not on Google’s servers, but probably about half of my email is, because everybody else’s email is on Google’s servers. So here I am opting out from Gmail, but I’m not really opting out because I can’t.
Michael: And we’re beyond opting out of social media. You can not be on Twitter, Facebook, or Instagram, but these breaches go well beyond that data that you would voluntarily share.
Bruce: Social media is really how we interact with our colleagues. I am not on Facebook, and I notice the lapse socially. I occasionally find businesses that don’t have a website – just a Facebook page. There is a cost for not being on these platforms. Sometimes you’re willing to pay it, and sometimes you’re not.
Michael: If you look at 1Password, we handle people’s data like nuclear waste. We limit who touches it, and we only ask for what we need. We treat our customers’ data with as much care as humanly possible. But this is not the trend.
Bruce: No, because it’s expensive. Password management is inherently, “We want to be more secure because it’s the thing that secures other things.” But you move to other data, and you’re not going to make those kinds of tradeoffs.
You can go further. I have a password manager, and I deliberately don’t let anybody put anything in the cloud ever. But I’m sacrificing a feature, because if your data is in the cloud, you can sync over different devices. We’re all making these tradeoffs of usability versus security.
Michael: Where do you draw that distinction?
Bruce: You draw it where you make it. A typical business is going to draw the line where it makes financial sense. Let’s use your typical retailer as an example. If they are not going to lose customers because of bad security, they’re not going to worry about it too much.
Yahoo is pretty famous for skimping on security because it didn’t matter to them financially, but if you look at a program that advertises security, it’s going to be more of a reputational thing. For a bank, security is going to be money. They’re going to spend more to protect the money they would lose otherwise. Everybody is making their tradeoffs based on usability, profits, and regulations.
Michael: Do you think there’s a way to set a new baseline in people’s mindsets for what security should be when it comes to handling personal data?
Bruce: Maybe, but it’s pretty opaque. You could call Facebook and ask, “How do you handle my data,” and they’re not going to tell you. None of these companies will, because they don’t want to make that public.
I don’t see a consumer-led push to increase security, just like you don’t have consumer-led pushes to increase safety in pretty much anything. It is a government-led push because that’s where you have the information to make intelligent decisions that ratchet up safety. I think you might have a generic, “We want more security for our data,” that will lead to government regulation. We saw that in Europe with GDPR. The government set the rules because there was the political will to do that.
Michael: You can debate the merits of having government involved in setting those types of laws.
Bruce: You can, but I’m not sure what the alternative is. The alternative is nothing. The alternative is what we have today in the U.S. – an absolute free for all.
Michael: What do you think are some of the best ways to improve password habits?
Bruce: We know that people are terrible at choosing passwords. We’re at the point where pretty much anything you can remember can be hacked, so we want people to choose unmemorable passwords. I think a password manager is essential because we need some system that will remember them for you.
There is also a system for choosing unbreakable passwords that you can remember. Basically, I tell people to craft a sentence and use it as a way to generate the password. Take the first letter of every word, and then add some number and letter substitutions, extra punctuation, or weird capitalization. You remember the sentence – it’s something memorable from your life that’s personal. I suggest a sentence that you’d be embarrassed to write down, because they are easier to remember, and you’re less likely to write it down. Then you remember the production rule of how to turn that sentence into the password. Use that for high-value passwords, like the password for your password manager.
Also, turn on two-factor authentication whenever you can and it matters. Anything where there’s money, your reputation, or personal information involved, you want to turn those features on.
Michael: One last thing to wrap it up here. What do you think we need to see as a societal change in regards to security or privacy? What’s something you’re hoping we see in our lifetime?
Bruce: The thing that is missing for security and privacy writ large, whether it’s our data privacy, internet of things security, or our national cybersecurity, is the involvement of government. That is who has abdicated their role. This will only work if everybody is working together, pushing against each other to figure out optimal strategies. We have corporations running the show, so it’s optimized for profit and not security. If you want to fix that, you have to bring government back.
I think it’s inevitable. Governments regulate dangerous things. Once the internet starts killing people, government will be involved, but it really shouldn’t take that. We’re starting to see some movement in that direction, most notably in Europe, but the U.S. is so anti-government involvement that we are hurting ourselves and producing very suboptimal solutions.
Michael: And that brings us back to where we started, which is your efforts to educate future policymakers.
Bruce: And to convince technologists to become part of policy. It’s not just a matter of making sure legislators and regulators understand tech. It’s getting people who do understand tech to take a couple of years in their career and work on policy, advise, speak, or write. There are lots of ways we can engage, and we’re just not doing it.
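The sentence-to-password “production rule” Bruce describes earlier in the interview is easy to state but easy to apply inconsistently, which is the point where people lose access to a password manager. The following Python is an added example, not code from the interview, from 1Password, or from Bruce Schneier: it fixes one concrete instance of such a rule (first letters, a bounded number of character substitutions, capitalization at fixed positions, a trailing punctuation mark) so that the same sentence always yields the same password. The substitution table, the limit of two substitutions, the every-third-character capitalization and the `!` suffix are assumptions chosen for this example; the sample sentence is constructed here, and nobody should reuse it.

```python
import re

# Substitution table: an assumption of this example, not part of the interview.
# It is applied to the collected initials, left to right, at most `max_subs` times.
DEFAULT_SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Minimum number of words before the result is considered usable for a
# high-value password (threshold chosen for this example).
MIN_WORDS = 12


def sentence_to_password(sentence, substitutions=None, max_subs=2,
                         capitalize_every=3, suffix="!"):
    """Derive a password from a memorable sentence with a fixed production rule.

    Rule (one concrete instance of the scheme described in the interview):
      1. take the first character of every word (digits are kept as-is);
      2. replace at most `max_subs` of those characters using `substitutions`,
         scanning left to right;
      3. upper-case every `capitalize_every`-th character;
      4. append `suffix` as extra punctuation.
    Every step is deterministic, so re-deriving the password from the sentence
    always gives the same result.
    """
    if substitutions is None:
        substitutions = DEFAULT_SUBSTITUTIONS
    # Words are runs of letters, digits and apostrophes, so "neighbor's" is one word.
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    if not words:
        raise ValueError("sentence contains no words")

    # Step 1: initials, lower-cased so capitalization comes only from step 3.
    chars = [w[0].lower() for w in words]

    # Step 2: bounded substitutions keep most of the letter structure intact.
    subs_done = 0
    for idx, ch in enumerate(chars):
        if subs_done < max_subs and ch in substitutions:
            chars[idx] = substitutions[ch]
            subs_done += 1

    # Step 3: "weird capitalization" at fixed positions (every n-th character).
    for idx in range(capitalize_every - 1, len(chars), capitalize_every):
        chars[idx] = chars[idx].upper()

    # Step 4: extra punctuation.
    return "".join(chars) + suffix


def is_long_enough(sentence):
    """True when the sentence has at least MIN_WORDS words, i.e. the derived
    password will have at least MIN_WORDS + len(suffix) characters."""
    return len(re.findall(r"[A-Za-z0-9']+", sentence)) >= MIN_WORDS


if __name__ == "__main__":
    # Constructed sample sentence for demonstration only; do not reuse it.
    sample = "My first dog Rex ate the neighbor's tulips in May 1999 and never got caught"
    print(sentence_to_password(sample))  # → mfDr@7ntIm1AngC!
    print(is_long_enough(sample))        # → True
```

The rule is deliberately simple and fixed; the security comes from the sentence being long and personal, not from the rule being secret. Note that the output length equals the word count plus the suffix, so `is_long_enough` is the check that matters before adopting a sentence for a password manager’s master password.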