Reflections on Bruce Schneier's talk, titled “Security and Privacy in the World-Sized Web”

Author: Salahuddin Rafiquddin

On February 17, the University of Ottawa’s Faculty of Law and the Centre for Law, Technology and Society welcomed Bruce Schneier to give the 9th annual Deirdre G. Martin Memorial Lecture on Privacy.


Schneier’s talk, titled “Security and Privacy in the World-Sized Web”, addressed many aspects of our technological world and highlighted points of interest for those who want to ensure privacy protections are robust moving forward.

To begin, Schneier underscored how sociotechnical systems – technical systems built to engage, evaluate, and predict user habits – have permeated our world. Instead of individuals choosing when and where to engage with these systems, we all now exist within a world where connected systems are constantly around us. Our phones, cars, thermostats, and watches are all computers monitoring and recording our information whether we want them to or not.

Undoubtedly, the Internet of Things is the next leap forward in expanding sociotechnical systems. Aided by sensors, processors, memory, and actuators, these new devices will share many similarities with us as individuals. Sensors such as cameras and microphones will allow these devices to take in information just as our ears and eyes do. Processors and memory aided by the cloud will allow devices to make sense of all the information they are recording just as an organic brain would. Actuators ensure these devices can interact with our environment just as we do with our hands and feet.

Taken together, sociotechnical systems and the Internet of Things are helping us create a World-Sized Web that senses, thinks, and acts upon information. This new system of systems will eventually know everything about us and will make decisions that impact a great number of lives – ultimately, it will change everything about how we live. We may be good at predicting what new technologies are on the way, but we have been notoriously poor at predicting the social changes that will come as a result. Given that it will be nearly impossible to unplug entirely from this new networked world, ensuring security and privacy protections are in place is essential moving forward.

To secure this World-Sized Web, Schneier sees two paradigms of security that are quickly being blurred together. The first is the “get it right the first time” approach ensuring the technology does not fail to begin with – such as when we build planes. The second is the “agile” approach taken from computing that expects errors, but assumes rapid recovery and adaptation through future software updates. Whatever approach is taken and to whatever degree, the stakes are high where failure in systems could be catastrophic.

Driverless cars were one example of note Schneier elaborated upon to show the costs associated with a possible breach in security. If technical security policies are not executed properly, mass surveillance could allow a state to track every car on the road – a reality that would deeply trouble privacy advocates. Even worse, however, a malicious actor could program all those cars to crash, thereby eliminating any societal benefit driverless cars may provide.

Moving forward, for security to become a reality in the World-Sized Web, Schneier explains that we must first understand the technological arms race currently occurring. There are three modern trends in this race:

  1. New sociotechnical systems shift power balances between people, corporations, and states. Individuals may be more efficient in how they use technology, but our current technological development favours larger, more powerful actors. These actors, such as states and corporations, can better leverage technology to further maximize their power vis-à-vis all others in society.
  2. Attacking is more advantageous than defending in the World-Sized Web. A defender must protect against every possible breach whereas an attacker must only find one. Defenders may be limited by laws, morals, codes of conduct, and ethics whereas attackers may have no restraints whatsoever.
  3. Lone wolves can cause a great deal of harm and fewer attackers are required to carry out large-scale attacks. Technology makes everyone more efficient, including those who are looking to cause harm.

Implementing security policies in a technological arms race will be difficult. Ultimately, technological solutions are not a long-term, sustainable solution. Rather, what is truly needed is coherent, organized, consistent, and technologically invariant policy guiding all actors engaged in cultivating and expanding the World-Sized Web. For Schneier, the only place that could push forward this ambitious policy agenda would be a Federal Technology Trade Commission with centralized authority and expertise capable of crossing many jurisdictions just as technological systems do. It is a foregone conclusion that government will get more involved in regulating the World-Sized Web, but that regulation must be based in smarter engagement, rather than piecemeal and diffused strategies from many different agencies. Although some may disagree, a market solution is not possible, as markets tend to favour short-term monetary gain over long-term societal benefit.

Schneier’s talk was, without question, a peek into the near future. He raised many salient points for privacy experts to consider moving forward in how technology will shape our interactions with each other and the digital world. To conclude his talk, Schneier argued that we must be careful in connecting ourselves and our things to the network – instead, we should review what we are connecting, when we are connecting it, and for what purpose to evaluate whether our decisions are truly beneficial.

* Salahuddin Rafiquddin is a joint JD/MA student at the Faculty of Law and the Norman Paterson School of International Affairs at Carleton University. His research interests include technology law touching on topics including privacy, copyright, net neutrality, and national security law.