Bruce Schneier

The platforms are so powerful, their names are verbs: Google, Uber, Instagram, Netflix. For years, the dominance of American tech companies has brought economic benefits…

An op-ed by Nathan E. Sanders and Bruce Schneier: Launched just weeks ago, ChatGPT is already threatening to upend how we draft everyday communications like…

Chinese researchers claim to have introduced a new code-breaking algorithm that, if successful, could render mainstream encryption powerless within years rather than decades. The team,…

Just two days after he announced he would buy Twitter, Elon Musk sent out a deluge of tweets about his plans for the social media platform. One stood out for its broad appeal. "Twitter DMs should have end to end encryption like Signal, so no one can spy on or hack your messages," he wrote. ... Twitter's relatively smaller size — its global user base is a fraction of Facebook, Instagram and WhatsApp — and the fact that it is not seen primarily as a messaging platform, may have allowed it to fly slightly under the radar, according to Bruce Schneier, a security technologist and fellow at Harvard University's Berkman Center for Internet and Society. "Twitter is used less for that kind of direct conversation than Signal, SMS, WhatsApp and Telegram," he said. "It's more semi-public."

Boise residents on Saturday found bookmark-sized fliers in their neighborhoods. A large black box at the top read, “POLITICAL PROSECUTION.” Below it were photos, home addresses, phone numbers and email addresses of two people: 4th District Magistrate Judge Annie McDevitt and Ada County Deputy Prosecuting Attorney Whitney Welsh. The flier claimed that McDevitt and Welsh were “using their position of power to retaliate against a gubernatorial candidate because of his opposition to the inequity of justice and systemic excessive force used by government agents” — a reference to Ammon Bundy. ... “Any of these laws could be subverted by the powerful,” Bruce Schneier, a fellow at the Berkman Klein Center for Internet & Society at Harvard University, told The Markup last year.

An op-ed by Henry Farrell and Bruce Schneier: This month, the New York state attorney general issued a report on a scheme by “U.S. Companies and Partisans [to] Hack Democracy.” This wasn’t another attempt by Republicans to make it harder for Black people and urban residents to vote. It was a concerted attack on another core element of U.S. democracy — the ability of citizens to express their voice to their political representatives. And it was carried out by generating millions of fake comments and fake emails purporting to come from real citizens. This attack was detected because it was relatively crude. But artificial intelligence technologies are making it possible to generate genuine-seeming comments at scale, drowning out the voices of real citizens in a tidal wave of fake ones. As political scientists like Paul Pierson have pointed out, what happens between elections is important to democracy. Politicians shape policies and they make laws. And citizens can approve or condemn what politicians are doing, through contacting their representatives or commenting on proposed rules.

Colorado on Tuesday made it illegal to share the personal information of public health workers and their families online so that it can be used for purposes of harassment, responding to an increase in threats to such workers during the pandemic...Violators of Colorado’s new law face up to 18 months in jail and a $5,000 fine. The state had already made it a crime to dox law enforcement officers or workers who provide child welfare and adult protective services. Bruce Schneier, a cybersecurity expert and a fellow at the Berkman-Klein Center for Internet and Society at Harvard University, welcomed the legislation but questioned why its protections were extended only to public health workers. “What about the people who faced a lot of doxxing and harassment before the pandemic?” Mr. Schneier said in an interview on Wednesday. “It’s like saying it’s illegal to rob truck drivers but it’s OK to rob everybody else. It doesn’t make any sense to me.”

When news broke late last year that a massive, years-long Russian cyberespionage had penetrated large parts of the U.S. federal government and its information technology systems, policymakers were quick to describe the breach as “an act of war” and that the United States must strike back. But the breach that leveraged weaknesses in software developed by the company SolarWinds was not an act of war. It was an act of espionage. The United States has experienced cycles of outrage over Russian espionage before and mislabeling espionage as an act of war risks leading the United States toward the wrong response. To understand why the SolarWinds breach was an act of espionage, and not an act of war, it is worth considering the technical details of the breach...Today, a number of different policy proposals have been floated in response to the SolarWinds breach. One former supply chain security official at the Department of Homeland Security has argued in favor of greater oversight of software suppliers. Others have proposed greater incentives for software firms to build secure products. The computer security expert Bruce Schneier recently noted that the economic incentives for companies to fix their own cybersecurity problems before they impact customers are misaligned. Companies can transfer the risk of a data breach or cybersecurity incident to their customers or to taxpayers with little or no financial impact.

An op-ed by Bruce Schneier: President Biden wants his Peloton in the White House. For those who have missed the hype, it’s an Internet-connected stationary bicycle. It has a screen, a camera, and a microphone. You can take live classes online, work out with your friends, or join the exercise social network. And all of that is a security risk, especially if you are the president of the United States. Any computer brings with it the risk of hacking. This is true of our computers and phones, and it’s also true about all of the Internet-of-Things devices that are increasingly part of our lives. These large and small appliances, cars, medical devices, toys and — yes — exercise machines are all computers at their core, and they’re all just as vulnerable. Presidents face special risks when it comes to the IoT, but Biden has the NSA to help him handle them. Not everyone is so lucky, and the rest of us need something more structural. US presidents have long tussled with their security advisers over tech. The NSA often customizes devices, but that means eliminating features. In 2010, President Barack Obama complained that his presidential BlackBerry device was “no fun” because only ten people were allowed to contact him on it. In 2013, security prevented him from getting an iPhone. When he finally got an upgrade to his BlackBerry in 2016, he complained that his new “secure” phone couldn’t take pictures, send texts, or play music. His “hardened” iPad to read daily intelligence briefings was presumably similarly handicapped. We don’t know what the NSA did to these devices, but they certainly modified the software and physically removed the cameras and microphones — and possibly the wireless Internet connection.

An op-ed by Bruce Schneier: The information that is emerging about Russia's extensive cyberintelligence operation against the United States and other countries should be increasingly alarming to the public. The magnitude of the hacking, now believed to have affected more than 250 federal agencies and businesses -- primarily through a malicious update of the SolarWinds network management software -- may have slipped under most people's radar during the holiday season, but its implications are stunning. According to a Washington Post report, this is a massive intelligence coup by Russia's Foreign Intelligence Service (SVR). And a massive security failure on the part of the United States is also to blame. Our insecure internet infrastructure has become a critical national security risk -- one that we need to take seriously and spend money to reduce. President-elect Joe Biden's initial response spoke of retaliation, but there really isn't much the United States can do beyond what it already does. Cyberespionage is business as usual among countries and governments, and the United States is aggressively offensive in this regard. We benefit from the lack of norms in this area and are unlikely to push back too hard because we don't want to limit our own offensive actions.

The massive hack of government networks that came to light this month is “probably the most consequential cyber-espionage campaign in history,” an industry expert warns...The extensive security breach affected the federal Treasury, Commerce and Homeland Security departments, among others. The hackers — believed by many experts to be Russian — piggybacked on software updates pushed out by the company SolarWinds, although the nation’s top cybersecurity agency believes other access points may have also been used. “Here’s where the Russian [Foreign Intelligence Service] ruined Christmas: the only thing you can do, if you want to be secure, is basically burn your network to the ground and start all over again,” said Bruce Schneier, a security expert and fellow at Harvard University’s Berkman Klein Center for Internet and Society. “It is long, it is hard, it is painful, it is time-consuming; and even then you can’t be sure.”

An article by Nick Couldry and Bruce Schneier: Six months into the pandemic with no end in sight, many of us have been feeling a sense of unease that goes beyond anxiety or distress. It's a nameless feeling that somehow makes it hard to go on with even the nice things we regularly do. What's blocking our everyday routines is not the anxiety of lockdown adjustments, or the worries about ourselves and our loved ones -- real though those worries are. It isn't even the sense that, if we're really honest with ourselves, much of what we do is pretty self-indulgent when held up against the urgency of a global pandemic. It is something more troubling and harder to name: an uncertainty about why we would go on doing much of what for years we'd taken for granted as inherently valuable. What we are confronting is something many writers in the pandemic have approached from varying angles: a restless distraction that stems not just from not knowing when it will all end, but also from not knowing what that end will look like. Perhaps the sharpest insight into this feeling has come from Jonathan Zecher, a historian of religion, who linked it to the forgotten Christian term: acedia. Acedia was a malady that apparently plagued many Medieval monks. It's a sense of no longer caring about caring, not because one had become apathetic, but because somehow the whole structure of care had become jammed up. What could this particular form of melancholy mean in an urgent global crisis? On the face of it, all of us care very much about the health risks to those we know and don't know. Yet lurking alongside such immediate cares is a sense of dislocation that somehow interferes with how we care.

The National Conference of Bar Examiners has a remote proctoring requirement for states using its testing materials in October online bar exams. However, according to one of three bar exam software providers that recently pulled out of the online exam, the mandate may not be possible to carry out. Greg Sarab, the founder and chief executive officer of Extegrity, says his primary concerns about a bar exam with remote proctoring include reliable internet connections being required for live remote proctored exams, and that the requirement of simultaneous start times comes with significant technological and procedural burdens. He also says there hasn’t been sufficient development time or product testing for the technology...Bruce Schneier, a security technologist who is a fellow at Harvard University’s Berkman Klein Center for Internet and Society, says building technology for government entities is often difficult. Also, he thinks that when people discuss policy in technology, they frequently talk at each other rather than engaging in active listening to find the best solutions. “It’s not a matter of just plugging in the system and saying, ‘Go.’ It’s hard, and it needs to be thought about. To the extent it hasn’t been thought out, that’s kind of a recipe for disaster,” says Schneier. Many universities now use online proctoring for tests, but Schneier says the systems are “kind of mediocre at everything.” He’s not sure the offerings will improve much and wonders if jurisdictions may want to consider moving away from proctored remote bar exams during the pandemic, and instead, replace them with take-home tests. “How do we define success? If it’s online proctoring and cheating, and I don’t detect you cheating, it’s a success, right? This is hard,” Schneier says.

Lisa Marsh’s job shopping and delivering groceries for Instacart during the past three years has been unforgiving. Company tipping policies cut into earnings while boycotts and other labor strife created confusion, she said. Then the global pandemic hit, transforming once mundane trips to Los Angeles grocery stores where she lives into a palpable health risk. In recent weeks, another problem has emerged: bots that snatch the largest, most lucrative orders out of the hands of other shoppers. Here’s how it works. Instacart pays contract workers to shop for groceries and deliver them to customers. Normally, the shoppers open the Instacart shopping app and, as orders flash by, click on the ones they want to fulfill. But in order to gain an edge, some shoppers are paying software developers who have created bots—in the form of third-party apps—that run alongside the legitimate Instacart app and claim the best orders for clients. In this way, the app tilts competition between shoppers but is invisible to customers and doesn’t take business away from Instacart either...But as security experts at Amazon.com Inc. and other sites have discovered, battling rogue apps is a lot like playing whack-a-mole. As soon as a company thwarts one bot program, a new version of it emerges, usually with a new name. “If Instacart cared—if it was losing money—they could devote resources to make the jobs of these automatic snipers much harder,” Bruce Schneier, a cybersecurity expert, author and lecturer at Harvard University, who said there are ways for companies to detect such bots. “This is a problem that any company that makes money from automation is likely being forced to deal with. Some handle it well. Others don’t.”

An article by Bruce Schneier: Twitter was hacked this week. Not a few people’s Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter’s system administrators. Those are the people trusted to ensure that Twitter functions smoothly. The hacker used that access to send tweets from a variety of popular and trusted accounts, including those of Joe Biden, Bill Gates, and Elon Musk, as part of a mundane scam—stealing bitcoin—but it’s easy to envision more nefarious scenarios. Imagine a government using this sort of attack against another government, coordinating a series of fake tweets from hundreds of politicians and other public figures the day before a major election, to affect the outcome. Or to escalate an international dispute. Done well, it would be devastating. Whether the hackers had access to Twitter direct messages is not known. These DMs are not end-to-end encrypted, meaning that they are unencrypted inside Twitter’s network and could have been available to the hackers. Those messages—between world leaders, industry CEOs, reporters and their sources, heath organizations—are much more valuable than bitcoin. (If I were a national-intelligence agency, I might even use a bitcoin scam to mask my real intelligence-gathering purpose.) Back in 2018, Twitter said it was exploring encrypting those messages, but it hasn’t yet. Internet communications platforms—such as Facebook, Twitter, and YouTube—are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. They are essential infrastructure. Yet they are run by for-profit companies with little government oversight. This is simply no longer sustainable.

It took a global pandemic and stay-at-home orders for 1.5 billion people worldwide, but something is finally occurring to us: The future we thought we expected may not be the one we get. We know that things will change; how they’ll change is a mystery. To envision a future altered by coronavirus, Quartz asked dozens of experts for their best predictions on how the world will be different in five years. Below is an answer from Bruce Schneier, a security expert focused on technology. He is a fellow at the Berkman Klein Center for Internet & Society at Harvard University and a lecturer in public policy at the Harvard Kennedy School. He is also the author of more than a dozen books—his latest, Click Here to Kill Everybody, was published in 2018. "For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing.  Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that’s all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient. Using many small suppliers is inefficient. Inefficiency is unprofitable. But inefficiency is essential security, as the Covid-19 pandemic is teaching us. All of the overcapacity that has been squeezed out of our health care system; we now wish we had it. All of the redundancy in our food production that has been consolidated away; we want that, too. We need our old, local supply chains—not the single global ones that are so fragile in this crisis. And we want our local restaurants and businesses to survive, not just the national chains."

Zoom’s rapid ascent this year has brought with it the scrutiny that most fast-growing tech companies face — mostly in the form of a series of privacy and security concerns. Now, the San Jose-based company is taking a big step towards damage control. The hugely popular video conferencing platform will begin rolling out end-to-end encryption to all its users next month, it said Wednesday, backtracking on a controversial plan to offer the heightened security feature only to paying customers. End-to-end encryption is considered one of the most private ways to communicate online and allows users to have secure conversations without anyone — including the platform they’re speaking on — having access to the data...And offering encryption to all its users has become even more important for Zoom, which was built as a remote workplace tool but is suddenly being used for private events such as birthdays, funerals, government meetings and activist gatherings. “With all of the dissidents and all the people using Zoom now, I think [offering end-to-end encryption only to paid users] is a mistake,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “I want them to have other features as profit centers, not safety and security.” ... “If you think about what Zoom is doing, they are collecting all the videos, all the voices, putting it together, displaying them nicely. If that stuff is being done in the center, they have to do work on it,” said Schneier. “It does get harder exponentially as the size of the meeting grows.” However, it’s not an insurmountable task, and could be well worth it to restore the trust of Zoom’s users after a series of privacy and security slip-ups. “It’s hard but it’s not go-to-the-moon hard,” Schneier said. “It’s you-just-gotta-do-it hard.”

When an outbreak of the bubonic plague swept through Europe in the 16th century, people in London were told to stay home for a month if anyone they lived with had contracted the disease. So long as they carried with them a long white stick, known as a plague wand, one person from an infected household could venture outside to get food or other supplies. The stick served as a warning sign. It told other people to stay away. Today, in the grip of the Covid-19 pandemic, the advice is the same: Stay home and avoid other people. But in the 21st century, we no longer use white sticks to identify those who may be contagious. Instead, governments and law enforcement agencies are turning to a vast armory of digital technologies in an effort to track and stop outbreaks in different parts of the world. We have surveillance systems that can map out the movements of entire populations, thanks to the invisible signals emitted by the smartphones we carry in our pockets. We have drones that fly above city parks and blast out audio warnings to anyone not following guidelines on social distancing...Many governments had broad digital surveillance capabilities in place prior to the pandemic. In 2013, the U.S. National Security Agency whistleblower Edward Snowden laid bare some of them. Snowden’s disclosures revealed that the NSA had built a global spying apparatus that was vacuuming up vast amounts of private communications from the world’s phone and internet networks. In December 2013, the Washington Post reported that the agency was covertly collecting almost 5 billion records every day on the whereabouts of people’s cellphones internationally... “They already have these ridiculous surveillance powers,” says Bruce Schneier, a security expert and cryptographer who lectures at Harvard's Kennedy School. “The smartphone is the most invasive surveillance device our species has ever invented. I don’t see what’s happening now [during the Covid pandemic] as making any difference.”