In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.
In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.
To assess the internet landscape, the Gazette interviewed cybersecurity expert Bruce Schneier, a fellow with the Berkman Klein Center for Internet & Society and the Belfer Center for Science and International Affairs at Harvard Kennedy School. Schneier talked about government and corporate surveillance, and about what concerned users can do to protect their privacy.
GAZETTE: After whistleblower Edward Snowden’s revelations concerning the National Security Agency’s (NSA) mass surveillance operation in 2013, how much has the government landscape in this field changed?
SCHNEIER: Snowden’s revelations made people aware of what was happening, but little changed as a result. The USA Freedom Act resulted in some minor changes in one particular government data-collection program. The NSA’s data collection hasn’t changed; the laws limiting what the NSA can do haven’t changed; the technology that permits them to do it hasn’t changed. It’s pretty much the same.
GAZETTE: Should consumers be alarmed by this?
SCHNEIER: People should be alarmed, both as consumers and as citizens. But today, what we care about is very dependent on what is in the news at the moment, and right now surveillance is not in the news. It was not an issue in the 2016 election, and by and large isn’t something that legislators are willing to make a stand on. Snowden told his story, Congress passed a new law in response, and people moved on.
GAZETTE: What about corporate surveillance? How pervasive is it?
SCHNEIER: Surveillance is the business model of the internet. Everyone is under constant surveillance by many companies, ranging from social networks like Facebook to cellphone providers. This data is collected, compiled, analyzed, and used to try to sell us stuff. Personalized advertising is how these companies make money, and is why so much of the internet is free to users. We’re the product, not the customer.
GAZETTE: Should they be stopped?
SCHNEIER: That’s a philosophical question. Personally, I think that in many cases the answer is yes. It’s a question of how much manipulation we allow in our society. Right now, the answer is basically anything goes. It wasn’t always this way. In the 1970s, Congress passed a law to make a particular form of subliminal advertising illegal because it was believed to be morally wrong. That advertising technique is child’s play compared to the kind of personalized manipulation that companies do today. The legal question is whether this kind of cyber-manipulation is an unfair and deceptive business practice, and, if so, can the Federal Trade Commission step in and prohibit a lot of these practices.
GAZETTE: Why doesn’t the commission do that? Why is this intrusion happening, and nobody does anything about it?
SCHNEIER: We’re living in a world of low government effectiveness, and there the prevailing neo-liberal idea is that companies should be free to do what they want. Our system is optimized for companies that do everything that is legal to maximize profits, with little nod to morality. Shoshana Zuboff, professor at the Harvard Business School, invented the term “surveillance capitalism” to describe what’s happening. It’s very profitable, and it feeds off the natural property of computers to produce data about what they are doing. For example, cellphones need to know where everyone is so they can deliver phone calls. As a result, they are ubiquitous surveillance devices beyond the wildest dreams of Cold War East Germany.
GAZETTE: But Google and Facebook face more restrictions in Europe than in the United States. Why is that?
SCHNEIER: Europe has more stringent privacy regulations than the United States. In general, Americans tend to mistrust government and trust corporations. Europeans tend to trust government and mistrust corporations. The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does. U.S. law has a hands-off way of treating internet companies. Computerized systems, for example, are exempt from many normal product-liability laws. This was originally done out of the fear of stifling innovation.
“Google knows quite a lot about all of us. No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.”
—Bruce Schneier, cybersecurity expert
GAZETTE: It seems that U.S. customers are resigned to the idea of giving up their privacy in exchange for using Google and Facebook for free. What’s your view on this?
SCHNEIER: The survey data is mixed. Consumers are concerned about their privacy and don’t like companies knowing their intimate secrets. But they feel powerless and are often resigned to the privacy invasions because they don’t have any real choice. People need to own credit cards, carry cellphones, and have email addresses and social media accounts. That’s what it takes to be a fully functioning human being in the early 21st century. This is why we need the government to step in.
GAZETTE: You’re one of the most well-known cybersecurity experts in the world. What do you do to protect your privacy online?
SCHNEIER: I don’t have any secret techniques. I do the same things everyone else does, and I make the same tradeoffs that everybody else does. I bank online. I shop online. I carry a cellphone, and it’s always turned on. I use credit cards and have airline frequent flier accounts. Perhaps the weirdest thing about my internet behavior is that I’m not on any social media platforms. That might make me a freak, but honestly it’s good for my productivity. In general, security experts aren’t paranoid; we just have a better understanding of the trade-offs we’re doing. Like everybody else, we regularly give up privacy for convenience. We just do it knowingly and consciously.
GAZETTE: What else do you do to protect your privacy online? Do you use encryption for your email?
SCHNEIER: I have come to the conclusion that email is fundamentally insecurable. If I want to have a secure online conversation, I use an encrypted chat application like Signal. By and large, email security is out of our control. For example, I don’t use Gmail because I don’t want Google having all my email. But last time I checked, Google has half of my email because you all use Gmail.
GAZETTE: What does Google know about you?
SCHNEIER: Google’s not saying because they know it would freak people out. But think about it, Google knows quite a lot about all of us. No one ever lies to a search engine. I used to say that Google knows more about me than my wife does, but that doesn’t go far enough. Google knows me even better, because Google has perfect memory in a way that people don’t.
GAZETTE: Is Google the “Big Brother?”
SCHNEIER: “Big Brother” in the Orwellian sense meant big government. That’s not Google, and that’s not even the NSA. What we have is many “Little Brothers”: Google, Facebook, Verizon, etc. They have enormous amounts of data on everybody, and they want to monetize it. They don’t want to respect your privacy.
GAZETTE: In your book “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World,” you recommend a few strategies for people to protect their privacy online. Which one is the most effective?
SCHNEIER: Unfortunately, we live in a world where most of our data is out of our control. It’s in the cloud, stored by companies that may not have our best interests at heart. So, while there are technical strategies people can employ to protect their privacy, they’re mostly around the edges. The best recommendation I have for people is to get involved in the political process. The best thing we can do as consumers and citizens is to make this a political issue. Force our legislators to change the rules.
Opting out doesn’t work. It’s nonsense to tell people not to carry a credit card or not to have an email address. And “buyer beware” is putting too much onus on the individual. People don’t test their food for pathogens or their airlines for safety. The government does it. But the government has failed in protecting consumers from internet companies and social media giants. But this will come around. The only effective way to control big corporations is through big government. My hope is that technologists also get involved in the political process — in government, in think-tanks, universities, and so on. That’s where the real change will happen. I tend to be short-term pessimistic and long-term optimistic. I don’t think this will do society in. This is not the first time we’ve seen technological changes that threaten to undermine society, and it won’t be the last.
This interview has been edited for length and clarity.