//After appearing as the keynote speaker at Scholarship After Snowden, security expert and author Bruce Schneier had a conversation with CGCS about online security.//
CGCS: Were the Snowden revelations novel? What in the documents uncovered information that was unknown to surveillance and security scholars and experts?
Bruce Schneier: On the one hand, there was no real surprise. Anyone who has followed the NSA has assumed that they did this. What was surprising is the sheer extensiveness of the surveillance programs, which probably should not have been a surprise, either. I guess just seeing it in actual detail made it more real, and therefore different.
What is the greatest misconception the general public has about security online, especially in this post-NSA revelations environment?
I think people believe that their data is more secure than it is. And I’m not thinking about criminals and hackers, I’m thinking about the “good guys.” Google knows more about what I’m thinking about than my wife does. Google knows exactly what I’m thinking about when I start thinking about it. Google knows when I stop thinking about it. Google knows what related things I’m thinking about. And Google knows that about everyone. Google knows what kind of porn everyone likes. This kind of thing is inherently creepy, and people don’t think about it.
We don’t think about it because it’s not salient. We don’t wake up in the morning and think “I’m going to carry a tracking device around with me today.” We just grab our cellphone. People don’t think about this data, who has access to it, who buys and sells it, and who gives a copy to the government.
At Scholarship After Snowden, you commented that surveillance is too cheap and should be made more expensive to curb surveillance. Could this realistically be accomplished? What impact would it have?
It definitely can be accomplished. For example, we know that encryption works. We know this from the BULLRUN story; the NSA is forced to try and subvert encryption products, because it can’t break the encryption algorithms. We know this from the Tor story; the NSA can’t break Tor, and they really want to. We know this from the address book and buddy list collection story; the NSA got ten times as much data from Yahoo than from Google, even though Google has many more users than Yahoo, because Google uses SSL encryption by default and Yahoo does not. Encryption is the one thing we can count on.
Ubiquitous encryption has the effect of forcing the NSA, and all other similar adversaries, away from “wholesale” surveillance of everyone and everybody and into “retail” surveillance of just the few people they want to eavesdrop on. This would go a long way to making the world more secure.
Balkanization of the Internet is not a new idea, however, post Snowden we have seen countries such as Brazil push towards breaking from the US-centric Internet. Does this balkanization pose a threat?
If we believe that a free and open global Internet is a goodness for our society and species than Balkanization is a threat to that. It threatens to fracture the Internet along national lines, and gives the more authoritarian countries much more control over the Internet within their borders. I think it is vital for both US interests and the interests of humanity to fight this. And if I knew how, I would be doing it myself.
At the event you also mentioned that the NSA and other organizations will always find backdoors to circumvent encryption. Is there any hope for a secure Internet? Can people do anything to be “secure” online?
These questions never make any sense. To explain, think of the same question with regards to physical security. “We know that the police and other organizations can always circumvent building security. Is there any hope for a secure home? Can people do anything to be secure at home?” Of course they can, both at home and on the Internet. The NSA might have a bigger surveillance budget than anyone else on the planet, but they’re not magical. They’re subject to the laws of mathematics, physics, economics, and — although they have lots of wiggle room — the land. People can do lots of things to be secure online. They can use encryption. They can be careful of what data they store in the cloud. And, most importantly, they can fight for political change. In the end, this is a geopolitical problem, and the solutions will be political. Just like the security of your home, technology is important but it’s only a part.