Monday, December 26, 2022

Review of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier

This review was written by Eugene Kernes   

Book can be found in: 
Book Club Event = Book List (05/06/2023)



Excerpts

“The biggest cost is liberty, and the risk is real enough that people across political ideologies are objecting to the sheer invasiveness and pervasiveness of the surveillance system.” – Bruce Schneier, Chapter 7: Political Liberty and Justice, Page 107


“The perfect enforcement that comes with ubiquitous government surveillance chills this process.  We need imperfect security – systems that free people to try new things, much the way off-the-record brainstorming sessions loosen inhibitions and foster creativity.  If we don’t have that, we can’t slowly move from a thing’s being illegal and not okay, to illegal and not sure, to illegal and probably okay, and finally to legal.” – Bruce Schneier, Chapter 7: Political Liberty and Justice, Page 115


“Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.  It is about choice, and having the power to control how you present yourself to the world.” – Bruce Schneier, Chapter 10: Privacy, Page 148


Review

Overview:

Technology has provided enormous benefits.  Devices containing lots of personal data have been life-transforming.  The problem is the threat posed by their surveillance.  Technology has given governments and corporations the capacity for mass surveillance.  An intimate form of continuous surveillance.  Governments and corporations gather, store, and analyze a lot of data.  Often without consent, or knowledge that they are doing that.  Profiles of individual attributes are built from the data.  When data is collected and used within its service, to provide a better service, people do not mind.  Using data transparently and within the context of its collection makes it acceptable.  People object to data collection when the data is bought and sold without knowledge or consent, and used outside its context.

Mass surveillance has dangerous implications, for it allows discrimination on any criteria, and can be used to control what is seen, what can be done, and what is said.  Digital mass surveillance created a panopticon.  When individuals think they are being monitored, they change their behavior.  Data from surveillance is stored forever, which can be used as evidence against the individual later.  Even values that are legally accepted today can change their status in the future.  In this way, many governments have persecuted people based on their past views and values, even if they have changed them.  This surveillance comes without giving citizens an effective means of opting out, and without meaningful checks and balances.  Making people less safe, and less free.

 

Tracking Technology:

It used to be difficult to retain a lot of data, and too difficult to sift through the data to find meaningful information.  Early digital information products threw away most of the metadata that was created.  But with technological improvements, the ability to save and sift data has improved.  Reducing their costs, and increasing their effectiveness.

Communication devices connect individuals to a variety of people with ease and speed.  To do that, the device needs to be tracked.  Tracked everywhere.  Which means that the device knows more about the individual than the individual, because the device does not rely on human memory. 

Before cell phones, obtaining such intimate data required the use of private investigators.  An obsolete profession because of the data tracking on the phone.  Cell phone data can be used by a variety of professions, and can reveal the historic use of that cell phone.  To know where the phone has been, where it was, and who was around it.

Data is a byproduct of everything a computer does.  Recording its every operation.  Even without using the device, the device creates data about where the individual is, those near the individual, recording the interactions with others.

It is uncertain which technology products will make it, but what is certain is that they will create a lot of data.  They can be used to provide a variety of life and world changing applications, but will record everything about the individual.  Due to technological ability, secrets are harder to keep.

Intrusive surveillance systems tend to be hidden.  They tend to be in the background, which makes them easier to ignore.  Even if an individual tries to opt out of services that have surveillance, data is still being collected on them when they interact with others who are being monitored. 

Internet anonymity is nearly impossible against ubiquitous surveillance.  A single mistake in protecting the identity permanently attaches the identity to the anonymous provider.  Even trained government agents with resources have a hard time maintaining privacy and anonymity.

 

Governments:

Government went from collecting data on a few necessary people to as many people as possible.  This was due to the reduction in expense of surveillance.  Limited resources and the risk of discovery used to limit surveillance.

Part of the reason why cell phone data is being taken by governments is the claim of protecting everyone from a variety of dangerous elements.  Mass-surveillance programs are justified by trying to relieve the fear.  An effort to protect against various malicious actors, such as terrorists, should not come at the expense of ignoring the costs of police or government tyranny.  Just as bad would be to ignore malicious actors when trying to protect against government overreach.  The problem is trying to focus on a single threat, especially the rare but dramatic threats, while not considering the many more frequent banal threats.

There are situations and contexts in which governments should conduct surveillance or sabotage.  There are cases in which access to citizen’s private data is used to solve crimes and make people safer.  This power should be given, but without the ability to abuse it.  People need security provided by government, and security from government. 

Another government defense for collecting the data is that they collect only metadata.  Not the words spoken, but the numbers of the interacting individuals, including the date, time, and duration of the call.  While data provides the content, metadata provides context.  Metadata can be very revealing, especially in aggregate.  Targeting a single individual makes the contents important, but a population makes context important.  With enough metadata on an individual, content is not needed.

The NSA’s successful surveillance comes from targeted surveillance rather than mass surveillance.  With mass surveillance, there are many false positive threats that are flagged by the system.  Each threat requires massive efforts in investigation, time, and money.  Which prevents searching for actual threats.  By trying to seek out all threats, very few threats are actually prevented.  Ubiquitous surveillance and data mining cost taxpayers’ money without rewards of finding the dangerous criminals.  Money that is not being spent on more proven surveillance programs.  Surveillance and data collection are valuable tools, but need to be limited and targeted.

Mass surveillance and data mining are more suitable for social control, as governments can discriminate between individuals and groups based on their various beliefs and associations.  Data mining works with well-defined criminal profiles, such as credit card fraudsters and political dissidents.  False alarms under authoritarian rules are not as costly, because of the fear instilled by charging innocent people.

Espionage used to be about governments spying on governments.  As perpetrators no longer belong to any particular government, and can be anywhere, governments monitor everyone.  Domestic and international surveillance.  Government espionage on other governments is a military mission during peacetime and wartime which is targeted and can act as a stabilizer by reducing uncertainties about other governments’ intentions.

As different countries are using cyberweapons against others, it is important to remove vulnerabilities.  A vulnerability carries the risk that others can discover it, and use it against the users.  The difference between cyberespionage and a cyberattack depends on their disruptions.  Both require breaking into another country’s network.  That is illegal under each country’s laws, but countries are doing that to each other constantly.  Cyber-attacks on infrastructure should be recognized as an attack on the country, and subject to international law standards.

Everyone uses the same networks, which means that perpetrator communications use the same circuits as social media.  Companies store the data in various places internationally.  It is difficult not to collect information on the innocent, non-targets, because of these networks.  As everyone uses the same networks and with similar capabilities, it is not possible to choose to weaken or protect specific networks of enemies or allies.  Vulnerabilities used by intelligence agencies to spy are also used by criminals to steal information.

The US feared purchases of technology equipment from international suppliers because of a security threat: that the foreign government had created a backdoor in the equipment.  It turned out that the NSA has been doing that to other governments.

Within the US, there is no legal defense for intelligence-related whistleblowing.  Those on trial for leaking classified information are even prevented from using terms and claims during the trial.  Those on trial are not allowed to make their case.  Government whistleblowers should be protected, just like corporate whistleblowers, as they provide an additional oversight mechanism.

The NSA has made sure that nobody understands its legal authorization, while purposely misrepresenting itself in court.  Those who can access the documents, and have the expertise to understand them, are lobbied by the NSA.  The NSA uses different definitions for surveillance.  The NSA claims not to collect data on myriads of Americans, because the data is not seen by human beings.  Even though algorithms go through the data in various ways, and are used for policy implementation.

 

Corporations:

Private corporations control where people gather online, and are gathering information about the individuals for their own benefit.  Companies can categorize and manipulate people based on all the information they gather.  Manipulation that is mostly hidden and unregulated.  Much of the invisible surveillance is allowed because laws have not kept up with changes in business practices. 

Corporate surveillance tends to be agreed with.  Not because it was an informed decision, but because the product offered has value but is attached to the surveillance.  That is not really a choice, because it’s either surveillance or nothing.  Surveillance has become a business model because people get free content, and it’s convenient.  Opting out of many of the digital tools is not possible, because they have become necessary for career and social life.  The choice is not between surveillance or no surveillance, but who gets to spy on the individual.

Companies and data brokers track what individuals do on the internet.  Companies can get permission to track you on other websites through third-party cookies.  Giving access to third parties used to have limited applicability, and laws that enabled the loss of privacy when sharing the data were acceptable.  But third parties now have access to a variety of information, while the same laws allow the lack of privacy.

Many companies make their business through selling advertisement space.  Companies have made their customers into a commodity through data that is bought and sold.  The consumer has changed, to those willing to buy the data.  Individuals have become products.  Companies need to collect far more data than before because the value of the data has been reduced, affecting advertising.  Detailed consumer profiles were valuable, but have become common.  To keep the value of the data, companies need to collect far more data than before, which is an increased cost to users of the internet.

Users of digital content providers cannot request more security for their content.  They have no rights to do so.  Users do not even have the right to find out which outsourcing companies the content provider is using.  There is no recourse to companies deleting data, and giving government access to the data.  No way to take the data to another service.

Technological progress should not be inhibited, for it provides many benefits, but the harms should be minimized.  Liabilities for privacy violations would provide more responsibility for companies to protect customer data.  Businesses use surveillance because of profit and lack of regulations.  Collection and use of data should be regulated, and data retention costs increased.

 

Government and Corporations:

The NSA utilized the surveillance networks of corporations.  The NSA even forces internet companies to give the NSA data on many people, in secret.  To obtain the data, the NSA sometimes hacks corporations without permission, sometimes corporations work willingly with the NSA, sometimes the corporations are legally compelled to cooperate.

Running a business means that the FBI and NSA can use the business as a tool for mass surveillance.  The NSA can even force the business to change the business’s security system.  All this is done in secret, which the business is forced to keep secret.  As it is difficult to shut down large businesses or parts of the business, the NSA basically controls the business.  Governments and corporations tend to resist transparency laws.

The NSA has even purposely weakened American companies’ security, for NSA surveillance.  The NSA has deliberately created backdoors into encrypted software.  Creating backdoors makes the software very vulnerable because there is no way to ensure that only the government utilizes them.

US companies are harmed competitively by NSA surveillance.  US companies are less trusted, and therefore others do not purchase US technology and network equipment.

 

Psychology, Liberty, and Ubiquitous Surveillance:

The cost of the invasiveness and pervasiveness of the surveillance system is liberty.  Without any privacy, there is a lack of liberty.  There are many examples of authority figures using some pieces of information about a disapproved individual, or group, to have them arrested or worse.  With enough data, evidence of guilt can be found on everyone.  Ubiquitous surveillance means everyone has the capacity to be considered a lawbreaker, depending on police inclination.  Where everything that the individual has done is stored, which can be used as evidence against the individual later.  Especially in countries with vague laws, such as the US. 

Police are usually prohibited from using general warrants that allow them to search for anything.  General warrants can become extremely abusive, and used for social control. 

What is wrong changes over time.  Surveillance can be misused by the authority in power, even if nothing wrong is being done.  Fashionable political claims made during a time when they are acceptable can be used against those individuals in the future.  Any action can be used against the individual at an indefinite point in the future, because the evidence is stored indefinitely.  Records have become permanent.

Government censorship enabled by surveillance stifles freedom and the circulation of ideas.  When people know that someone, like the government, is watching, they self-censor.  People are less likely to discuss seemingly forbidden topics.  Not only can government technology provide surveillance, but citizens can too.  As citizens can discover and report others, as they might face penalties if they do not report.

It is hard to think and act individualistically when the individual is being monitored.  Fear and threat of reprisal, even potential future reprisals, make people conformist and compliant.  Society stagnates when individuality cannot be expressed, when nothing outside the norm is acceptable, when power is not questioned.  Lack of individuality means less freedom.

Democracy, liberty, freedom, and progress are lost under ubiquitous mass surveillance.  Dissent and forms of lawbreaking can be ways to improve society.  There were many activities that were once considered terrible, but have become socially acceptable.  Perfectly enforcing prior laws using mass surveillance would have meant that there would have been no time for citizens to consider those prior wrong acts as acceptable.  There would have been no period when those acts would have been illegal, but become tolerable, and then acceptable and legal.  A process that takes a lot of time.  Deviation creates progress.  Creativity is fostered by the lack of inhibitions in interactions not on the record. 

Privacy is needed, even for those who have nothing to hide.  Nothing wrong is done during the routine daily basic tasks.  Privacy enables the individual to have a choice, the power to select what information can be shared with whom.  Nothing wrong with not sharing information given the context, such as seeking alternative employment without advising current employer.  Nothing wrong in seeking private places for reflection and conversation.  Privacy is a human right that gives humans dignity and respect.  Ubiquitous surveillance means that the individual has no power to control what and how their information is shared.

Research indicates that even the perception of constant surveillance makes people less physically and emotionally healthy.  Surveillance threatens the sense of oneself.  Context matters for violations of privacy, for what is found and by whom determines the damage done.  The damage for privacy violations is higher for marginalized groups, and those in the public’s attention.  Surveillance affects more those who are not in favor with those in power.

Security and privacy are usually framed as a trade-off, but that leads to inappropriate evaluations.  That to get either security or privacy, the other must be sacrificed.  This is a false trade-off.  Costs of insecurity tend to be real and visceral, while costs of privacy loss are vague until faced with its aftereffects.  There are security measures that do require a reduction in privacy, but others do not.  Door locks and fences are for security and privacy.  People become vulnerable without privacy, making people feel less secure.  Privacy is enabled by the security of personal spaces and records.  Even the U.S. constitution recognizes privacy as a fundamental right along with security.

Security and surveillance do have conflicting design requirements.  Making a system more secure makes it harder to surveil, and vice versa.  It is not possible to create surveillance capacity for only appropriate people.  Security protects information flow from damaging attacks of theft and destruction, for all users.

 

Caveats?

The book acknowledges a paradox within tracking.  Referencing the ability to track every individual continuously, but also the government’s inability to catch threats using mass data.  A resolution to this paradox might be practice, as it takes time and practice using the algorithms to find the threats.  But this ability then leads to the threats against innocent people.

 


Questions to Consider while Reading the Book

•What is the raison d’etre of the book?  For what purpose did the author write the book?  Why do people read this book?
•What are some limitations of the book?
•To whom would you suggest this book?
•What are the benefits of technology and surveillance?
•What are the consequences of technology and surveillance?
•What data do governments and companies collect?
•How did technological evolution change how surveillance is conducted?
•How is data gathered?
•When is data collection and use acceptable?  When are they not acceptable?
•How is mass surveillance used on a population?
•How do people behave when they are being surveilled?
•What happens to currently acceptable claims with surveillance? 
•How can people protect themselves against surveillance?
•How to obtain anonymity?
•What is metadata? 
•Is tracking needed?
•What is the difference between targeted surveillance and mass surveillance?  How effective is each?
•How is government on government espionage used?
•What are cyberattacks?
•What are the implications of everyone using the same networks?
•What are the consequences of whistleblowing?
•Does the NSA collect data on Americans? 
•What surveillance choice do individuals have when trying to use corporate products? 
•Who is the consumer of corporate products?
•Why do companies need to collect more and more data on the individual?
•How to determine an advertisement’s value?  How did that value change?
•How is the NSA involved in corporate security?
•What is a panopticon? 
•How are privacy and liberty connected?
•How does surveillance change what people say and do? 
•How do previous illegal acts and claims become legal?
•What is the purpose of privacy? 
•What are the health implications of surveillance?
•Should surveillance be accepted even with nothing to hide?
•What is the security and privacy trade-off?  

Book Details
Publisher:         W. W. Norton
Edition ISBN:  9780393352177
Pages to read:   280
Publication:     2016
1st Edition:      2015
Format:            Paperback

Ratings out of 5:
Readability    5
Content          5
Overall           5