Bruce Schneier is a world-famous computer security expert whose new book is about where all your personal data is going — and who can see it. It's called Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. We've got an excerpt.
And tomorrow, Schneier will join us for a Q/A, so if you've got questions you can ask him — we'll post a call for questions tomorrow, March 13, at 9:30 AM eastern.
From the introduction to Data and Goliath:
If you need to be convinced that you're living in a science-fiction world, look at your cell phone. This cute, sleek, incredibly powerful tool has become so central to our lives that we take it for granted. It seems perfectly normal to pull this device out of your pocket, no matter where you are on the planet, and use it to talk to someone else, no matter where the person is on the planet.
Yet every morning when you put your cell phone in your pocket, you're making an implicit bargain with the carrier: "I want to make and receive mobile calls; in exchange, I allow this company to know where I am at all times." The bargain isn't specified in any contract, but it's inherent in how the service works. You probably hadn't thought about it, but now that I've pointed it out, you might well think it's a pretty good bargain. Cell phones really are great, and they can't work unless the cell phone companies know where you are, which means they keep you under their surveillance.
This is a very intimate form of surveillance. Your cell phone tracks where you live and where you work. It tracks where you like to spend your weekends and evenings. It tracks how often you go to church (and which church), how much time you spend in a bar, and whether you speed when you drive. It tracks—since it knows about all the other phones in your area—whom you spend your days with, whom you meet for lunch, and whom you sleep with. The accumulated data can probably paint a better picture of how you spend your time than you can, because it doesn't have to rely on human memory. In 2012, researchers were able to use this data to predict where people would be 24 hours later, to within 20 meters.
Before cell phones, if someone wanted to know all of this, he would have had to hire a private investigator to follow you around taking notes. Now that job is obsolete; the cell phone in your pocket does all of this automatically. It might be that no one retrieves that information, but it is there for the taking.
Your location information is valuable, and everyone wants access to it. The police want it. Cell phone location analysis is useful in criminal investigations in several different ways. The police can "ping" a particular phone to determine where it is, use historical data to determine where it has been, and collect all the cell phone location data from a specific area to figure out who was there and when. More and more, police are using this data for exactly these purposes.
Governments also use this same data for intimidation and social control. In 2014, the government of Ukraine sent this positively Orwellian text message to people in Kiev whose phones were at a certain place during a certain time period: "Dear subscriber, you have been registered as a participant in a mass disturbance." Don't think this behavior is limited to totalitarian countries; in 2010, Michigan police sought information about every cell phone in service near an expected labor protest. They didn't bother getting a warrant first.
There's a whole industry devoted to tracking you in real time. Companies use your phone to track you in stores to learn how you shop, track you on the road to determine how close you might be to a particular store, and deliver advertising to your phone based on where you are right now.
Your location data is so valuable that cell phone companies are now selling it to data brokers, who in turn resell it to anyone willing to pay for it. Companies like Sense Networks specialize in using this data to build personal profiles of each of us.
Phone companies are not the only source of cell phone data. The US company Verint sells cell phone tracking systems to both corporations and governments worldwide. The company's website says that it's "a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance," with clients in "more than 10,000 organizations in over 180 countries." The UK company Cobham sells a system that allows someone to send a "blind" call to a phone—one that doesn't ring, and isn't detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter. The company boasts government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore, and the United States. Defentek, a company mysteriously registered in Panama, sells a system that can "locate and track any phone number in the world . . . undetected and unknown by the network, carrier, or the target." It's not an idle boast; telecommunications researcher Tobias Engel demonstrated the same thing at a hacker conference in 2008. Criminals do the same today.
All this location tracking is based on the cellular system. There's another entirely different and more accurate location system built into your smartphone: GPS. This is what provides location data to the various apps running on your phone. Some apps use location data to deliver service: Google Maps, Uber, Yelp. Others, like Angry Birds, just want to be able to collect and sell it.
You can do this, too. HelloSpy is an app that you can surreptitiously install on someone else's smartphone to track her. Perfect for an anxious mom wanting to spy on her teenager—or an abusive man wanting to spy on his wife or girlfriend. Employers have used apps like this to spy on their employees.
The US National Security Agency (NSA) and its UK counterpart, Government Communications Headquarters (GCHQ), use location data to track people. The NSA collects cell phone location data from a variety of sources: the cell towers that phones connect to, the location of Wi-Fi networks that phones log on to, and GPS location data from Internet apps. Two of the NSA's internal databases, code-named HAPPYFOOT and FASCIA, contain comprehensive location information of devices worldwide. The NSA uses the databases to track people's movements, identify people who associate with people of interest, and target drone strikes.
The NSA can allegedly track cell phones even when they are turned off.
I've just been talking about location information from one source—your cell phone—but the issue is far larger than this. The computers you interact with are constantly producing intimate personal data about you. It includes what you read, watch, and listen to. It includes whom you talk to and what you say. Ultimately, it covers what you're thinking about, at least to the extent that your thoughts lead you to the Internet and search engines. We are living in the golden age of surveillance.
Sun Microsystems' CEO Scott McNealy said it plainly way back in 1999: "You have zero privacyanyway. Get over it." He's wrong about how we should react to surveillance, of course, but he's right that it's becoming harder and harder to avoid surveillance and maintain privacy.
Surveillance is a politically and emotionally loaded term, but I use it deliberately. The US military defines surveillance as "systematic observation." As I'll explain, modern-day electronic surveillance is exactly that. We're all open books to both governments and corporations; their ability to peer into our collective personal lives is greater than it has ever been before.
The bargain you make, again and again, with various companies is surveillance in exchange for free service. Google's chairman Eric Schmidt and its director of ideas Jared Cohen laid it out in their 2013 book, The New Digital Age. Here I'm paraphrasing their message: if you let us have all your data, we will show you advertisements you want to see and we'll throw in free web search, e-mail, and all sorts of other services. It's convenience, basically. We are social animals, and there's nothing more powerful or rewarding than communicating with other people. Digital means have become the easiest and quickest way to communicate. And why do we allow governments access? Because we fear the terrorists, fear the strangers abducting our children, fear the drug dealers, fear whatever bad guy is in vogue at the moment. That's the NSA's justification for its mass-surveillance programs; if you let us have all of your data, we'll relieve your fear.
The problem is that these aren't good or fair bargains, at least as they're structured today. We've been accepting them too easily, and without really understanding the terms.
Here is what's true. Today's technology gives governments and corporations robust capabilities for mass surveillance. Mass surveillance is dangerous. It enables discrimination based on almost any criteria: race, religion, class, political beliefs. It is being used to control what we see, what we can do, and, ultimately, what we say. It is being done without offering citizens recourse or any real ability to opt out, and without any meaningful checks and balances. It makes us less safe. It makes us less free. The rules we had established to protect us from these dangers under earlier technological regimes are now woefully insufficient; they are not working. We need to fix that, and we need to do it very soon.
Excerpted from Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier. Copyright © 2015 by Bruce Schneier. With permission of the publisher, W. W. Norton & Company, Inc. All rights reserved.
Bruce Schneier is a security technologist, and CTO of Resilient Systems, Inc. His latest book is Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. He blogs, and tweets at @schneierblog.