• United States



by Anthony Caruana

AISA 2016: Privacy will be solved as infosec matures

Nov 01, 20164 mins
Application SecurityBackup and RecoveryBusiness Continuity

Bruce Schneier has been advocating for personal privacy for many years. He’s a well known cryptographer and writer, and even has a “law” named after him: Schneier’s law, which was coined by Cory Doctorow, states “Any person can invent a security system so clever that he or she can’t imagine a way of breaking it”.

Schneier recently spoke at the AISA Conference in Sydney. We chatted shortly before he gave the conference’s closing address.

I started by asking him what he saw as the big challenges around infosec today.

“The challenges are not much technical, there more social. It’s about making security work in context. I worry a lot about organisations and security practices. I worry about catastrophic risk in the Internet of Things. There’s a fundamental difference between crashing your spreadsheet and losing your data and crashing your car and losing your life. Those are so extraordinarily different, yet it’s the same software”.

I was somewhat prescient that just a few days after Schneier’s comments that a massive DDoS attack, involving IoT devices was perpetrated and took out a massive number websites in the US.

As the risks become focussed on life and property, rather than just data, Schneier says this will change everything


He says the proliferation of computers and things that affect the world in a direct physical manner, that are much lower cost, and designed with less security in mind, that are unpatchable and not prefaced very often will open us to extreme vulnerabilities.

“It’s all the vulnerabilities of computers without any of the fences we’ve built for the past 20 years”.

When it comes to privacy, I asked Schneier whether he thought the privacy genie could ever be put back into the bottle.

“I think, fundamentally, yes,” he says. “It’s not the case that our species has lost privacy till the end of time. That’s just ridiculous”.

Schneier says all technology can be controlled through non-technical means such as laws. However, he says countries and companies are currently “punch drunk” on our data.

“Surveillance capitalism is the thing that is driving our economy. Governments are glomming on getting themselves a copy of everything. That’s going to have to change. I think it will. It’s a very long term thing. Privacy is too central to human dignity to say it’s over”.

The challenges, says Schneier, are around policy. The big challenges aren’t the illegal use of data but the legal ones in his view. And he sees the leadership in privacy coming from Europe. For example, new laws passed there have deemed internet addresses to be Personally Identifiable Information.

Although it sometimes seems people give up data voluntarily, Schneier says, it’s his view, they give up data either because they are coerced or because they don’t understand what they are giving up.

In order to get people to understand what they are doing there’s no need to delve into a technical explanation of how privacy systems work. He likens this to the effects of pharmaceuticals. We don’t necessarily have to understand their mechanism. But we do understand they improve our health when our body is compromised.

”We need governments to take charge and regulate companies that want to make a profit at all costs and people being harmed”.

As it may be difficult for people to correlate the use of their data with personal injury, we need governments to step up with regulation he says. Data use is already regulated in many cases such as stock exchanges and insurance. But those needs to go further.

“The whole point of society is that you don’t have to be an expert in everything. Society takes care. I don’t have to know anything about building construction but I know, without any doubt, that the ceiling will not fall on my head. There’s some building code somewhere that someone adhered to when they built this building”.

Such a system means people don’t need to know everything to trust systems. But as information security and privacy are so new, we’ve not yet reached that level of maturity.

“As we mature as an industry, you start to realise we need those controls in place”.

Another significant issue is that technology is moving faster than the law. Schneier says this is a relatively new phenomenon. The adoption cycles of radio and the telephone were so low enough that laws could be made in a timely way. But the rapid pace of change in technology means the law is often years behind and getting worse.