The famous computer security specialist, cryptographer, founder and CTO of ‘BT Managed Security Solutions’ Bruce Schneier delivers a talk at RSA Conference 2012 in which he expresses his non-standard viewpoint on today’s major risks to the Internet.
Hi! Today I would like to talk about risks to the Internet infrastructure, but a specific kind. I don’t want to talk about hackers or criminals, or terrorists. I want to talk about risks to the Internet infrastructure coming from the good guys. If this was a real tech audience, I might call it ‘Layer 8’ and ‘Layer 9’ risks; talk about, basically, economics and politics.
I think the real risks in the Internet today are not from the criminals and the hackers. They are from business, and they are from government. And the more we start thinking this way, the better chance we have of keeping the Internet we want and not getting stuck with things we don’t want.
So I have three risks I want to talk about.
I call the first one ‘The rise of big data’. And I might change that word, because a normal definition of big data is big data sets. So you see a lot of talk about how to manipulate big data. By big data I mean an industry force, like big oil or big tobacco – companies that make a living with our data; and what they are doing and want to do to the Internet.
So I’m talking about data brokers; companies like Google and Amazon who have our data; social networking sites like Facebook. These companies and many, many more are collecting our data. They are collecting it as we browse, as we send SMS messages, as we tweet. This data is more and more being saved, it’s being bought and sold, and it’s being used to make decisions about us – you know, primarily it’s advertising decisions.
But more and more we are seeing this being used for things like employment decisions or college admission decisions. Government makes use of this data. There was a proposal several years ago – it didn’t come into force – to use this data at airline checkpoints. You know, that’s not happening, but this data is being used at fusion centers. More of this data is being collected, being saved and being used.
From a product side, everything is going out into the cloud. So data that used to be on our computers is now being put elsewhere, under the control of some other company.
Well, you put a post on Facebook and it’s protected based on your privacy settings, so that you know who of your friends can see it and who can’t. But the company on the back end can of course see everything. And they can use everything. And they do!
So, right now we are seeing companies pushing for legislation, or, more often, for a lack of legislation that limits what they do. These companies are very big, very profitable, and they are big lobbying forces. And they are agitating for more data, more access, fewer controls over what they can do.
I mean, they are competing to be the company that has your data and can monetize it. So, what does this mean? In a lot of ways, this means the loss of control! And from the security perspective, we are losing control over our security.
Data we put up on Facebook, photos on Flickr, email on Gmail – we no longer have direct control over that security. The security is whatever those companies want it to be. And that’s either good or bad.
If you are an average user, it might be a good thing. You are not doing good security anyway. Having your photos on Flickr means that if your computer crashes, you won’t lose them. Isn’t that a positive?
If you are a company, if you are focused on your own security – that can easily be a negative. We are seeing this also with special-purpose devices. The things you can do on your iPhone are much more limited than on your computer. And there’s a lot of security you can’t implement. You can’t implement verifiable file deletion. You can’t implement a good firewall or a good antivirus. You just don’t have access to that low level.
And that’s more desired as these big data companies are trying to control more of our environment. The result really is going to be ‘feudal security’. And I mean ‘feudal’ with a ‘d’, not with a ‘t’, not ‘futile’ – ‘feudal’ as in a system where you pledge allegiance to some lord, or some data company, and in return – they protect you, to the limits they protect you. Good if you are a weak servant, probably pretty bad if you are an independent noble. But I think this is an enormous risk, and something we need to watch looking forward.