Surveillance and Security: A Q&A with Bruce Schneier

After appearing as the keynote speaker at Scholarship After Snowden, security expert and author Bruce Schneier had a conversation with CGCS about online security.

CGCS: Were the Snowden revelations novel? What in the documents uncovered information that was unknown to surveillance and security scholars and experts?

Bruce Schneier: On the one hand, there was no real surprise. Anyone who has followed the NSA has assumed that they did this. What was surprising is the sheer extensiveness of the surveillance programs, which probably should not have been a surprise, either. I guess just seeing it in actual detail made it more real, and therefore different.

What is the greatest misconception the general public has about security online, especially in this post-NSA revelations environment?

I think people believe that their data is more secure than it is. And I’m not thinking about criminals and hackers, I’m thinking about the “good guys.” Google knows when I stop thinking about it. Google knows what related things I’m thinking about. And Google knows that about everyone. Google knows what kind of porn everyone likes. This kind of thing is inherently creepy, and people don’t think about it.

We don’t think about it because it’s not salient. We don’t wake up in the morning and think “I’m going to carry a tracking device around with me today.” We just grab our cellphone. People don’t think about this data, who…


After Scholarship After Snowden

Prerna Soni, a UPenn Law Student and Symposium Editor of the Journal of Business Law, reports on CGCS and Penn Law’s Scholarship After Snowden mini-conference, which took place on October 17th.

Ferret Cannon. Egotistical Giraffe. Bullrun. These are not just nonsensical terms, but rather the names of a few of the surveillance tools used by the National Security Agency (NSA) to monitor your online activity. The discussion of Internet surveillance and the right to privacy has swept the U.S. by storm after the NSA exposé by Edward Snowden earlier this year. On October 17th a group of scholars and practitioners gathered at Penn to discuss what these revelations mean for the future of academia and the Internet. Scholarship After Snowden proved to be a thought-provoking event. Attendees were forced to reexamine the breadth of government surveillance, and to reevaluate the way the academy approaches technology education and policy going forward.

The sheer scope of surveillance by the U.S. government is astounding – we are not talking about an email here, a chat history there. Everything that is done on the Internet is collected and stored as data. As Bruce Schneier, a renowned cryptographer and privacy expert, noted, “We leave digital footprints everywhere,” and the fundamental problem is that we have made surveillance far too easy and cheap. When surveillance and data storage are cheap, there is a tendency to store everything. As Schneier aptly noted, when you have a great deal of money and resources, “when you have the choice of A or B, you do both.” This problem is compounded by the fact that while many Internet users understand the Internet’s basic mechanics, they do not really get what is going on “under the hood,” as Joseph Turow, the Associate Dean for Graduate Studies…


Guidelines for the Protection of National Critical Information Infrastructure: How Much Regulation?

Jonathan Diamond analyzes recent developments in India’s national cyber security policies.

This summer was a busy period for cyber security in India. Beginning with the release of the country’s first National Cyber Security Policy on July 2, followed shortly by a set of guidelines for the protection of national critical information infrastructure (CII) developed under the direction of the National Technical Research Organization (NTRO), India has made respectable progress in its national cyber security mentality. However, the National Cyber Security Policy, taken together with what little is known of the as-yet restricted guidelines for CII protection, raises troubling questions, particularly regarding the regulation of cyber security practices in the private sector. Whereas the current Policy suggests the imposition of certain preferential acquisition policies, India would be best advised to maintain technology neutrality to ensure maximum security.

According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to “prescribe the information security practices and procedures for such protected system[s].” These two paragraphs form the legal basis for the regulation of cyber security within the private sector.

Despite this basis, private cyber security remains almost completely unregulated. According to the Intermediary Guidelines, intermediaries are required to report cyber security incidents to India’s national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level. Last year the Reserve Bank of India mandated that…
