



Security guru Bruce Schneier: Your privacy is already gone

Mar 17, 2015 | 4 mins
Data and Information Security, Privacy, Security

In 'Data and Goliath,' one of the world's foremost security experts piles on the evidence that privacy is dead -- and proposes a detailed plan to restore it


You can’t help but get a little depressed as you read Bruce Schneier’s latest book, “Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World.” It confirms over and over how all our supposed guaranteed personal privacy, digital or otherwise, is nothing but a façade. Here are some examples from the book:

  • It doesn’t take much metadata to specifically identify and track anyone.
  • “We kill people based on metadata.” — General Michael Hayden, former director of the NSA and the CIA
  • The U.S. Post Office photographs (and keeps) the exterior back and front of every piece of mail sent in the United States, and this data is available to other agencies.
  • “… man who complained to a Target store that had sent baby-related coupons to his teenage daughter, only to find out later that Target was correct.”
  • In 2011, a man forced Facebook to turn over all data it had on him. Facebook responded with a 1,200-page PDF, which included every piece of content he had ever viewed in Facebook.
  • The United States, which has more controls on government data collection than any other country in the world, spends more on intelligence collection and analysis than the rest of the world combined.

One of my favorite quotes from the book: “If something is free, you’re not the customer, you’re the product.” That is, most of the world’s biggest free sites and services make their money by selling behavior-specific, targeted advertising.

This is Schneier’s most readable, well-cited book to date. He not only shows us the problem but gives us the solution in three sections. Part one discusses the true severity of corporate and government privacy intrusion, which includes the examples above. As you read this section you’ll shake your head in disbelief over and over.

Many of my friends and coworkers have an unreasonable trust in our government’s intentions. Part two is for them. It discusses what’s at stake and why we don’t want to behave like mindless sheep. Again, Schneier provides example after example of the harm caused while the supposed true goals are rarely met.

George Orwell would be stunned to see the extent to which his most famous work, “1984,” has come true — except for one major difference. In the book, overt coercion and oppression gave people no choice other than to accept constant surveillance; in our society, we’ve knowingly acquiesced.

At this point in Schneier’s book, you can’t help but feel hopeless, as if the game were rigged and already lost. But Schneier says: “Don’t give up. Fatalism is the enemy of change.” Part three of his book discusses the ways you can fight invasion of privacy. Chapter 12 covers the basic principles that should guide our privacy expectations, policies, and laws — transparency, oversight, and accountability among them. The next few chapters recommend privacy guidelines and laws explored by various governments and organizations.

Schneier ends the book by saying: “I am long-term optimistic, even if I remain short-term pessimistic.” That’s a powerful statement of hope by one of the world’s foremost authorities on privacy and security. If he can remain optimistic and stay in the fight, so can I!

Probably the only deviation is in how he sees it proceeding. He sees multiple privacy battles proactively fought by individuals and privacy organizations on our behalf, extracting the right concessions over the long run.

I see things getting much worse, with few battles won, until some sort of glaring global overreach enrages and engages us all. Many people thought the NSA leaks were the start of the tipping point, but so far the only laws actually passed merely made some of the NSA’s illegal acts retroactively legal. That’s not progress, but perhaps it’s the one step back before we take the two steps forward.

Where Schneier and I agree is that we don’t blame “the government” — at least not in our democracy. The government is us. We are both data and Goliath. We have only ourselves to blame, and only we can pull ourselves out of the privacy invasion we now find ourselves in. Schneier’s book gives us a road map to more intelligent policies that better balance security and privacy. I already consider it my bible when discussing privacy issues.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
