Data and Goliath:  The Hidden Battles to Collect Your Data and Control Your World
By Bruce Schneier
W. W. Norton & Company, New York, 2015

Whether you know it or not, whether you like it or not, you’re being watched. Everywhere. All the time. When you use your cell phone or access the Internet, when you use the GPS in your car, when you swipe your credit card or your ATM card, you’re being watched, tracked and analyzed.

In his latest book, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, Bruce Schneier helps us watch the watchers.

We live in an era of “ubiquitous, cheap, mass, hidden surveillance,” Schneier says. In this book he explores the nature of mass surveillance, how it’s done and how it’s used. He discusses important consequences, mainly the threats to our liberty, privacy and security. And he makes a comprehensive set of recommendations for governments, business and individuals to reform and respond to mass surveillance.

Bruce Schneier is one of the world’s leading experts on Internet security. He’s published numerous books and articles and he blogs regularly at https://www.schneier.com. It was Schneier who coined the term “security theater” to describe security procedures and technologies that give the appearance of improving security but in fact do no such thing. (Many post-9/11 airport security measures are often criticized as security theater.) I’ve heard him speak a few times at various industry conferences and I’ve always been impressed with his balanced and pragmatic approach to security.

“Data is the exhaust of the Internet age,” Schneier says. Everything you do leaves behind a trail of data. Unlike car exhaust that just spews into the atmosphere, data exhaust is valuable. It’s collected, stored, combined with other data about you and people like you and then mined for patterns, trends and signals.

We don’t usually think of this data collection as “surveillance” let alone as sinister or improper surveillance. If we think about it at all, we might think of it as a trade or a bargain. We give information about ourselves to corporations in return for services, and especially in return for convenience. Our search queries tell Google, Yahoo or Microsoft what we’re interested in. (I work for Microsoft.) We tell Facebook and other social media companies who our friends are and what we like and don’t like. Amazon and other online retailers know about our purchase habits. In return we get more relevant search results, connection with friends old and new, and recommendations for products we might like to buy. And above all, we get ads. Lots of ads.

Governments collect a ton of information about us too, usually without our explicit knowledge or consent, and in some cases with questionable legal authority. It doesn’t matter that the government may not be reading your email or listening to your phone calls, they collect enough metadata – who you’re speaking with, for how long, at what number or address – that they can build a complete profile of you and your associates. As former NSA and CIA director Michael Hayden famously said, “We kill people based on metadata.” In return for this data we’re supposed to get security, in particular, security against terrorist attacks.

In Data and Goliath, Schneier argues these are bad bargains. By trading surveillance for services we’re giving up too much of our personal information and our privacy to corporations who profit handsomely from using and selling our information. And by trading surveillance for security we’re giving up too much of our liberty to governments whose activities reduce rather than improve our security.

I found this last point to be one of the most interesting and worrying in the book. Schneier argues that mass surveillance and related activities of the US and other governments are making the Internet less secure for everyone. This includes

• Stockpiling so-called zero-day vulnerabilities. These are unpatched vulnerabilities in commercial software. By failing to report these and instead collecting them, governments make the Internet less secure for us all since, of course, there’s no way to prevent attackers, be they criminals or foreign powers, from finding and exploiting them too.
• Introducing backdoors into widely available hardware and software products. Backdoors give government officials the ability to secretly access and tap into these systems. Here again, there’s no guarantee these backdoors will remain secret so they make all of us less safe.
• The NSA has used its influence with Internet companies and standards bodies –the organizations that write and ratify the technical specifications that govern how the Internet works – to weaken the specifications for certain key technologies, especially encryption.

These activities might make it easier for the NSA to carry out mass surveillance but at the expense of everyone’s security. This is one of the key points of the book.

“In addition to the extreme distrust that all these tactics engender amongst Internet users, they require the NSA to ensure that surveillance takes precedence over security. Instead of improving the security of the Internet for everyone’s benefit, the NSA is ensuring that the Internet remains insecure for the agency’s own convenience.” [p. 149]

And yet collecting all that information doesn’t seem to be yielding much benefit. The NSA’s “collect it all” approach scoops up overwhelming amounts of irrelevant data about innocent people. Data mining techniques that might be effective for targeting advertisements turn out to be useless for detecting terrorist attacks.

“Because terrorist attacks are so rare, false positives completely overwhelm the system, no matter how well you tune. And I mean completely: Millions of people will be falsely accused for every for every real terrorist plot the system finds, if it ever finds any.” [p. 137]

Schneier argues, convincingly in my opinion, that mass surveillance and data mining are simply ineffective means of detecting terrorist attacks and are no substitute for proven investigation and intelligence methods.

Unsolicited Feedback

Data and Goliath is a terrifically pertinent book. It takes a broad and discerning look at a vitally important issue. Anyone who wants to understand both the technical and policy aspects of mass surveillance will learn a lot from the book.

I found the middle section of the book about the implications of mass surveillance to be the most rewarding. I think Schneier does a really good job of framing the issues around both government and corporate mass surveillance. I was already pretty familiar with a lot of the material in the opening section on how mass surveillance is actually done. However, the information is still useful and well-explained.

If there’s a weakness in the book it’s in the last section containing policy recommendations. I’m not blaming Bruce Schneier here. He does propose some interesting ideas like breaking up the NSA. And he’s not calling for the abolition of mass surveillance, but wants greater transparency, accountability and oversight. All very sensible. It just seems unlikely many of these recommendations will ever get implemented. Corporations are making too much money and politicians are too scared of missing the next terrorist attack for either of them to voluntarily reduce or restrict mass surveillance. So it falls to individuals and organizations like the Electronic Frontier Foundation and the Center for Democracy and Technology to advocate for change. I think it’s an uphill battle, although recent passage of the USA FREEDOM Act, which scales back the NSA’s bulk data collection, is a step in the right direction.