Interview It has been nearly a decade since famed cryptographer and privacy expert Bruce Schneier released the book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World – an examination of how government agencies and tech giants exploit personal data. Today, his predictions feel eerily accurate.

At stake, he argued then, was a possibly irreversible loss of privacy, and the archiving of everything. As he wrote, science fiction author Charlie Stross described the situation as the “end of prehistory,” in that every facet of our lives would be on a computer somewhere and available to anyone who knew how to find them.

Since the book was published, we’ve seen data harvesting continue, particularly for training AI models. The battle to keep even the most basic facts about us private seems all but lost.

We sat down with Bruce Schneier for an update on his work, and what we can expect in the future.

The Register: Data and Goliath came out nearly two years after Snowden’s leaks and just months before Congress finally made a few moves on the surveillance issue with the USA Freedom Act. Ten years on, how do you feel things have changed, if at all?

Schneier: In the main, nothing has changed since 2015. On the government side, the NSA – and their counterparts around the world – are still engaging in bulk surveillance to the extent of their abilities. Yes, the US Congress tweaked the law around the edges, but did nothing that substantially reduced their bulk surveillance, both domestically and internationally. And on the corporate side, companies ranging from the large tech monopolies to invisible data brokers are spying on us even more extensively.

At the same time, the information environment has gotten worse. More of our data is in the cloud, where companies have easier access to it. We have more Internet-of-Things devices around ourselves, which keep us under constant surveillance. And every one of us carries an incredibly sophisticated surveillance device around with us wherever we go: our smartphones. Everywhere you turn, privacy is losing.

The Register: Indeed, I know some parents who refuse to allow their kids to have a smartphone to protect their data. Will the government be the savior of privacy or, by action or inaction, kill it?

Schneier: Government needs to pass a comprehensive privacy law and regulate mass surveillance. I wrote that back in 2015, and it’s equally true today. And it’s also equally unlikely to happen at the federal level in the US anytime soon.

There has been some regulation in Europe; the General Data Protection Regulation protects Europeans to some degree from corporate surveillance. And in the US, a handful of states have passed privacy laws. But while these are often very good and to be applauded, they don’t solve the problem head-on. Surveillance capitalism is just too entrenched as a business model, and the large tech monopolies have too much power, to change that anytime soon.

After sounding the warning on privacy everyone ignored it, Schneier told us … Picture source: Joe MacInnis

The Register: You highlighted the difficulties of being free from data collection back in 2015, and that it was nearly impossible. Today the situation is worse, and it seems that if you don’t have a digital fingerprint then that’s almost seen as suspicious in itself. Can anything be done on the individual level?

Schneier: It’s hard. There are certainly things you can do around the edges, but they only help a little bit. I can tell you to not carry a smartphone, not have an email address, and not use a credit card. That was dumb advice in 2015, and it’s even dumber advice today.

I try very hard not to use cloud services, but it’s increasingly difficult because everyone else does. I try to use Signal and WhatsApp for messages, but that’s not always possible. And while I don’t use Gmail, Google has more than half of my email because over half of my correspondents do. And – you’re right – courts have taken the fact that someone left their cell phone at home as evidence that they did not want to be tracked.

The Register: Apple sells itself in its marketing as the choice for the privacy minded, although those adverts don’t appear in China. While it did stand up to the FBI over the 2016 San Bernardino criminal’s iPhone, how is Cupertino doing now?

Schneier: I’ve often made the observation that everyone wants you to have privacy, except from them. This is true for both government entities like the NSA and the large tech monopolies whose business models involve spying on our every move. Apple is the exception. It doesn’t make money spying on its users. It makes money selling them overpriced electronics.

So, yes, it can be the one tech monopoly that can give you privacy, even from them. As you point out, there are limits, like when their lucrative Chinese business interests are threatened. But for most of us, Apple builds its systems that limit even its own ability to spy on its users, which in turn limits its ability to turn our data over to governments when they demand it. But don’t think that this is anything other than a self-serving business stance.

The Register: Do you see any signs that people are wising up to the fact that their lives are an open book to anyone with the cash to pay a data broker?

Schneier: I think that people realize it today much more than they did when I wrote Data and Goliath. This is the problem with the “reasonable expectation of privacy” test that the US courts have.

If you have realistic knowledge of the level of mass surveillance that’s going on constantly, then by definition it’s okay. But while people realize it, they also realize that they can’t realistically opt out. This is why the notion of consumer choice doesn’t make sense here, and we need a comprehensive privacy law.

The Register: Are you still long-term optimistic about privacy? The short term appears to be getting worse.

Schneier: Yes, but my definition of “long-term” is stretching. I just can’t imagine that we will have this level of mass surveillance – either corporate or government – in 50 years, I think we’ll view these business practices like we view sweatshops today: as evidence of our less ethical past selves.

But it’ll be a long time getting there. As long as both corporations and governments are punch-drunk on our data, there’s no real incentive for change. AI technologies will make the problem worse.

A major privacy win since 2014 is the prevalence of end-to-end encryption for services like messaging and data archiving. But those only work for systems where the cloud doesn’t have to do work on your data. One of the promises of AI is personal digital assistants. We are going to want them to train on all of our personal data.

And, at least right now, they have to run in the cloud because of the huge compute requirements. This will cause us to give all of our personal data to a few large tech monopolies. It won’t matter if our WhatsApp messages are end-to-end encrypted if we just hand the plaintext over to whatever tech company hosts our AI assistant. I fear we are about to lose one of the few wins we’ve had.

The Register: The NSA, through people like Rob Joyce, has been on a PR campaign over the last few years. What’s your take on the agency’s posture?

Schneier: The NSA is doing a lot of good things for privacy, but there we’ve seen no evidence that security trumps surveillance if the fundamental mission is surveillance.

In Data and Goliath I recommended breaking up the NSA to remove that dual mission, so that the organization is no longer fundamentally at odds with itself. I still stand by that recommendation. And I still don’t believe that it is going to happen.

The Register: We have a new administration in the White House, backed in part by the very companies you were warning us about. How does that bode for the next four years?

Schneier: It’s really hard to know. Yes, the large tech monopolies have a lot of power right now. But the new White House might be very pro privacy, and might be equally anti state surveillance.

My guess is that there will be a lot of infighting as the various factions inside Trump’s coalition fight for their particular agendas. But – honestly – given all the chaos that is likely to befall the US and the world, fighting for privacy might not be that high on our collective agendas. But we have to see; it’s a fool’s errand predicting this one.

The Register: If the mass privatization of the government that’s looking likely happens, what are the implications of all that data being leased out to the private sector?

Schneier: I worry about security first and foremost. A lot of that data is sensitive personal data: it’s tax data, it’s medical data, it’s Social Security data. Controlling dissemination is hard; controlling dissemination when it’s being sent hither and yon is impossible.

And by security, I mean two things. Obviously, there’s the possibility that the data will be stolen and used by foreign governments and corporations. And there is the high probability that it will end up in the hands of data brokers, and then bought and sold and combined with other data.

Surveillance in the US is largely a corporate business; this will just make it worse. ®