Bruce Schneier, one of the world's leading security technologists, has a new book out March 2, 2015 titled "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World."
Below, the prolific bestselling author shares an exclusive excerpt from "Data and Goliath" on the global public-private surveillance partnership that has maintained its strength in the face of Edward Snowden's damaging revelations.
The Public-Private Surveillance Partnership
Corporate surveillance and government surveillance aren’t separate. They’re intertwined; the two support each other. It’s a public-private surveillance partnership that spans the world. This isn’t a formal agreement; it’s more an alliance of interests. Although it isn’t absolute, it’s become a de facto reality, with many powerful stakeholders supporting its perpetuation. And though Snowden’s revelations about NSA surveillance have caused rifts in the partnership, it’s still strong.
The Snowden documents made it clear how much the NSA relies on US corporations to eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already building one, and tapped into it. Through programs like PRISM, the NSA legally compels Internet companies like Microsoft, Google, Apple, and Yahoo to provide data on several thousand individuals of interest. Through other programs, the NSA gets direct access to the Internet backbone to conduct mass surveillance on everyone. Sometimes those corporations work with the NSA willingly. Sometimes they’re forced by the courts to hand over data, largely in secret. At other times, the NSA has hacked into those corporations’ infrastructure without their permission.
This is happening all over the world. Many countries use corporate surveillance capabilities to monitor their own citizens. Through programs such as TEMPORA, the UK’s GCHQ pays telcos like BT and Vodafone to give it access to bulk communications all over the world. Vodafone gives Albania, Egypt, Hungary, Ireland, and Qatar—possibly 29 countries in total—direct access to Internet traffic flowing inside their countries. We don’t know to what extent these countries are paying for access, as the UK does, or just demanding it. The French government eavesdrops on France Télécom and Orange. China and Russia partner with companies in their countries to eavesdrop on their citizens. About a dozen countries have data retention laws—declared unconstitutional in the EU in 2014—requiring ISPs to keep surveillance data on their customers for some months in case the government wants access to it. Internet cafes in Iran, Vietnam, India, and elsewhere must collect and retain identity information of their customers.
[sharequote align="center"]Corporate surveillance and government surveillance aren’t separate. They’re intertwined[/sharequote]
Similar things are happening off the Internet. Immediately after 9/11, the US government bought data from data brokers, including air passenger data from Torch Concepts and a database of Mexican voters from ChoicePoint. US law requires financial institutions to report cash transactions of $10,000 or larger to the government; for currency exchangers, the threshold is $1,000. Many governments require hotels to report which foreigners are sleeping there that night, and many more make copies of guests’ ID cards and passports. CCTV cameras, license plate capture systems, and cell phone location data are being used by numerous governments.
By the same token, corporations obtain government data for their own purposes. States like Illinois, Ohio, Texas, and Florida sell driver’s license data, including photos, to private buyers. Some states sell voter registration data. The UK government proposed the sale of taxpayer data in 2014, but public outcry has halted that, at least temporarily. The UK National Health Service also plans to sell patient health data to drug and insurance firms. There’s a feedback loop: corporations argue for more government data collection, then argue that the data should be released under open government laws, and then repackage the data and sell it back to the government.
The net result is that a lot of surveillance data moves back and forth between government and corporations. One consequence of this is that it’s hard to get effective laws passed to curb corporate surveillance—governments don’t really want to limit their own access to data by crippling the corporate hand that feeds them.
Excerpted from Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier. Copyright © 2015 by Bruce Schneier. With permission of the publisher, W. W. Norton & Company, Inc. All rights reserved.