Book review: Data and Goliath (Bruce Schneier)

I finally got around to finishing Bruce Schneier’s latest bestseller: Data and Goliath. I’ve read a few of Bruce’s books over the years (and own most of the rest, waiting patiently to be read). I’ve watched Bruce on many TV news segments, lectures, interviews, and web videos. I follow his blog and Twitter posts. I’ve even had the pleasure of emailing him from time to time. Some day I’d love to meet the guy. So… what I’m trying to say here is: fair warning, I’m a bit of a Bruce Schneier fan boy.

However, I feel this is completely justified. I tend to have the most respect for the even-keeled, professorial types – the ones who are passionate about what they do and highly knowledgeable about their field, but at the end of the day are most concerned with getting it right and avoiding hyperbole. That’s a small camp of people, but Bruce is definitely in it.

Bruce’s latest book is at once timely and timeless. The topics of computer security and online privacy are obviously hot right now in the wake of the Snowden revelations, but Bruce makes it clear that this stuff has been going on for a very long time now and will only get more important in the coming decades. I think Bruce was moved to write this book much as I was to write mine – people need to understand what’s going on here, but the fact of the matter is that they just don’t. At the end of the day, it’s up to us to demand change. Left to their own devices, corporations and governments will not cede the power that comes from massive data collection and mass surveillance.

Data and Goliath is remarkably comprehensive and well researched. Bruce draws on many sources – not just the Snowden documents (to which I believe he has had full access, at least for a time) but also from many insiders and security researchers, in addition to decades of experience.

In the first section, Bruce explains how we got where we are and what’s really going on. It was staggering to see it exhaustively cataloged. The enormity of the problem we face and the depth to which surveillance has already permeated our society is truly alarming. Even though I was aware of most of these things at one time or another, even I found myself shaking my head while reading this litany. One of the key take-aways from this section is how all of this data is used in concert to create a shockingly complete picture of each person’s life – not just digital life, but real life. Correlating all of these data streams results in something quite a bit larger than just the sum of its parts – which is something that I feel is lost on most people, but crucial to understand.

Bruce explores the harm that is already being done by this mass surveillance and data collection, and explores the very real future dangers in the second section of the book. Again, this is something that I believe everyday people just aren’t grasping. Too many people blow it all off thinking they have nothing to hide, so who cares? Everyone should care. I can’t do it justice in a paragraph – you’d think I was just being paranoid and blowing it out of proportion. Bruce walks you through why this all matters, with real-life examples, and clearly explains the deep impacts it is already having on our democracies.

Finally, Bruce wraps up the book with a wide range of things that we can and should be doing. What I love about Bruce’s approach is that it’s not all-or-nothing. Surveillance and espionage and even mass data collection all have their place in a civil society. Where many people get it wrong, I think, is to go to one extreme or the other. There is absolutely a sane, practical, and healthy middle ground to be found here. Targeted surveillance, when governed by transparent laws and reviewed by impartial third parties, makes perfect sense and has a place in democratic society. Collecting mass quantities of anonymous data can provide huge benefits for everyone – from medical research to traffic avoidance. It’s not always what we’re doing, it’s how we’re doing it. Still, Bruce comes down solidly on the side of an individual’s right to privacy and that computer security is essential for everyone. He just points out, very clearly, that that stance does not interfere with protecting ourselves from criminals and terrorists. That’s a false choice.

This book does not go into any detail, really, on how to protect yourself at a personal level – he even says that that would take an entire book (like, oh, say, I don’t know…. MY book). It does, however, explore many legal frameworks and “bill of rights” type proposals that are already on the table from around the world. Bruce also makes many solid and well-crafted proposals for approaching these problems – while many are politically difficult, they’re eminently rational and workable.

At the end of the day, though, it’s really up to us, as a people, to decide that we value our privacy and demand action – not just for ourselves, but truly for our society as a whole. The first step is to get educated… and if you had to pick just one book to read, Data and Goliath would be an excellent choice.