We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Steve Winterfeld: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (2015) by Bruce Schneier
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is Bruce Schneier’s manifesto on what should be done about the amount, and controls around data being collected on us. If, like me, you have been focused on Information Security this book is a great exposure to the privacy issues our profession is facing. The book is more focused on policy than practical application, but worth the read for the background and ideas presented.
Data and Goliath is a call to action around two topics: first, the cultural acceptance of not owning our personal data or understanding how it is being used; and second, the difference between nation-state espionage and mass surveillance. Trying to reduce the themes of the book to just a couple of points is a gross oversimplification. This book belongs in the Canon due to the foundational and timeless issues it addresses for our industry. Finally, don’t let the 400-page length intimidate you, as the text of the book is only 238 pages with the rest being reference notes.
Schneier’s first books were all about cryptography, and he has been part of developing multiple cryptographic algorithms. Over time, he has moved to broader security issues (Secrets and Lies is still a relevant foundational book today). Now, he is addressing national policy, market economics, and privacy expiations around demographics like generational differences.
Data and Goliath is a call to action aimed at the U.S. While it addresses international issues and laws, Schneier acknowledges the fact that it is U.S.-focused. Some of this can be credited to Edward Snowden’s exposing of National Security Agency (NSA) documents. Schneier is a supporter of Snowden and his actions.
The book is organized into three sections: the world we are creating, what’s at stake, and what to do about it.
The world we are creating covers types, and the amount of personal data we are collecting -- mass surveillance, how is it is being used, and who is using it. This section provides the background and evidence for his positions and conclusions. He provides examples on cell phone providers tracking not just you, but who you are with; companies selling data on gullible seniors; and purchasing patterns revealing if you're pregnant. The last example was from when advertisements on the pregnancy were sent to family, which is how the father found out his daughter was pregnant. One of the more interesting points covered is how long data is stored. How long does your phone company need to know where you were? Should they have the right to sell this info? Do you realize you have no rights as to how your personal data is used?
What’s at stake starts with political perspective (liberty and justice), commercial aspects (fairness and equality), and looks at privacy vs. security facets of the issue. Schneier proposes that mass surveillance by commercial companies or governments has chilling effects on social change, leads to censorship, and facilitates surveillance-based manipulation. Additionally, he points out examples of accusation by data after the fact, cases of institutional abuse, and governments stockpiling vulnerabilities or building in backdoors. He builds a strong case for what the NSA has cost U.S. companies in international business after Snowden revealed how they were collaborating. He does acknowledge the same would be true in other countries like China and companies like Huawei.
One key idea for me was: “Science fiction writer Charles Stross described this as the end of prehistory.” What is the impact of your actions being tracked and stored for the rest of your life? Do you want to have to explain your actions at 21 when you’re 45?
What to do about it provides actionable advice to governments, corporations and the average citizen. The book looks at social norms and big data trade-offs. This section talks about the security to surveillance trade-off and covers comparing police to national surveillance, as it pertains to protecting citizens. It looks at institutional vs. individual power and comes down hard on the NSA and FISA court. In fact, Schneier proposes that the Communications Security mission should be split off from the Signals Intelligence mission of the NSA and given to the National Institute of Standards and Technology. He calls for whistleblowing protection organizations and talks about how Snowden could not get a fair trial under the current system. Finally, he outlines concerns around movements to nationalize the Internet.
Here are the notable guidance references: Necessary and Proportionate principles, Executive Order 12333, Section 215 of PATRIOT act and Section 702 of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, Communications Assistance for Law Enforcement Act, Posse Comitatus Act, Organisation for Economic Co-operation and Development Privacy Framework, European Union Data Protection Directive, The Code of Fair Information Practices, White House Consumer Privacy Bill of Rights, Madrid Privacy Declaration.
The key in this section for me was “Privacy-law scholar Peter Swire writes about the declining half-life of secrets.” The days of government secrets lasting 50 years until they were declassified are gone.
Here is his guidance: use encryption and systems, like Tor, to anonymize yourself. We should look for ways to avoid, block, distort and break surveillance. Institutions need transparency accountability and independent oversight. His call to action: notice it, talk about it, and organize politically.
Schneier does acknowledge the benefits of mass data collection, like steering us away from traffic jams and how hard this issue is to address. What he is asking is that we have a transparent debate about what is socially and legally acceptable.
While Data and Goliath brings to mind the Internet enabling a surveillance state that Stalin wanted or Orwell imagined, it is also a must read to provide you with the background and evidence to make up your own mind. While I didn’t agree with all of the arguments presented, I would not have developed my opinion if I had not been challenged by the ideas in the book.
This book should be read by anyone who has responsibility for the privacy of customer data.