Surveillance is the Business Model of the Internet: Bruce Schneier

BOSTON – SOURCE CONFERENCE - Data is a natural consequence of computing, and as search tools get better, it shifts the balance of power towards mass collection and surveillance, renowned security expert Bruce Schneier said at the SOURCE Boston conference on Wednesday.

“Surveillance is the business model of the Internet,” Schneier told attendees. “We build systems that spy on people in exchange for services. Corporations call it marketing.”

The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech. The Internet and technology have changed the impact a group can have on others: dissidents can use the Internet to amplify their voices and extend their reach. Governments already have a lot of power to begin with, so when they take advantage of technology, their power is magnified, he said.

“That's how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens,” Schneier said.

Over the past few years, it's become easier and cheaper to store data and search for the necessary item rather than to sort and delete. Email is a very good example of this shift in behavior. This change, spurred by the popularity of mobile devices and the push to move more data and services to the cloud, has also made it easier to track user behavior. When corporations track users for marketing purposes, it seems benign, but the same actions come across as sinister when it's the government.

Data is a by-product of the information society and socialization, Schneier told attendees. It has become easier to do things online, and the very act of doing something using technology results in data. For example, he described how an IM conversation was data—for its content, but also by virtue of the fact that it happened. Details about when it happened, who the conversation was with, the geographic locations of the participants, and other such information are part of the conversation's metadata.

“Metadata is us,” Schneier said, noting that the government's claim that it is collecting “only” metadata downplays just how much insight can be gleaned from the information.

Metadata is far easier to store, search, and analyze than actual content, and actually has far more value to an intelligence agency, Schneier said. Law enforcement tracking a terror network doesn't necessarily need the actual conversations, but rather information about who is talking to whom. “Metadata is fundamentally surveillance data,” he said.

Data is currency, and consumers are willing to hand over their information in exchange for “free or convenience,” Schneier said. Companies such as Facebook and Google want the data so that they can sell more stuff. Users hand it over to play games, to get email, or some other benefit. “I like to think of this as a feudal model. At a most fundamental model, we are tenant farming for companies like Google. We are on their land producing data,” he said.

By handing the data over, users have an expectation of trust that Google, Facebook, and other data brokers will do the right thing with the personal data. However, this becomes a power play when governments get involved. Governments don't need to collect the data themselves when corporations are already doing it.

“The NSA woke up and said ‘Corporations are spying on the Internet, let’s get ourselves a copy,’” Schneier said. Most NSA surveillance “piggybacks” what the companies are already doing, he said.

The government didn't tell anyone they have to carry around a tracking device, but people now carry mobile devices. The government doesn't require users to notify any agency about their relationships. Users will tell Facebook soon enough, Schneier noted. “Fundamentally, we have reached the golden age of surveillance because we are all being surveilled ubiquitously.”

Lowering the cost of technical surveillance also transforms the actual act of surveillance itself, Schneier said. It's no longer just “follow the car,” but rather, “tell me everywhere the car has been for the past month,” he noted. Surveilling a car in the past may have required five people, but technology means agents can track 3,000 cars without using any additional agents. Technology has changed the extent of what surveillance can do, and that can be worrisome.

When the government has power, there has to be a way to ensure responsibility, Schneier said.

The Industrial Revolution in the 19th century largely ignored the consequences of widespread adoption and rapid innovation, such as pollution. Fast forward to the present day, and privacy and security are being ignored in a similar fashion in favor of rapid online innovation in the digital age, Schneier said.

“I think this is the issue by which we will be judged when our grandchildren read the history of the early days of the Internet,” Schneier said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.