Bruce Schneier

  • Idaho extremists target judges, prosecutors, health workers in doxxing campaigns

    April 18, 2022

    Boise residents on Saturday found bookmark-sized fliers in their neighborhoods. A large black box at the top read, “POLITICAL PROSECUTION.” Below it were photos, home addresses, phone numbers and email addresses of two people: 4th District Magistrate Judge Annie McDevitt and Ada County Deputy Prosecuting Attorney Whitney Welsh. The flier claimed that McDevitt and Welsh were “using their position of power to retaliate against a gubernatorial candidate because of his opposition to the inequity of justice and systemic excessive force used by government agents” — a reference to Ammon Bundy. ... “Any of these laws could be subverted by the powerful,” Bruce Schneier, a fellow at the Berkman Klein Center for Internet & Society at Harvard University, told The Markup last year.

  • ‘Grassroots’ bot campaigns are coming. Governments don’t have a plan to stop them.

    May 25, 2021

    An op-ed by Henry Farrell and Bruce Schneier: This month, the New York state attorney general issued a report on a scheme by “U.S. Companies and Partisans [to] Hack Democracy.” This wasn’t another attempt by Republicans to make it harder for Black people and urban residents to vote. It was a concerted attack on another core element of U.S. democracy — the ability of citizens to express their voice to their political representatives. And it was carried out by generating millions of fake comments and fake emails purporting to come from real citizens. This attack was detected because it was relatively crude. But artificial intelligence technologies are making it possible to generate genuine-seeming comments at scale, drowning out the voices of real citizens in a tidal wave of fake ones. As political scientists like Paul Pierson have pointed out, what happens between elections is important to democracy. Politicians shape policies and they make laws. And citizens can approve or condemn what politicians are doing, through contacting their representatives or commenting on proposed rules.

  • Colorado Makes Doxxing Public Health Workers Illegal

    May 20, 2021

    Colorado on Tuesday made it illegal to share the personal information of public health workers and their families online so that it can be used for purposes of harassment, responding to an increase in threats to such workers during the pandemic...Violators of Colorado’s new law face up to 18 months in jail and a $5,000 fine. The state had already made it a crime to dox law enforcement officers or workers who provide child welfare and adult protective services. Bruce Schneier, a cybersecurity expert and a fellow at the Berkman-Klein Center for Internet and Society at Harvard University, welcomed the legislation but questioned why its protections were extended only to public health workers. “What about the people who faced a lot of doxxing and harassment before the pandemic?” Mr. Schneier said in an interview on Wednesday. “It’s like saying it’s illegal to rob truck drivers but it’s OK to rob everybody else. It doesn’t make any sense to me.”

  • The danger in calling the SolarWinds breach an ‘act of war’

    March 5, 2021

    When news broke late last year that a massive, years-long Russian cyberespionage had penetrated large parts of the U.S. federal government and its information technology systems, policymakers were quick to describe the breach as “an act of war” and that the United States must strike back. But the breach that leveraged weaknesses in software developed by the company SolarWinds was not an act of war. It was an act of espionage. The United States has experienced cycles of outrage over Russian espionage before and mislabeling espionage as an act of war risks leading the United States toward the wrong response. To understand why the SolarWinds breach was an act of espionage, and not an act of war, it is worth considering the technical details of the breach...Today, a number of different policy proposals have been floated in response to the SolarWinds breach. One former supply chain security official at the Department of Homeland Security has argued in favor of greater oversight of software suppliers. Others have proposed greater incentives for software firms to build secure products. The computer security expert Bruce Schneier recently noted that the economic incentives for companies to fix their own cybersecurity problems before they impact customers are misaligned. Companies can transfer the risk of a data breach or cybersecurity incident to their customers or to taxpayers with little or no financial impact.

  • Presidential Cybersecurity and Pelotons

    February 8, 2021

    An op-ed by Bruce Schneier: President Biden wants his Peloton in the White House. For those who have missed the hype, it’s an Internet-connected stationary bicycle. It has a screen, a camera, and a microphone. You can take live classes online, work out with your friends, or join the exercise social network. And all of that is a security risk, especially if you are the president of the United States. Any computer brings with it the risk of hacking. This is true of our computers and phones, and it’s also true about all of the Internet-of-Things devices that are increasingly part of our lives. These large and small appliances, cars, medical devices, toys and — yes — exercise machines are all computers at their core, and they’re all just as vulnerable. Presidents face special risks when it comes to the IoT, but Biden has the NSA to help him handle them. Not everyone is so lucky, and the rest of us need something more structural. US presidents have long tussled with their security advisers over tech. The NSA often customizes devices, but that means eliminating features. In 2010, President Barack Obama complained that his presidential BlackBerry device was “no fun” because only ten people were allowed to contact him on it. In 2013, security prevented him from getting an iPhone. When he finally got an upgrade to his BlackBerry in 2016, he complained that his new “secure” phone couldn’t take pictures, send texts, or play music. His “hardened” iPad to read daily intelligence briefings was presumably similarly handicapped. We don’t know what the NSA did to these devices, but they certainly modified the software and physically removed the cameras and microphones — and possibly the wireless Internet connection.

  • The SolarWinds hack is stunning. Here’s what should be done

    January 6, 2021

    An op-ed by Bruce Schneier: The information that is emerging about Russia's extensive cyberintelligence operation against the United States and other countries should be increasingly alarming to the public. The magnitude of the hacking, now believed to have affected more than 250 federal agencies and businesses -- primarily through a malicious update of the SolarWinds network management software -- may have slipped under most people's radar during the holiday season, but its implications are stunning. According to a Washington Post report, this is a massive intelligence coup by Russia's Foreign Intelligence Service (SVR). And a massive security failure on the part of the United States is also to blame. Our insecure internet infrastructure has become a critical national security risk -- one that we need to take seriously and spend money to reduce. President-elect Joe Biden's initial response spoke of retaliation, but there really isn't much the United States can do beyond what it already does. Cyberespionage is business as usual among countries and governments, and the United States is aggressively offensive in this regard. We benefit from the lack of norms in this area and are unlikely to push back too hard because we don't want to limit our own offensive actions.

  • The most consequential cyber-attack in history just happened. What now?

    January 4, 2021

    The massive hack of government networks that came to light this month is “probably the most consequential cyber-espionage campaign in history,” an industry expert warns...The extensive security breach affected the federal Treasury, Commerce and Homeland Security departments, among others. The hackers — believed by many experts to be Russian — piggybacked on software updates pushed out by the company SolarWinds, although the nation’s top cybersecurity agency believes other access points may have also been used. “Here’s where the Russian [Foreign Intelligence Service] ruined Christmas: the only thing you can do, if you want to be secure, is basically burn your network to the ground and start all over again,” said Bruce Schneier, a security expert and fellow at Harvard University’s Berkman Klein Center for Internet and Society. “It is long, it is hard, it is painful, it is time-consuming; and even then you can’t be sure.”

  • The unrelenting horizonlessness of the Covid world

    September 23, 2020

An article by Nick Couldry and Bruce Schneier: Six months into the pandemic with no end in sight, many of us have been feeling a sense of unease that goes beyond anxiety or distress. It's a nameless feeling that somehow makes it hard to go on with even the nice things we regularly do. What's blocking our everyday routines is not the anxiety of lockdown adjustments, or the worries about ourselves and our loved ones -- real though those worries are. It isn't even the sense that, if we're really honest with ourselves, much of what we do is pretty self-indulgent when held up against the urgency of a global pandemic. It is something more troubling and harder to name: an uncertainty about why we would go on doing much of what for years we'd taken for granted as inherently valuable. What we are confronting is something many writers in the pandemic have approached from varying angles: a restless distraction that stems not just from not knowing when it will all end, but also from not knowing what that end will look like. Perhaps the sharpest insight into this feeling has come from Jonathan Zecher, a historian of religion, who linked it to the forgotten Christian term: acedia. Acedia was a malady that apparently plagued many Medieval monks. It's a sense of no longer caring about caring, not because one had become apathetic, but because somehow the whole structure of care had become jammed up. What could this particular form of melancholy mean in an urgent global crisis? On the face of it, all of us care very much about the health risks to those we know and don't know. Yet lurking alongside such immediate cares is a sense of dislocation that somehow interferes with how we care.

  • Software provider pulls out of remotely proctored bar exams because of technology concerns

    August 19, 2020

    The National Conference of Bar Examiners has a remote proctoring requirement for states using its testing materials in October online bar exams. However, according to one of three bar exam software providers that recently pulled out of the online exam, the mandate may not be possible to carry out. Greg Sarab, the founder and chief executive officer of Extegrity, says his primary concerns about a bar exam with remote proctoring include reliable internet connections being required for live remote proctored exams, and that the requirement of simultaneous start times comes with significant technological and procedural burdens. He also says there hasn’t been sufficient development time or product testing for the technology...Bruce Schneier, a security technologist who is a fellow at Harvard University’s Berkman Klein Center for Internet and Society, says building technology for government entities is often difficult. Also, he thinks that when people discuss policy in technology, they frequently talk at each other rather than engaging in active listening to find the best solutions. “It’s not a matter of just plugging in the system and saying, ‘Go.’ It’s hard, and it needs to be thought about. To the extent it hasn’t been thought out, that’s kind of a recipe for disaster,” says Schneier. Many universities now use online proctoring for tests, but Schneier says the systems are “kind of mediocre at everything.” He’s not sure the offerings will improve much and wonders if jurisdictions may want to consider moving away from proctored remote bar exams during the pandemic, and instead, replace them with take-home tests. “How do we define success? If it’s online proctoring and cheating, and I don’t detect you cheating, it’s a success, right? This is hard,” Schneier says.

  • Instacart shoppers are battling order-grabbing bots

    August 3, 2020

    Lisa Marsh’s job shopping and delivering groceries for Instacart during the past three years has been unforgiving. Company tipping policies cut into earnings while boycotts and other labor strife created confusion, she said. Then the global pandemic hit, transforming once mundane trips to Los Angeles grocery stores where she lives into a palpable health risk. In recent weeks, another problem has emerged: bots that snatch the largest, most lucrative orders out of the hands of other shoppers. Here’s how it works. Instacart pays contract workers to shop for groceries and deliver them to customers. Normally, the shoppers open the Instacart shopping app and, as orders flash by, click on the ones they want to fulfill. But in order to gain an edge, some shoppers are paying software developers who have created bots—in the form of third-party apps—that run alongside the legitimate Instacart app and claim the best orders for clients. In this way, the app tilts competition between shoppers but is invisible to customers and doesn’t take business away from Instacart either...But as security experts at Inc. and other sites have discovered, battling rogue apps is a lot like playing whack-a-mole. As soon as a company thwarts one bot program, a new version of it emerges, usually with a new name. “If Instacart cared—if it was losing money—they could devote resources to make the jobs of these automatic snipers much harder,” Bruce Schneier, a cybersecurity expert, author and lecturer at Harvard University, who said there are ways for companies to detect such bots. “This is a problem that any company that makes money from automation is likely being forced to deal with. Some handle it well. Others don’t.”

  • The Twitter Hacks Have to Stop

    July 20, 2020

An article by Bruce Schneier: Twitter was hacked this week. Not a few people’s Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter’s system administrators. Those are the people trusted to ensure that Twitter functions smoothly. The hacker used that access to send tweets from a variety of popular and trusted accounts, including those of Joe Biden, Bill Gates, and Elon Musk, as part of a mundane scam—stealing bitcoin—but it’s easy to envision more nefarious scenarios. Imagine a government using this sort of attack against another government, coordinating a series of fake tweets from hundreds of politicians and other public figures the day before a major election, to affect the outcome. Or to escalate an international dispute. Done well, it would be devastating. Whether the hackers had access to Twitter direct messages is not known. These DMs are not end-to-end encrypted, meaning that they are unencrypted inside Twitter’s network and could have been available to the hackers. Those messages—between world leaders, industry CEOs, reporters and their sources, health organizations—are much more valuable than bitcoin. (If I were a national-intelligence agency, I might even use a bitcoin scam to mask my real intelligence-gathering purpose.) Back in 2018, Twitter said it was exploring encrypting those messages, but it hasn’t yet. Internet communications platforms—such as Facebook, Twitter, and YouTube—are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. They are essential infrastructure. Yet they are run by for-profit companies with little government oversight. This is simply no longer sustainable.

  • Bruce Schneier says we need to embrace inefficiency to save our economy

    June 30, 2020

It took a global pandemic and stay-at-home orders for 1.5 billion people worldwide, but something is finally occurring to us: The future we thought we expected may not be the one we get. We know that things will change; how they’ll change is a mystery. To envision a future altered by coronavirus, Quartz asked dozens of experts for their best predictions on how the world will be different in five years. Below is an answer from Bruce Schneier, a security expert focused on technology. He is a fellow at the Berkman Klein Center for Internet & Society at Harvard University and a lecturer in public policy at the Harvard Kennedy School. He is also the author of more than a dozen books—his latest, Click Here to Kill Everybody, was published in 2018. "For decades, we have prized efficiency in our economy. We strive for it. We reward it. In normal times, that’s a good thing. Running just at the margins is efficient. A single just-in-time global supply chain is efficient. Consolidation is efficient. And that’s all profitable. Inefficiency, on the other hand, is waste. Extra inventory is inefficient. Overcapacity is inefficient. Using many small suppliers is inefficient. Inefficiency is unprofitable. But inefficiency is essential security, as the Covid-19 pandemic is teaching us. All of the overcapacity that has been squeezed out of our health care system; we now wish we had it. All of the redundancy in our food production that has been consolidated away; we want that, too. We need our old, local supply chains—not the single global ones that are so fragile in this crisis. And we want our local restaurants and businesses to survive, not just the national chains."

  • Zoom Responds To Privacy Backlash, Giving All Users End-To-End Encryption

    June 22, 2020

    Zoom’s rapid ascent this year has brought with it the scrutiny that most fast-growing tech companies face — mostly in the form of a series of privacy and security concerns. Now, the San Jose-based company is taking a big step towards damage control. The hugely popular video conferencing platform will begin rolling out end-to-end encryption to all its users next month, it said Wednesday, backtracking on a controversial plan to offer the heightened security feature only to paying customers. End-to-end encryption is considered one of the most private ways to communicate online and allows users to have secure conversations without anyone — including the platform they’re speaking on — having access to the data...And offering encryption to all its users has become even more important for Zoom, which was built as a remote workplace tool but is suddenly being used for private events such as birthdays, funerals, government meetings and activist gatherings. “With all of the dissidents and all the people using Zoom now, I think [offering end-to-end encryption only to paid users] is a mistake,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “I want them to have other features as profit centers, not safety and security.” ... “If you think about what Zoom is doing, they are collecting all the videos, all the voices, putting it together, displaying them nicely. If that stuff is being done in the center, they have to do work on it,” said Schneier. “It does get harder exponentially as the size of the meeting grows.” However, it’s not an insurmountable task, and could be well worth it to restore the trust of Zoom’s users after a series of privacy and security slip-ups. “It’s hard but it’s not go-to-the-moon hard,” Schneier said. “It’s you-just-gotta-do-it hard.”

  • Surveillance Technology Will Only Get More Intense After Covid

    June 2, 2020

    When an outbreak of the bubonic plague swept through Europe in the 16th century, people in London were told to stay home for a month if anyone they lived with had contracted the disease. So long as they carried with them a long white stick, known as a plague wand, one person from an infected household could venture outside to get food or other supplies. The stick served as a warning sign. It told other people to stay away. Today, in the grip of the Covid-19 pandemic, the advice is the same: Stay home and avoid other people. But in the 21st century, we no longer use white sticks to identify those who may be contagious. Instead, governments and law enforcement agencies are turning to a vast armory of digital technologies in an effort to track and stop outbreaks in different parts of the world. We have surveillance systems that can map out the movements of entire populations, thanks to the invisible signals emitted by the smartphones we carry in our pockets. We have drones that fly above city parks and blast out audio warnings to anyone not following guidelines on social distancing...Many governments had broad digital surveillance capabilities in place prior to the pandemic. In 2013, the U.S. National Security Agency whistleblower Edward Snowden laid bare some of them. Snowden’s disclosures revealed that the NSA had built a global spying apparatus that was vacuuming up vast amounts of private communications from the world’s phone and internet networks. In December 2013, the Washington Post reported that the agency was covertly collecting almost 5 billion records every day on the whereabouts of people’s cellphones internationally... “They already have these ridiculous surveillance powers,” says Bruce Schneier, a security expert and cryptographer who lectures at Harvard's Kennedy School. “The smartphone is the most invasive surveillance device our species has ever invented. I don’t see what’s happening now [during the Covid pandemic] as making any difference.”

  • The Public Is Being Misled by Pandemic Technology That Won’t Keep Them Safe

    May 22, 2020

    The lockdown on commercial industry and personal activity in response to the global Covid-19 pandemic has been in place for almost two months in many parts of the U.S. Due to financial desperation and frustration with isolation, nonessential businesses are starting to reopen and more people are going out in public despite ongoing health concerns. Seeking to frame this economically driven agenda with a veneer of public health responsibility, governments and businesses are implementing a variety of precautions, including using thermal imaging cameras to detect elevated skin temperatures. Unfortunately, the use of this technology, like some of the others in the pandemic response kit, is “security theater,” to use a term coined by the security and privacy expert Bruce Schneier. It’s a dangerous, possibly life-threatening mirage that looks like strong leadership but, in fact, shimmers over empty promises that inspire false confidence about personal health and safety. Schneier has been warning us for years of this kind of facade, calling out familiar examples, from offices stationing a “uniformed guard-for-hire” to check visitors’ ID cards to airports banning liquids and using full-body scanners to search for explosive material that, it turns out, they are not great at detecting anyway. So much magical thinking pervades airport security that Schneier has bluntly declared, “The two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn’t worth it.”

  • Digital contact tracing is becoming available, but is it effective?

    May 7, 2020

    Technology companies are offering a new tool to countries and states trying to reopen their economies amid the coronavirus pandemic: digital contact tracing applications. Touted as a way to track cases and isolate carriers quickly through the use of smartphones people already have in their pockets, the technological fix has gained significant attention from governments and private companies alike. But it's not clear how effective the alternative to traditional one-on-one interview-based contact tracing would be. And it also raises other issues dealing with surveillance. Apple and Google have been two of the leaders developing digital contact tracing and jointly released API this week for public health officials to build applications with. The unprecedented collaboration from the Silicon Valley giants allows applications to use bluetooth emissions to create a log of the people the phone’s user has come into proximity with. This would give officials a list of people that an individual infected by COVID-19, the disease caused by the coronavirus, may have passed it to. There are a few potential roadblocks with the technology...Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University, told The Hill that issues with apps could negatively color users’ perceptions of contact tracing more broadly. “My fear is that an app people lose trust in could cause more harm than good,” he said. “Some things in life an app can’t solve.”

  • We Need An “Army” Of Contact Tracers To Safely Reopen The Country. We Might Get Apps Instead.

    April 30, 2020

    On the phone inside her San Francisco apartment, Lucía Abascal gently informed two brothers she had never met that they had been exposed to the coronavirus. Privacy rules, however, meant she could not tell them who had possibly infected them. She also told the siblings they’d have to stay inside for the next 14 days and monitor themselves for signs of a disease that has killed 59,000 Americans and counting...These days, she works in "contact tracing" — a public health strategy to contain the spread of disease by tracing backward from an infected person to others who may have been exposed so they too can be tested and quarantined...But amid all the sobering statistics of the coronavirus pandemic in the US, here is one more: There are nowhere near enough Lucía Abascals. Experts estimate the country needs as many as 300,000 contact tracers to chart and break the chains of the pandemic. Currently, there are fewer than 8,000...China, Singapore, and South Korea have been lauded for their use of phones, in conjunction with old-fashioned shoe leather, to track infected people’s movements and trace clusters of the disease. Germany and Australia are launching their own programs. Yet many are skeptical about how the US is going about it, or even whether the country would accept it... “My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet and Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”

  • Colleges deny using facial recognition technology after high-profile academics shame them

    March 25, 2020

    More than 150 academics, scholars and tenured faculty from colleges across the country have signed an open letter that names and shames colleges for using facial recognition technology on campus. They include a renowned cryptographer, prominent gender theorist and the popularizer of intersectionality. There’s just one problem: Some of those colleges told The College Fix they aren’t using the technology. Another college, meanwhile, passed the buck to its students, saying they choose to use it...Cryptographer and author Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, told The Fix in a phone call that there is a difference between “campus security” and “social control.” The first name on the open letter noted that facial recognition technology is used by “authoritarian governments” such as the Chinese Communist Party, and it gives them “awesome” power over their citizens. Schneier also warned that universities are “unprepared” to handle high levels of biometric data, leaving their students’ personal information vulnerable to cyber-penetration by ill-intended actors...Cryptographer Schneier, who also lectures at Harvard, says that the technology has “no place” in an American college campus. He told The Fix that China’s use of facial recognition works in conjunction with video surveillance and artificial intelligence to evaluate citizens in the Communist Party’s “social credit” systems. More often than not, this kind of technology is used “without consent.”

  • ‘This is pretty fantastic’: Expert applauds Greene County’s efforts to secure elections

    September 30, 2019

In 2015, Greene County’s newly minted elections chief went to a conference where people were talking about voting on the internet. Shane Schoeller wasn’t interested. Sure, voting via iPhone would be more convenient than trudging to the polling place, waiting in line and then casting a ballot. But he worried about getting hacked and thought there was some value to having a paper record of each vote. ... When cybersecurity expert Bruce Schneier, a fellow with Harvard's Berkman Klein Center for Internet and Society, reviewed the plans, he was pleasantly surprised. “This is pretty fantastic,” he said. “Voter-verifiable ballots and risk-limiting audits are the two things experts have been saying you need. So we’ve got one and the other on a pilot. This is better than everybody else. This is someone who’s taking it seriously.” Schneier warned that Greene County could still face threats: voter registration rolls could be manipulated, for example, meaning registered voters could show up and find themselves removed from the rolls. But he concluded Schoeller was off to a “great start.”

  • Security Experts Unite Over the Right to Repair

    April 30, 2019

    Two years ago, as Nebraska was considering a “right to repair” bill designed to make it easier for consumers to fix their own gadgets, an Apple lobbyist made a frightening prediction. If the state passed the legislation, it would turn into a haven for hackers, Steve Kester told then-state senator Lydia Brasch. He argued the law would inadvertently give bad actors the opportunity to break into devices like smartphones. The bill was later shelved, in part because of industry pressure., founded by technology journalist Paul Roberts, has attracted the support of more than 20 security experts, including Harvard University security technologist Bruce Schneier, bug bounty expert Katie Moussouris, and ACLU technologist Jon Callas. They plan to arrange for expert witnesses to testify at legislative hearings across the country in an effort to convince lawmakers that the right to repair is inherently safe.

  • The attack of the killer fridges has begun

    December 14, 2018

    The world is ever more connected via the internet, from cars and power grids to home appliances and toys. That means ever more things are dangerously hackable, security expert Bruce Schneier writes in “Click Here to Kill Everybody.” The title is hyperbolic, but not by much. In some ways, the attack of the killer fridges has already begun. Catastrophe doesn’t have to happen on purpose. Nation states can attack each other’s electricity infrastructure, and cyber criminals seize hospital computers and threaten patients’ lives until ransom is paid. But Schneier, who is chief technology officer at IBM Resilient and a fellow of Harvard University’s Berkman Klein Center for Internet & Society, also worries about fumbles and surprises. Small-time hackers lose control of their malware and infect bigger systems. Threats emerge not from individually compromised devices but from the unforeseen ways they interact.

  • AI is a very surprising tech, which makes its future hard to predict: Bruce Schneier

    June 12, 2018

    Bruce Schneier is an internationally renowned security technologist. An author of 13 books including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, his newsletter Crypto-Gram and his blog Schneier on Security are read by over 250,000 people...In an interview, Schneier speaks about some of the biggest online security threats that individuals, companies and governments will face in 2018; how these threats have ballooned because of the IoT (Internet of Things); learnings from the Cambridge Analytica-Facebook data compromise issue; Surveillance Capitalism; and his thoughts on artificial intelligence (AI) and cyberwar among other things.

  • Alexa, Just How Secure Are You?

    May 29, 2018

    You may think of your virtual assistant as a kind of trusty companion, giving out weather forecasts, recipes, news and all sorts of ephemera on request. But these devices also pose a host of security risks that render users vulnerable to hacks, eavesdropping, data siphoning and other threats that might not be immediately apparent. That danger was highlighted Thursday when Inc. said one of its Echo home speakers mistakenly recorded a private conversation and sent it to someone in the owners’ contact list...Don’t buy one at all. “That is my personal solution,” says Bruce Schneier, a cybersecurity expert who lectures on public policy at Harvard University. For Mr. Schneier, the real threat to our privacy is companies like Google and Amazon, which are also vulnerable to hacks and whose privacy policies can be vague and hard to decipher.

  • The very real risks posed by Trump’s use of a cellphone

    May 23, 2018

    ...Politico reports that Trump uses two iPhones. One is Twitter-only. The other only allows him to make calls. Both are customized, issued by the White House department responsible for securing administration telecommunications. One problem identified by Politico, though, is that the Twitter-capable phone wasn’t swapped out on a monthly basis, as requested by Trump’s security team....Security expert Bruce Schneier spoke by phone with The Post and explained why, even if he adhered assiduously to those precautions, the likelihood that Trump’s communications have been compromised is high. If Trump’s calls-only device was a standard iPhone, there’s little question about it. The odds of a foreign adversary having gained access to such a device, according to Schneier? “One” — meaning 100 percent, he said. “The question is how many foreign powers.” The president could assume, he said, “that anything said on unsecured phones is known by — name your top six intelligence agencies.”

  • U.S. Voting System Remains Vulnerable 6 Months Before Election Day. What Now?

    May 8, 2018

As America heads toward the 2018 midterms, there's an 800-pound gorilla in the voting booth. Despite improvements since Russia's attack on the 2016 presidential race, the U.S. elections infrastructure is vulnerable — and will remain so in November. Cybersecurity expert Bruce Schneier laid out the problem to an overflowing room full of election directors and secretaries of state — people charged with running and securing elections — at a conference at Harvard University this spring. "Computers are basically insecure," said Schneier. "Voting systems are not magical in any way. They are computers."..."This is the problem we always have in computer security — basically nobody has ever built a secure computer. That's the reality," Schneier said. "I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don't because no one has found them yet. And people will find them — whether it's nation states or teenagers on a weekend."

  • Banning Chinese phones won’t fix security problems with our electronic supply chain

    May 8, 2018

    An op-ed by Bruce Schneier. Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users. It’s a legitimate fear, and perhaps a prudent action. But it’s just one instance of the much larger issue of securing our supply chains. All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems. And while we can ban a few specific products, services or companies, no country can isolate itself from potential foreign interference.

  • Could tech refuse to help Uncle Sam during war? (audio)

    April 27, 2018

    Last week 34 tech companies signed the Cybersecurity Tech Accord saying they won't help any government, including the U.S., carry out cyber-attacks. That came amid warnings from the U.S. and the U.K. about the Russian government's global attempts to hack routers and other network equipment. Marketplace Tech host Molly Wood spoke with Bruce Schneier, a cybersecurity expert at Harvard, about how tech companies will play a role in combating international cyber threats.

  • American elections are too easy to hack. We must take action now

    April 18, 2018

    An op-ed by Bruce Schneier. Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them. Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

  • Facebook embraces A.I., and risks further spooking consumers

    April 17, 2018

    Social media companies have embraced artificial intelligence tools to scrub their platforms of hate speech, terrorist propaganda and other content deemed noxious. But will those tools censor other content? Can a program judge the value of speech? Facebook founder Mark Zuckerberg told Congress last week that his company is rapidly developing AI tools to “identify certain classes of bad activity proactively and flag it for our team.” It is one of several moves by Facebook as it struggles with an erosion of consumer trust over its harvesting of user data, its past vulnerability to targeted political misinformation and the opaqueness of the formulas upon which its news feeds are built...“The problem is that surveillance is Facebook's business model: surveillance in order to facilitate psychological manipulation,” Bruce Schneier, a well-known security expert and privacy specialist, said. “Whether it's done by people or (artificial intelligence) is in the noise.”

  • There’s Almost Nothing You Can Do to Protect Your Personal Data Online

    March 30, 2018

    If you’re one of the millions of Americans feeling like it’s time to start better protecting your personal data, you’re pretty much out of luck, according to cybersecurity experts...When asked what people can do to prevent their data from being harvested without their direct knowledge, security technologist Bruce Schneier’s answer was chillingly straightforward. “You can’t do anything. That’s the fundamental problem with this,” he said...“You live in the United States and the United States doesn’t regulate surveillance capitalism. Your data can be bought and sold without your knowledge and consent. That’s the way it works,” he said. “If you don’t like that, lobby your congressman. That is your only option.”

  • It’s not just Facebook. Thousands of companies are spying on you

    March 27, 2018

    An op-ed by Bruce Schneier. In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed.

  • America’s Voting Systems Are Highly Vulnerable to Hackers

    February 23, 2018

    After Robert Mueller’s indictment of 13 Russians last week, there can be no doubt that the Kremlin meddled with the 2016 election by spreading lies through social media that twisted voters’ judgments. But what about more direct forms of interference: Did Russia shift the election’s outcome by hacking registration rolls or voting machines? The fact is that it’s impossible to say. In September, the Department of Homeland Security informed officials in 21 states that Russians had hacked into their registration systems in the run-up to the election. Whether the hackers manipulated the rolls—removed names or switched their precincts—no one has investigated; perhaps no one could investigate, as so many months had passed before the hack was revealed...In the realm of computer hacking, these sorts of attacks are far from the most sophisticated—and the methods for blocking the attacks aren’t so sophisticated either. “We know what to do,” Bruce Schneier, a noted cybersecurity specialist, said in a phone interview. “It’s not a matter of figuring out the tech. The problem is our political system.”

  • The New Way Your Computer Can Be Attacked

    January 30, 2018

    An op-ed by Bruce Schneier. On January 3, the world learned about a series of major security vulnerabilities in modern microprocessors. Called Spectre and Meltdown, these vulnerabilities were discovered by several different researchers last summer, disclosed to the microprocessors’ manufacturers, and patched—at least to the extent possible. This news isn’t really any different from the usual endless stream of security vulnerabilities and patches, but it’s also a harbinger of the sorts of security problems we’re going to be seeing in the coming years.

  • How to fight mass surveillance even though Congress just reauthorized it

    January 26, 2018

    An op-ed by Bruce Schneier. For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We’ve just lost an important battle. On Jan. 18, when President Trump signed the renewal of Section 702, domestic mass surveillance became effectively a permanent part of U.S. law.

  • Too Much Music: A Failed Experiment In Dedicated Listening

    January 17, 2018

    ...Streaming has become the primary way we listen to music: in 2016, streaming surpassed both physical media and digital downloads as the largest source of recorded music sales. There are plenty of valid complaints about a music world dominated by streaming. Among the many arguments musicians level against Spotify, for example, one typically repeated is that the artist is the only link in the food chain getting the proverbial shaft. This argument is often predicated on notions of economics, intellectual property and ethics. Missing from a larger discussion is the radical idea that maybe it is the consumers who are being done the greatest disservice, and that this access-bonanza may be cheapening the listening experience by transforming fans into file clerks and experts into dilettantes...As long as we try to maintain the Sisyphean task of trying to experience everything, our brains, unable to adapt and forever lagging behind exponential technological progress, will continue to struggle. "Computing power is still doubling every 18 months," notes cryptographer and technology writer Bruce Schneier, "while our species' brain size has remained constant."

  • The security of pretty much every computer on the planet has just gotten a lot worse

    January 5, 2018

An op-ed by Bruce Schneier. The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which, of course, is not a solution -- is to throw them all away and buy new ones that may be available in a few years. On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15 to 20 years. They've been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.

  • Microservices and the invasion of the identity entities

    December 19, 2017

    ...The whole concept of "cyberspace" implies the occupancy by people, or entities that represent people, accessing resources, data files, and applications by moving from place to place like browsing a shopping mall..."There's going to be a lot more 'what's,'" described noted security expert and author Bruce Schneier, referring to a communications system whose ratio of entities to people will only grow. "What sent this? It's going to be a streetlight sensor that's telling me the traffic on this street is such that I'm going to try this other way. Or that I should brake now and not in fifteen milliseconds, because that'll save my life."

  • How the Supreme Court could keep police from using your cellphone to spy on you

    November 27, 2017

    An op-ed by Bruce Schneier. The cellphones we carry with us constantly are the most perfect surveillance device ever invented, and our laws haven’t caught up to that reality. That might change soon. This week, the Supreme Court will hear a case with profound implications on your security and privacy in the coming years. The Fourth Amendment’s prohibition of unlawful search and seizure is a vital right that protects us all from police overreach, and the way the courts interpret it is increasingly nonsensical in our computerized and networked world. The Supreme Court can either update current law to reflect the world, or it can further solidify an unnecessary and dangerous police power.

  • How Facebook Figures Out Everyone You’ve Ever Met

    November 8, 2017

    In real life, in the natural course of conversation, it is not uncommon to talk about a person you may know. You meet someone and say, “I’m from Sarasota,” and they say, “Oh, I have a grandparent in Sarasota,” and they tell you where they live and their name, and you may or may not recognize them. You might assume Facebook’s friend recommendations would work the same way: You tell the social network who you are, and it tells you who you might know in the online world. But Facebook’s machinery operates on a scale far beyond normal human interactions. And the results of its People You May Know algorithm are anything but obvious...Facebook doesn’t keep profiles for non-users, but it does use their contact information to connect people. “Mobile phone numbers are even better than social security numbers for identifying people,” said security technologist Bruce Schneier by email. “People give them out all the time, and they’re strongly linked to identity.”

  • The U.S. Election System Remains Deeply Vulnerable, But States Would Rather Celebrate Fake Success

    October 4, 2017

    When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements...Still, most states lack the mechanisms to deal with large-scale changes to voter registration, said Bruce Schneier, a cybersecurity specialist at Harvard’s Berkman Center who has written frequently about the security vulnerabilities of U.S. election systems. “Imagine an election in a state office, where 20 percent of the people can’t vote, and everyone says the voting roll was hacked. There’s no system to deal with that — there’s no plan, no rules,” he said.

  • The White House and Equifax Agree: Social Security Numbers Should Go

    October 4, 2017

    The Trump administration is exploring ways to replace the use of Social Security numbers as the main method of assuring people’s identities in the wake of consumer credit agency Equifax Inc.’s massive data breach...Over the decades, the Social Security number became valuable for what could be gained by stealing it, said Bruce Schneier, a fellow at Harvard’s Kennedy School of Government. It was the only number available to identify a person and became the standard used for everything from confirming someone at the doctor’s office to school. “They appeared at an age when we didn’t have other numbers,” Schneier said in an interview. “Think of this as part of our aging infrastructure” from roads and bridges to communications. “Sooner or later we as a society need to fix our aging infrastructure.”

  • Here’s What Security Experts Think About The iPhone X’s New Face ID Feature

    September 13, 2017

Of the smorgasbord of features stuffed into Apple's new thousand-dollar iPhone X, one of the most intriguing is Face ID — a new feature that lets you unlock your iPhone with your gaze after the system has learned what you look like, using Apple’s first-ever neural engine. “In the iPhone X, your phone is locked — until you look at it, and it recognizes you," Phil Schiller, Apple’s senior vice president of worldwide marketing, said onstage at today’s iPhone event. “Nothing has ever been simpler, more natural, and effortless.”...Meanwhile, Bruce Schneier, an internet security expert and chief technology officer at Resilient Systems, a subsidiary of IBM, said Apple’s “one in a million” failure claim may well hold up — but that it doesn’t matter if even one person in a million is still able to break into your phone. “That’s why [security] professionals don’t unlock phones that way,” Schneier wrote to BuzzFeed News in an email.

  • Don’t waste your breath complaining to Equifax about data breach

    September 12, 2017

    An op-ed by Bruce Schneier. Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud. Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

  • The Militarization of the Hamptons

    August 31, 2017

    A few weeks ago, the Bridgehampton Chamber Music Festival held one of its occasional outdoor concerts at a nearby Long Island winery...Afterward, when someone inquired about the presence of these heavily armed police, he was told that the Southampton police department required the extra protection...The militarization of local police forces, of course, is a trend that began after the Sept. 11 attacks, when many departments added “fighting terror” to their mission statements, and when the federal government began to make money available to local police to buy military-style equipment, including automatic weapons, night vision goggles and other paraphernalia. As the security expert Bruce Schneier points out, “when they get this stuff, they want to trot it out. So now it is being used.”

  • On internet privacy, be very afraid

    August 28, 2017

    An interview with Bruce Schneier. In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life. In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data.

  • On internet privacy, be very afraid

    August 25, 2017

    In an interview with the Harvard Gazette, cybersecurity expert Bruce Schneier, a fellow with the Berkman Klein Center for Internet & Society and the Belfer Center for Science and International Affairs at Harvard Kennedy School, talked about government and corporate surveillance, and about what concerned users can do to protect their privacy.

  • Our Homes May Get Smarter, But Have We Thought It Through?

    August 15, 2017

    John Essey and family live in a modest, two-story home on a tree-lined street in the suburbs north of Pittsburgh. From the outside, it looks like any other house in the neighborhood. But this house has a brain...While Essey's setup might sound a little like science fiction, it's a prototype of the future. Some critics are worried these devices won't be secure and that companies will use them to spy on us to make money..."Surveillance is now the business model of the Internet. Companies make money spying on you," says Bruce Schneier, an Internet security expert and the chief technology officer at IBM's cybersecurity arm.