A look at the reasons you should lie awake at night worrying about cybersecurity, crypto, and “The Internet of Things.”
We should be afraid, very afraid, of the internet, says our guest on this week’s WhoWhatWhy podcast, longtime internet security expert, public-interest technologist, and lecturer at the Harvard Kennedy School Bruce Schneier.
Most people, Schneier points out, either don’t know how their lives are directly impacted by digital technology or blithely ignore the implications of being always “online.” For example, we don’t think about how our phones always know where we are, or about the remarkable ability of modern camera technology to peer into windows, even if we are on a high floor of a hotel.
This might not be so worrisome, Schneier argues, if the government oversaw the internet the way it oversees airline safety or food safety or highway safety. Instead, as he sees it, no one is looking out for us in the digital world. There is no real government regulation and no significant laws designed to keep us safe.
And the rise of the so-called Internet of Things will only make us even less secure — as digital technology takes over not just our keyboards and screens, but our driving, our hospitals, our appliances, our money, and more.
Schneier heaps special scorn on cryptocurrency and its enabling blockchains as merely the fantasy of “white, male, libertarian crypto bros” — an enterprise with no real purpose but with a dire impact on global warming and other aspects of modern life. His bottom line: taking money out of government control is a stupid idea.
Full Text Transcript:
(As a service to our readers, we provide transcripts with our podcasts. We try to ensure that these transcripts do not include errors. However, due to a constraint of resources, we are not always able to proofread them as closely as we would like and hope that you will excuse any errors that slipped through.)
Jeff Schechtman: Welcome to the WhoWhatWhy podcast. I’m your host, Jeff Schechtman. The metaverse notwithstanding, the nexus between what happens on the internet, and what happens in the real, physical world, is disappearing. The blood-brain barrier between the two has broken. And every day, in our finances, in our interpersonal communications, in our entertainment, in our transportation, and even in what we eat, the connection between our digital world and our real world is further integrated.
Reactions to this vary from, “I’m terrified of everything; the government should control the internet,” to, “There is no privacy; do I have nothing to hide; and why should I care if I’m being served up greater convenience?” The fact is that vast sums of data on all of us are being collected, sometimes in the name of convenience, sometimes in the name of national security, and it’s unclear exactly what’s going on. It’s unclear where security theater starts, and real security begins.
In short, the cyber world presents 21st-century problems that have not yet been solved, much less, fully understood. We’re going to talk about that today with my guest, Bruce Schneier. He’s a public interest technologist working at the intersection of security, technology, and people. He’s been writing about security issues since 2004 and is a fellow and lecturer at Harvard’s Kennedy School. He’s a board member of the Electronic Frontier Foundation and chief of security architecture at Inrupt, Inc. He is the author of numerous books, including We Have Root and Click Here to Kill Everybody. It is my pleasure to welcome Bruce Schneier here to the WhoWhatWhy podcast. Bruce, thanks so much for joining us.
Bruce Schneier: Thanks for having me. What was that 2004 thing you mentioned?
Jeff: I guess you started your blog in 2004.
Bruce: Right. And I thought I was late in blogging, and now everyone thinks I’m early.
Jeff: [laughs] You were ahead of the curve.
Bruce: But I don’t know. In my community, there were a lot of bloggers. I remember for years not wanting to blog because it just felt too fast. I was doing an email newsletter, and then I liked it. I liked the monthly cadence. But to be part of the conversation, back then, you had to be immediate. And of course, now you got to be really immediate.
Jeff: Well, it’s so interesting, to digress for just a second here, that newsletters today and Substack and all the stuff that goes along with it, the imitations, are a throwback to the days of blogging.
Bruce: Right, and they are back. And so, newsletters were before blogging. I started my newsletter, and God, I’m going to look it up. I think 1998. And then it became a blog, and that was to be faster. So, newsletters were cool. They were not cool for a long time. And now they’re cool again, right with Substack and other ways that people are actually monetizing their newsletters, which I never did.
Jeff: But it’s the classic case of everything old is new again. It just comes around and in a just slightly different form.
Bruce: I guess. So, I started my newsletter in 1998, and my first book was 1993. Oh, right, then the blog was 2004.
Jeff: Well, Bruce, it’s a good way into this, because you’ve been looking at this so long. And one of the things I was thinking about in anticipation of our conversation is the way in which this world that you’re involved in changes so rapidly, not just over years, but almost over months. And that it seems like it is an endless struggle because what you solve today, which we’re able to protect today, changes tomorrow. Talk about that in a general sense first.
Bruce: And I think that’s true. And that’s bigger than security, that’s tech. And those of us who are steeped in tech know it that things change so fast. And if it’s the invention of a new technology like the iPhone or some app, and suddenly things are different, or drones or wireless communication. Now, video is big. And I remember when video was too much bandwidth. And things change a lot and assumptions change—the notion that our phones know where we are at all times and all the good that brings—and it is hard to keep up.
Most people’s perceptions of what is possible—what happens—doesn’t match reality because it changes so fast. I was struck by this in another area. I was in a hotel, which is rare, right: in pandemic, hotels, traveling. And I’m up on a high floor, and it’s a giant window. And I opened the curtains, and there are some other buildings far off in the distance, and you can see tiny, tiny black dots, which are windows. And I think the cameras are so good these days, that someone in one of those windows has a really good image of me if they’re looking. And that’s something we don’t think about.
We don’t think about a loss of privacy from faraway buildings or from aerial aircraft. And now the world has changed, and our notion of what cameras can do doesn’t match the reality of what cameras can do. So, multiply that by everything, and that’s where we are.
Jeff: So, I guess the other part of the question then is, if we thought about this all the time, if we thought about those cameras every time we were in a hotel room, and the way in which our phone was really tracking us, and all the other information about us that’s out there, and the ways in which it’s been diced and collected, it would either cause us to not want to participate in any of this or just create a level of anxiety that was arguably unsustainable.
Bruce: Or more likely, we would just pretend it wasn’t true, which is what most of us do most of the time. So, we don’t want to have to think about this all the time. So, this is another thing about modern society. Modern society, we delegate, generally, government organizations to protect us, right? So, when I was in that hotel, I did not think for a minute about building codes and safety measures and egress staircases and how any of that worked because when that building was built, there were rules the builders had to follow. In case they don’t follow them, buildings fall down in Florida, but by and large, that works for us.
When I got on an airplane, I didn’t have to worry about aircraft design or maintenance or crew rest or pilot training or any of that. The FAA has rules, and I can get in a plane without even thinking about it. So, why is it that there are no such rules about data, about corporate spying, about government spying? Oh, we know the answer: corporations basically make the rules. But what we want is a world where government steps in, like they do in every other aspect of society, to protect me so I don’t have to learn about it, think about it, be anxious about it, ignore it. It’s just true. I can walk into a restaurant, and I know the food won’t kill me. It’s kind of neat.
Jeff: Is it one of the differences though? This brings us back to where we started, the speed at which technology changes and the ability or lack of faith in the ability of government to stay on top of that. Planes haven’t changed that dramatically over a 10-year arc or a 20-year arc. They’re fundamentally the same. Keeping planes from crashing into each other by the FAA is similar business today than it was 10 years ago. With respect to cybersecurity, that’s not true.
Bruce: Yes, the speed matters, and it’s a difference in degree—not that it’s a difference in kind. I think if we say, “Well, look. It’s too fast. We can’t do it,” we’re just saying democracy is over, which feels too extreme a position. I’m not willing to give up on the ability of us as humans to govern ourselves. You don’t have to say, “Okay, we’re now going to build society in the near-term financial interest of a bunch of tech billionaires. That’s the only way we can do it.” That feels wrong to me.
So yes, there’re going to be challenges. And we’re talking about aircraft, and we know 737 Max, the problems of regulation there. Where in fact, the FAA delegated regulation to Boeing, which of course, regulated in a way that was profitable for them—not that was safe for everybody else—and we saw the disasters there. So, there are a lot of challenges here, but I don’t think we as a people should give up our ability to decide what society should look like. We really don’t want to run the world for a bunch of oligarchs. That feels bad. I’d rather do it flawed than not do it at all.
Jeff: Is one of the differences and one of the reasons people seem to be less concerned is that it’s not necessarily a life-or-death situation? If you eat tainted food, you could die. If you’re in a plane crash, you will die. And we could go on and on with these things. Whereas if you’re surveilled, or if that camera’s looking at you through that hotel window, or if data is being collected on you that you don’t know about, there are no immediate consequences.
Bruce: So, I think that is a big difference, and that’s a reason why it’s not a campaign issue—why a lot of people do ignore it—that the effects are not immediately salient, like a plane crashing, a car crashing, you getting food poisoning. That’s changing now because computers are moving out of the world of keyboards and screens into our lives. So now, computers are in the planes and the cars and the power plants and the appliances and the medical devices.
So, we’re moving into a world where this stuff is life and death, where the way these systems work determines whether your hospital is working or not or whether the cars stay on the road or not. So, that change, I think that difference is important and make you put your finger on why people are willing to let this slide in a way they’re not in those other areas. But the internet of things changes that because the internet of things now affects the world in a direct physical manner in a way your spreadsheets or your Facebook or your Gmail never did.
Jeff: To what extent does it have to also do with people’s understanding of how the system works and what’s really going on?
Bruce: I think that’s part of it too. These are very complex technological systems, and then we talked about how people’s intuitions of them are wrong, but a lot of that complexity is hidden. Airplanes are super complex too, yet we can describe them in simple terms, so we can think about them in simple terms. Search is complex, yet we understand it in simple terms. I don’t know. I think that is a difference, but that the contours of it aren’t obvious, and that’s worth thinking about.
Jeff: The other question of course is how concerned people should be in this sense of understanding what the real dangers are—and getting mixed messages about that?
Bruce: So, I don’t know how concerned people should be. I mean, I want it so people don’t have to be concerned at all. Just like you don’t have to be concerned about airplane safety. You get on airplanes. You want to fly somewhere. I mean, COVID willing, but that’s not an airplane issue. I think people right now need to understand this is more than security, the threats of big tech to society, and we’re seeing some of that.
So right now, there is a bill going through Congress to try to force Apple and Google to open up their app stores. They are a monopoly. They have a lot of bad outcomes because they’re a monopoly. Monopolies are bad, and this is a law. This bill [is] actually being fought really hard by Google and Apple for good reason. I mean, there’s enormous profit margin for them because monopolies are incredibly profitable for the monopolists. To open up the app store.
And so how much does the average consumer need to know about that? It would be nice if they understood how much money they’re paying that they don’t have to, how much their quality of service isn’t as good because there’s no competition, and that would be great if they knew that. Then there would be some public outcry that would push Congress to do the right thing. Right now, the lobbyists are spending a lot of money trying to get Congress to do the wrong thing.
So, more public awareness would be better here, and we’re seeing that with Facebook. They’ve been—no actual regulation but a lot of hearings. They’re perfectly happy to drop democracy in pursuit of profits, and I’m not convinced that we as society should let them do that.
Jeff: How much of the concerns, or what should be the concerns with respect to security, cybersecurity, all these things that we were touching on a little while ago, how much is there a problem in the way that gets conflated today in the discussion about these corporations and how much money they’re making and their monopolistic practices et cetera? It seems that when the two things come together, it confuses people with respect to what they should really worry about.
Bruce: I think that’s true. The monopolists help. One of Apple’s biggest arguments of why they should remain a monopoly is they make these security arguments: “You are more secure. We’re a monopoly.” Facebook says same thing: “You break us up, you allow competition, it’ll be much less secure.” Monopolists say this all the fricking time. It’s never true, but it’s a common refrain. And you’re right. It does confuse people. It does make it harder to understand the issues.
Security permeates everything but is rarely the central thing that matters. Airplane safety is important, but what really matters for airplanes is, are they going to get where I want to go? Is their schedule good? What’s the price of the tickets? How annoying is the airport? So, all the things about the fact that we as consumers pay attention to, we take airline safety and security as a given and an afterthought, and that’s true, I think, pretty much everywhere.
And I don’t think that’s bad. I think that’s the sign of a mature society: that I can not worry about airplane safety because the government’s got it. They’ve got it for me. I’m free to worry about the things that matter to me. So, same thing with choosing a restaurant or in a lot of ways choosing a doctor and buying a pharmaceutical, there’s a whole system designed so I don’t have to worry about that.
Jeff: One of the things though, it seems like we crossed some kind of a threshold many years ago, when finance moved into the internet world, when our banking and our financial transactions moved online, and the public began to accept that completely. That when that happened, it indicated a level of security that was not unlike the safe feeling we have getting on an airplane or going to that restaurant.
Bruce: And largely that works. It’s a feeling of safety, of assurance, of security, I guess is also a good word, that we could just bank online and not think about it. And you’re right. We all do it. And Apple Pay was another threshold, that you can use your phone for credit card transactions. And I mean, I was a latecomer on this because I am. I do it now, and it is largely safe. We’re not being hoodwinked here. Banking online is fine.
There was lots of fraud, but there was fraud before. I’m not convinced the online banking caused a degree of fraud that’s different in any major way. In a lot of ways, this is a combination of regulation and banks realizing they need to eat the fraud. That in order for people to feel safe, banks just have to make good on fraud, even when it’s not their fault, and I think that was interesting to watch.
Sometimes industries are forced to do that. Credit Corporate Company was in the 1970s—Fair Credit Reporting Act. There are other rules about debit cards. But I think largely in internet banking, the banks realized. And they’re going to save an enormous amount of money by not needing tellers and branches and all of that physicality. But in order for people to do it, they need to feel safe doing it, which means banks need to eat fraud, and they do.
Jeff: And as we move that up the food chain to a new level today with cryptocurrency, with the blockchain, et cetera, talk a little bit about where you see that going in terms of—
Bruce: Oh, hopefully, gone. Hopefully away. I mean blockchain, cryptocurrency, I mean it’s all complete in the garbage nonsense. It’s bad. It’s insecure. It’s not decentralized. It’s not safe. It’s stupid at every level. It’s a big deal now, so there’s lots of money in it, but I hope where it’s going, people will realize that this is just absolute nonsense, and then it just goes away. That’d be great. Plus, it would be great for the planet too.
Jeff: Expand on that a little bit as to why you think that it should go away. What do you see as the biggest problems with it?
Bruce: I guess where do you want me to start? Why is it here? The problems are everywhere. It doesn’t work as advertised. It’s a complete disaster at every level. But why are we [unintelligible 00:18:57] I can tell it’s just a bunch of white male libertarian crypto bros who think it’s cool to stick it to the government. What’s its benefit?
Jeff: What about the blockchain and the sense that that’s the security apparatus of the future?
Bruce: But it’s not a security apparatus. How many times have you read about people losing millions of dollars? Blockchain is a data structure. And it’s a fine data structure, but to make it a currency, you need three things. You need the data structure, the blockchain, which is basically distributed database. We know how to do those. Those are super easy. There is the mining system, the incentive structure to get people to basically burn the planet to create these coins, and then you need this exchange mechanism.
It doesn’t do anything that normal finance doesn’t do. It provides no additional value, and it burns up the planet, and you can lose your money, and it’s rife with fraud. There’s nothing of value in it.
Jeff: Why do you think it has caught on the way it does, or at least captured the imagination of so many—
Bruce: Oh, God. Libertarian crypto bros. 100 percent, right? And then it became a thing, and then it increased in value, so now it’s a speculative bubble.
Jeff: What’s the downside in terms of the broader effect it has on what we should be concerned about?
Bruce: A couple of downsides: one, is people are losing an enormous amount of money in this, and when the bubble bursts, they’ll lose even more. But the amount of fraud and just hacks, it’s ultimately decentralization. People think bitcoin’s decentralized, and that’s just not true. And it enables ransomware, and this is a big deal. The reason ransomware is a thing is because of cryptocurrencies. The problem with any ransom system is moving the money.
For ransomware, the normal banking system won’t have anything to do with them, and suitcases full of $100 bills are really, really heavy. So, the reason ransomware works is because there are these cryptocurrencies, and regulating that space would do a lot to get rid of ransomware. So, there’s just one. But I think pulling money out of government control is actually kind of stupid. There’s a reason why governments issue currencies, and it’s a good one, and we generally like it.
And the notion that any investment vehicle, where if you forget your password, you lose your life savings, and there’s no recourse. Or, you lose your hard drive, and you lose your life savings; there’s no recourse. How anyone believes this is secure makes no sense to me. Sorry. It is a weird, weird speculative bubble we’re living through, and hopefully it’ll end soon because the environmental cost is ginormous.
Jeff: What in your view should be our greatest concern, with respect to cyber security today?
Bruce: Yes, the concern I have is primarily not the illegal uses of our data, but the legal uses. I worry more about the governments and corporations who are doing things legally than I am about the criminals. I think the harms are greater there. And we talk about this in the beginning. In your intro, you talked about that our data was being collected by governments and corporations. [unintelligible 00:22:31] convenience and security. I mean, that’s wrong. It’s not convenience. It’s profit.
We’re being surveilled for security, which is defined in any number of different ways, whether the U.S., or China, or Russia, or France, or Switzerland, or Australia, and then also for profit, generally not ours.
Jeff: Is it unrealistic to think that any of these companies are going to do anything that isn’t governed by that profit motive?
Bruce: Oh, of course not. That’s why you need government to step in. You have to go to a company and say, “Yes, you have a profitable business buying and selling human kidneys. We’ve decided that’s illegal and immoral. You can’t do that anymore. Yes, you as an auto manufacturer are producing cars that explode on impact, or gasoline has too much lead in it. And we get that it’s less profitable if you’re going to do it another way, but we’re going to force you to do it.”
That is what government does. Government provides the playing field on which the corporations operate. We set the basic rules: what is allowed or what isn’t. Well, 100 and something years ago, we went to an industry and said, “Yes, we know you are making a nice profitable business sending five year olds up chimneys to clean them. We have decided that is immoral. You can’t do that anymore.” That’s what we do in society.
So yes, you cannot assume that corporations do anything that isn’t in their financial interest, and you shouldn’t. That’s not the way the system works. We build a system where we decide what is allowable, and then on top of that, companies decide what is profitable.
Jeff: To what extent do you think that legislators in particular, even more than regulators, but legislators have a clear understanding of the issues that we face?
Bruce: You know the answer to that question before you asked it, don’t you? They don’t, and that’s why the lobbyists do so well. If this bill to force Google and Apple to open their app store monopolies to competition passes, it’ll be—I think—a miracle. It’ll mean that the very expensive lobbyists failed to convince the legislators. That’s not the way to bet.
Jeff: Is there a problem, as you said, and you’ve been looking at these security issues for a long time, that it has changed by the way in which, like everything else in society, it has become so politicized, it has taken the real focus off what the problems that need to be solved really are?
Bruce: Oddly, I think not. A lot of these issues don’t fall on the standard Republican/Democratic divide. Now, I’m thinking again about the Apple, Google app store monopoly just because it’s what I’m paying attention to this week. It just came out of committee, and the voting wasn’t along party lines. A lot of these tech issues aren’t traditional politics. They’re much more power in lobbying. So, I don’t think that’s the big deal here, weirdly, because everything else is.
But here, big tech has got a lot of people in their pockets—Republicans and Democrats. Privacy/security has a lot of proponents—Republicans and Democrats. It doesn’t fall cleanly, which I think is an opportunity.
Jeff: Unpack that a little bit. Where do you think the opportunities are?
Bruce: Because when something doesn’t fall in neat political lines, you just don’t have the politics of sports overlay that permeates so much of what we’re trying to do in governance, that you actually can have some real debate because the major political divisions aren’t in play. Politics of sports has really done a lot of damage. Any time you can get away from that, I think you’re doing well.
Jeff: And finally, Bruce, what keeps you awake at night? What do you worry about the most in this whole arena?
Bruce: I tend to sleep pretty well. And I think it’s what I’ve said before. I really worry about corporate control of our society, that we’re really ceding so much governance to corporations and it’s in weird places. The Paris Call is this giant international agreement on stability in cyberspace, how nations should use cyber weapons. It’s something signed by a bunch of countries. U.S. signed it last year—big deal. A lot of that work was sponsored by corporations.
Now, to me that’s worrisome that this is this major international inter-government treaty, really, that is being managed by corporate interests. I don’t like that. And it’s like if our nuclear [unintelligible 00:27:24] treaties were run by [unintelligible 00:27:27]. We would think that would be wrong. I think similarly, that’s wrong here. So back to more general, corporate interests are steering too much of society right now, and I think that is to our detriment.
Jeff: I wonder if that’s a pendulum that just historically, we know swings from one side to the other, and we will over time see a change in this.
Bruce: Oh, I think that’s true. What’s different now—everything swings in a pendulum like that, and I think corporate government balance is one of those things, is the amplitudes are increasing. The amount of damage that can be done when the pendulum goes bad gets worse every time. Climate change is the big example. Corporate control is a freaking disaster for the planet. So, do we get to the point where swinging back and forth becomes dangerous because the amplitude of the pendulum is too great? I don’t know the answer to that question, but that is what I think about when I think about the pendulum swing.
Jeff: And to that, finally, what’s the one thing you would like to see government do that could really make a difference, if you had to pick one thing?
Bruce: I don’t—do I have to pick one thing? Get involved, pay attention, stop goofing off.
Jeff: Those are good things.
Bruce: [laughs]. I know. I’m not optimistic either. We’re doing our best.
Jeff: Bruce Schneier, I thank you so much for spending time with us.
Bruce: Thanks for having me. This was fun.
Jeff: Thank you, and thank you for listening and joining us here on the WhoWhatWhy podcast. I hope you join us next week for another radio WhoWhatWhy podcast. I’m Jeff Schechtman. If you like this podcast, please feel free to share and help others find it by rating and reviewing it on iTunes. You can also support this podcast and all the work we do by going to whowhatwhy.org/donate.