: New: Book Report: Data and Goliath

Bruce Schneier once again writing a normal-person-understandable policy-ish book about implications of computer security SNAFU.

Plenty of organizations gather info about us. Some of this information is online stuff: who we call, who we know on social networks, and on and on. Some of this information is real-world stuff: where our cars' license plates have been spotted, where we've traveled, and on and on.

Who/what has access to this information? Some people/things that make sense. I'm glad Gmail knows who sent me that email* so it can show me the From: field. Some people/things that don't make sense. I'm sad the NSA knows who's sending me emails since they're not using it for anything useful and employ some creepy folks who like to peek at such things.

Even if you're glad that some organization has your info, you might not be so glad if you knew how poorly they keep it safe. Users of the Ashley Madison adultery-hookup site were presumably glad to give private info to the site. They were presumably sad when hackers got past the site's not-so-great security and published the users' private no-longer-private info.

What can users do? Some things, but maybe not much. When you choose a service to work with, you might choose the one you trust to keep your data safe and/or to "forget" that data when it's no longer useful. But how do you know which services to trust? If you'd ask me to guess whether an adultery-hookup site would have good security, I'd have guessed it would (such private info)… and I would have been wrong. And sometimes all the choices are bad. And often, we don't choose. If I choose to move to another country, the NSA won't stop trying to snoop on my emails; it just won't be breaking US law when it does so. (So I guess I'd be helping to stop illegal spying? kinda?)

Policy-makers can do more. If in a secret police force, you might be a policy-maker; you can choose to snoop less. If you're in a company, you might be a policy-maker: you can choose to "forget" data if the risk of retaining it is > the benefit of keeping it around.

It's a thoughtful book.

*Yeah, email can be spoofed. Anyhow.

Tags: book capabilities

blog comments powered by Disqus