SELECTED BOOKS BY BRUCE SCHNEIER
Carry On: Sound Advice from Schneier on Security (2013)
Liars and Outliers: Enabling the Trust That Society Needs to Thrive (2012)
Schneier on Security (2008)
Beyond Fear: Thinking Sensibly about Security in an Uncertain World (2003)
Secrets and Lies: Digital Security in a Networked World (2000)
Applied Cryptography: Protocols, Algorithms, and Source Code in C (1994 and 1996)

To Karen: DMASC
If you need to be convinced that you're living in a science-fiction world, look at your cell phone. This cute, sleek, incredibly powerful tool has become so central to our lives that we take it for granted. It seems perfectly normal to pull this device out of your pocket, no matter where you are on the planet, and use it to talk to someone else, no matter where the person is on the planet.
Yet every morning when you put your cell phone in your pocket, you're making an implicit bargain with the carrier: "I want to make and receive mobile calls; in exchange, I allow this company to know where I am at all times." The bargain isn't specified in any contract, but it's inherent in how the service works. You probably hadn't thought about it, but now that I've pointed it out, you might well think it's a pretty good bargain. Cell phones really are great, and they can't work unless the cell phone companies know where you are, which means they keep you under their surveillance.
This is a very intimate form of surveillance. Your cell phone tracks where you live and where you work. It tracks where you like to spend your weekends and evenings. It tracks how often you go to church (and which church), how much time you spend in a bar, and whether you speed when you drive. It tracks, since it knows about all the other phones in your area, whom you spend your days with, whom you meet for lunch, and whom you sleep with. The accumulated data can probably paint a better picture of how you spend your time than you can, because it doesn't have to rely on human memory. In 2012, researchers were able to use this data to predict where people would be 24 hours later, to within 20 meters.
Before cell phones, if someone wanted to know all of this, he would have had to hire a private investigator to follow you around taking notes. Now that job is obsolete; the cell phone in your pocket does all of this automatically. It might be that no one retrieves that information, but it is there for the taking.
Your location information is valuable, and everyone wants access to it. The police want it. Cell phone location analysis is useful in criminal investigations in several different ways. The police can ping a particular phone to determine where it is, use historical data to determine where it has been, and collect all the cell phone location data from a specific area to figure out who was there and when. More and more, police are using this data for exactly these purposes.
Governments also use this same data for intimidation and social control. In 2014, the government of Ukraine sent this positively Orwellian text message to people in Kiev whose phones were at a certain place during a certain time period: "Dear subscriber, you have been registered as a participant in a mass disturbance." Don't think this behavior is limited to totalitarian countries; in 2010, Michigan police sought information about every cell phone in service near an expected labor protest. They didn't bother getting a warrant first.
There's a whole industry devoted to tracking you in real time. Companies use your phone to track you in stores to learn how you shop, track you on the road to determine how close you might be to a particular store, and deliver advertising to your phone based on where you are right now.
Your location data is so valuable that cell phone companies are now selling it to data brokers, who in turn resell it to anyone willing to pay for it. Companies like Sense Networks specialize in using this data to build personal profiles of each of us.
Phone companies are not the only source of cell phone data. The US company Verint sells cell phone tracking systems to both corporations and governments worldwide. The company's website says that it's a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance, with clients in more than 10,000 organizations in over 180 countries. The UK company Cobham sells a system that allows someone to send a blind call to a phone, one that doesn't ring, and isn't detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter. The company boasts government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore, and the United States. Defentek, a company mysteriously registered in Panama, sells a system that can locate and track any phone number in the world undetected and unknown by the network, carrier, or the target. It's not an idle boast; telecommunications researcher Tobias Engel demonstrated the same thing at a hacker conference in 2008. Criminals do the same today.
All this location tracking is based on the cellular system. There's another entirely different and more accurate location system built into your smartphone: GPS. This is what provides location data to the various apps running on your phone. Some apps use location data to deliver service: Google Maps, Uber, Yelp. Others, like Angry Birds, just want to be able to collect and sell it.
You can do this, too. HelloSpy is an app that you can surreptitiously install on someone else's smartphone to track her. Perfect for an anxious mom wanting to spy on her teenager or an abusive man wanting to spy on his wife or girlfriend. Employers have used apps like this to spy on their employees.
The US National Security Agency (NSA) and its UK counterpart, Government Communications Headquarters (GCHQ), use location data to track people. The NSA collects cell phone location data from a variety of sources: the cell towers that phones connect to, the location of Wi-Fi networks that phones log on to, and GPS location data from Internet apps. Two of the NSA's internal databases, code-named HAPPYFOOT and FASCIA, contain comprehensive location information of devices worldwide. The NSA uses the databases to track people's movements, identify people who associate with people of interest, and target drone strikes.
The NSA can allegedly track cell phones even when they are turned off.
I've just been talking about location information from one source, your cell phone, but the issue is far larger than this. The computers you interact with are constantly producing intimate personal data about you. It includes what you read, watch, and listen to. It includes whom you talk to and what you say. Ultimately, it covers what you're thinking about, at least to the extent that your thoughts lead you to the Internet and search engines. We are living in the golden age of surveillance.
Sun Microsystems CEO Scott McNealy said it plainly way back in 1999: "You have zero privacy anyway. Get over it." He's wrong about how we should react to surveillance, of course, but he's right that it's becoming harder and harder to avoid surveillance and maintain privacy.
Surveillance is a politically and emotionally loaded term, but I use it deliberately. The US military defines surveillance as "systematic observation." As I'll explain, modern-day electronic surveillance is exactly that. We're all open books to both governments and corporations; their ability to peer into our collective personal lives is greater than it has ever been before.
The bargain you make, again and again, with various companies is surveillance in exchange for free service. Google's chairman Eric Schmidt and its director of ideas Jared Cohen laid it out in their 2013 book, The New Digital Age. Here I'm paraphrasing their message: if you let us have all your data, we will show you advertisements you want to see and we'll throw in free web search, e-mail, and all sorts of other services. It's convenience, basically. We are social animals, and there's nothing more powerful or rewarding than communicating with other people. Digital means have become the easiest and quickest way to communicate. And why do we allow governments access? Because we fear the terrorists, fear the strangers abducting our children, fear the drug dealers, fear whatever bad guy is in vogue at the moment. That's the NSA's justification for its mass-surveillance programs; if you let us have all of your data, we'll relieve your fear.
The problem is that these aren't good or fair bargains, at least as they're structured today. We've been accepting them too easily, and without really understanding the terms.
Here is what's true. Today's technology gives governments and corporations robust capabilities for mass surveillance. Mass surveillance is dangerous. It enables discrimination based on almost any criteria: race, religion, class, political beliefs. It is being used to control what we see, what we can do, and, ultimately, what we say. It is being done without offering citizens recourse or any real ability to opt out, and without any meaningful checks and balances. It makes us less safe. It makes us less free. The rules we had established to protect us from these dangers under earlier technological regimes are now woefully insufficient; they are not working. We need to fix that, and we need to do it very soon.