Bruce Schneier

  • The Public Is Being Misled by Pandemic Technology That Won’t Keep Them Safe

    May 22, 2020

    The lockdown on commercial industry and personal activity in response to the global Covid-19 pandemic has been in place for almost two months in many parts of the U.S. Due to financial desperation and frustration with isolation, nonessential businesses are starting to reopen and more people are going out in public despite ongoing health concerns. Seeking to frame this economically driven agenda with a veneer of public health responsibility, governments and businesses are implementing a variety of precautions, including using thermal imaging cameras to detect elevated skin temperatures. Unfortunately, the use of this technology, like some of the others in the pandemic response kit, is “security theater,” to use a term coined by the security and privacy expert Bruce Schneier. It’s a dangerous, possibly life-threatening mirage that looks like strong leadership but, in fact, shimmers over empty promises that inspire false confidence about personal health and safety. Schneier has been warning us for years of this kind of facade, calling out familiar examples, from offices stationing a “uniformed guard-for-hire” to check visitors’ ID cards to airports banning liquids and using full-body scanners to search for explosive material that, it turns out, they are not great at detecting anyway. So much magical thinking pervades airport security that Schneier has bluntly declared, “The two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn’t worth it.”

  • Digital contact tracing is becoming available, but is it effective?

    May 7, 2020

    Technology companies are offering a new tool to countries and states trying to reopen their economies amid the coronavirus pandemic: digital contact tracing applications. Touted as a way to track cases and isolate carriers quickly through the use of smartphones people already have in their pockets, the technological fix has gained significant attention from governments and private companies alike. But it's not clear how effective the alternative to traditional one-on-one interview-based contact tracing would be. And it also raises other issues dealing with surveillance. Apple and Google have been two of the leaders developing digital contact tracing and jointly released an API this week for public health officials to build applications with. The unprecedented collaboration from the Silicon Valley giants allows applications to use Bluetooth emissions to create a log of the people the phone’s user has come into proximity with. This would give officials a list of people that an individual infected by COVID-19, the disease caused by the coronavirus, may have passed it to. There are a few potential roadblocks with the technology... Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University, told The Hill that issues with apps could negatively color users’ perceptions of contact tracing more broadly. “My fear is that an app people lose trust in could cause more harm than good,” he said. “Some things in life an app can’t solve.”

  • We Need An “Army” Of Contact Tracers To Safely Reopen The Country. We Might Get Apps Instead.

    April 30, 2020

    On the phone inside her San Francisco apartment, Lucía Abascal gently informed two brothers she had never met that they had been exposed to the coronavirus. Privacy rules, however, meant she could not tell them who had possibly infected them. She also told the siblings they’d have to stay inside for the next 14 days and monitor themselves for signs of a disease that has killed 59,000 Americans and counting...These days, she works in "contact tracing" — a public health strategy to contain the spread of disease by tracing backward from an infected person to others who may have been exposed so they too can be tested and quarantined...But amid all the sobering statistics of the coronavirus pandemic in the US, here is one more: There are nowhere near enough Lucía Abascals. Experts estimate the country needs as many as 300,000 contact tracers to chart and break the chains of the pandemic. Currently, there are fewer than 8,000...China, Singapore, and South Korea have been lauded for their use of phones, in conjunction with old-fashioned shoe leather, to track infected people’s movements and trace clusters of the disease. Germany and Australia are launching their own programs. Yet many are skeptical about how the US is going about it, or even whether the country would accept it... “My problem with contact tracing apps is that they have absolutely no value,” Bruce Schneier, a privacy expert and fellow at the Berkman Klein Center for Internet and Society at Harvard University, told BuzzFeed News. “I’m not even talking about the privacy concerns, I mean the efficacy. Does anybody think this will do something useful? … This is just something governments want to do for the hell of it. To me, it’s just techies doing techie things because they don’t know what else to do.”

  • Colleges deny using facial recognition technology after high-profile academics shame them

    March 25, 2020

    More than 150 academics, scholars and tenured faculty from colleges across the country have signed an open letter that names and shames colleges for using facial recognition technology on campus. They include a renowned cryptographer, prominent gender theorist and the popularizer of intersectionality. There’s just one problem: Some of those colleges told The College Fix they aren’t using the technology. Another college, meanwhile, passed the buck to its students, saying they choose to use it...Cryptographer and author Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, told The Fix in a phone call that there is a difference between “campus security” and “social control.” The first name on the open letter noted that facial recognition technology is used by “authoritarian governments” such as the Chinese Communist Party, and it gives them “awesome” power over their citizens. Schneier also warned that universities are “unprepared” to handle high levels of biometric data, leaving their students’ personal information vulnerable to cyber-penetration by ill-intended actors...Cryptographer Schneier, who also lectures at Harvard, says that the technology has “no place” in an American college campus. He told The Fix that China’s use of facial recognition works in conjunction with video surveillance and artificial intelligence to evaluate citizens in the Communist Party’s “social credit” systems. More often than not, this kind of technology is used “without consent.”

  • ‘This is pretty fantastic’: Expert applauds Greene County’s efforts to secure elections

    September 30, 2019

    In 2015, Greene County’s newly minted elections chief went to a conference where people were talking about voting on the internet.  Shane Schoeller wasn’t interested. Sure, voting via iPhone would be more convenient than trudging to the polling place, waiting in line and then casting a ballot. But he worried about getting hacked and thought there was some value to having a paper record of each vote. ... When cybersecurity expert Bruce Schneier, a fellow with Harvard's Berkman Klein Center for Internet and Society, reviewed the plans, he was pleasantly surprised. “This is pretty fantastic,” he said. “Voter-verifiable ballots and risk-limiting audits are the two things experts have been saying you need. So we’ve got one and the other on a pilot. This is better than everybody else. This is someone who’s taking it seriously.” Schneier warned that Greene County could still face threats: voter registration rolls could be manipulated, for example, meaning registered voters could show up and find themselves removed from the rolls. But he concluded Schoeller was off to a “great start.”

  • Security Experts Unite Over the Right to Repair

    April 30, 2019

    Two years ago, as Nebraska was considering a “right to repair” bill designed to make it easier for consumers to fix their own gadgets, an Apple lobbyist made a frightening prediction. If the state passed the legislation, it would turn into a haven for hackers, Steve Kester told then-state senator Lydia Brasch. He argued the law would inadvertently give bad actors the opportunity to break into devices like smartphones. The bill was later shelved, in part because of industry pressure., founded by technology journalist Paul Roberts, has attracted the support of more than 20 security experts, including Harvard University security technologist Bruce Schneier, bug bounty expert Katie Moussouris, and ACLU technologist Jon Callas. They plan to arrange for expert witnesses to testify at legislative hearings across the country in an effort to convince lawmakers that the right to repair is inherently safe.

  • The attack of the killer fridges has begun

    December 14, 2018

    The world is ever more connected via the internet, from cars and power grids to home appliances and toys. That means ever more things are dangerously hackable, security expert Bruce Schneier writes in “Click Here to Kill Everybody.” The title is hyperbolic, but not by much. In some ways, the attack of the killer fridges has already begun. Catastrophe doesn’t have to happen on purpose. Nation states can attack each other’s electricity infrastructure, and cyber criminals seize hospital computers and threaten patients’ lives until ransom is paid. But Schneier, who is chief technology officer at IBM Resilient and a fellow of Harvard University’s Berkman Klein Center for Internet & Society, also worries about fumbles and surprises. Small-time hackers lose control of their malware and infect bigger systems. Threats emerge not from individually compromised devices but from the unforeseen ways they interact.

  • AI is a very surprising tech, which makes its future hard to predict: Bruce Schneier

    June 12, 2018

    Bruce Schneier is an internationally renowned security technologist. An author of 13 books including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, his newsletter Crypto-Gram and his blog Schneier on Security are read by over 250,000 people...In an interview, Schneier speaks about some of the biggest online security threats that individuals, companies and governments will face in 2018; how these threats have ballooned because of the IoT (Internet of Things); learnings from the Cambridge Analytica-Facebook data compromise issue; Surveillance Capitalism; and his thoughts on artificial intelligence (AI) and cyberwar among other things.

  • Alexa, Just How Secure Are You?

    May 29, 2018

    You may think of your virtual assistant as a kind of trusty companion, giving out weather forecasts, recipes, news and all sorts of ephemera on request. But these devices also pose a host of security risks that render users vulnerable to hacks, eavesdropping, data siphoning and other threats that might not be immediately apparent. That danger was highlighted Thursday when Inc. said one of its Echo home speakers mistakenly recorded a private conversation and sent it to someone in the owners’ contact list...Don’t buy one at all. “That is my personal solution,” says Bruce Schneier, a cybersecurity expert who lectures on public policy at Harvard University. For Mr. Schneier, the real threat to our privacy is companies like Google and Amazon, which are also vulnerable to hacks and whose privacy policies can be vague and hard to decipher.

  • The very real risks posed by Trump’s use of a cellphone

    May 23, 2018

    ...Politico reports that Trump uses two iPhones. One is Twitter-only. The other only allows him to make calls. Both are customized, issued by the White House department responsible for securing administration telecommunications. One problem identified by Politico, though, is that the Twitter-capable phone wasn’t swapped out on a monthly basis, as requested by Trump’s security team....Security expert Bruce Schneier spoke by phone with The Post and explained why, even if he adhered assiduously to those precautions, the likelihood that Trump’s communications have been compromised is high. If Trump’s calls-only device was a standard iPhone, there’s little question about it. The odds of a foreign adversary having gained access to such a device, according to Schneier? “One” — meaning 100 percent, he said. “The question is how many foreign powers.” The president could assume, he said, “that anything said on unsecured phones is known by — name your top six intelligence agencies.”

  • U.S. Voting System Remains Vulnerable 6 Months Before Election Day. What Now?

    May 8, 2018

    As America heads toward the 2018 midterms, there's an 800-pound gorilla in the voting booth. Despite improvements since Russia's attack on the 2016 presidential race, the U.S. elections infrastructure is vulnerable — and will remain so in November. Cybersecurity expert Bruce Schneier laid out the problem to an overflowing room full of election directors and secretaries of state — people charged with running and securing elections — at a conference at Harvard University this Spring. "Computers are basically insecure," said Schneier. "Voting systems are not magical in any way. They are computers."..."This is the problem we always have in computer security — basically nobody has ever built a secure computer. That's the reality," Schneier said. "I want to build a robust system that is secure despite the fact that computers have vulnerabilities, rather than pretend that they don't because no one has found them yet. And people will find them — whether it's nation states or teenagers on a weekend."

  • Banning Chinese phones won’t fix security problems with our electronic supply chain

    May 8, 2018

    An op-ed by Bruce Schneier. Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users. It’s a legitimate fear, and perhaps a prudent action. But it’s just one instance of the much larger issue of securing our supply chains. All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems. And while we can ban a few specific products, services or companies, no country can isolate itself from potential foreign interference.

  • Could tech refuse to help Uncle Sam during war? (audio)

    April 27, 2018

    Last week 34 tech companies signed the Cybersecurity Tech Accord saying they won't help any government, including the U.S., carry out cyber-attacks. That came amid warnings from the U.S. and the U.K. about the Russian government's global attempts to hack routers and other network equipment. Marketplace Tech host Molly Wood spoke with Bruce Schneier, a cybersecurity expert at Harvard, about how tech companies will play a role in combating international cyber threats.

  • American elections are too easy to hack. We must take action now

    April 18, 2018

    An op-ed by Bruce Schneier. Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them. Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

  • Facebook embraces A.I., and risks further spooking consumers

    April 17, 2018

    Social media companies have embraced artificial intelligence tools to scrub their platforms of hate speech, terrorist propaganda and other content deemed noxious. But will those tools censor other content? Can a program judge the value of speech? Facebook founder Mark Zuckerberg told Congress last week that his company is rapidly developing AI tools to “identify certain classes of bad activity proactively and flag it for our team.” It is one of several moves by Facebook as it struggles with an erosion of consumer trust over its harvesting of user data, its past vulnerability to targeted political misinformation and the opaqueness of the formulas upon which its news feeds are built...“The problem is that surveillance is Facebook's business model: surveillance in order to facilitate psychological manipulation,” Bruce Schneier, a well-known security expert and privacy specialist, said. “Whether it's done by people or (artificial intelligence) is in the noise.”

  • There’s Almost Nothing You Can Do to Protect Your Personal Data Online

    March 30, 2018

    If you’re one of the millions of Americans feeling like it’s time to start better protecting your personal data, you’re pretty much out of luck, according to cybersecurity experts...When asked what people can do to prevent their data from being harvested without their direct knowledge, security technologist Bruce Schneier’s answer was chillingly straightforward. “You can’t do anything. That’s the fundamental problem with this,” he said...“You live in the United States and the United States doesn’t regulate surveillance capitalism. Your data can be bought and sold without your knowledge and consent. That’s the way it works,” he said. “If you don’t like that, lobby your congressman. That is your only option.”

  • It’s not just Facebook. Thousands of companies are spying on you

    March 27, 2018

    An op-ed by Bruce Schneier. In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed.

  • America’s Voting Systems Are Highly Vulnerable to Hackers

    February 23, 2018

    After Robert Mueller’s indictment of 13 Russians last week, there can be no doubt that the Kremlin meddled with the 2016 election by spreading lies through social media that twisted voters’ judgments. But what about more direct forms of interference: Did Russia shift the election’s outcome by hacking registration rolls or voting machines? The fact is that it’s impossible to say. In September, the Department of Homeland Security informed officials in 21 states that Russians had hacked into their registration systems in the run-up to the election. Whether the hackers manipulated the rolls—removed names or switched their precincts—no one has investigated; perhaps no one could investigate, as so many months had passed before the hack was revealed...In the realm of computer hacking, these sorts of attacks are far from the most sophisticated—and the methods for blocking the attacks aren’t so sophisticated either. “We know what to do,” Bruce Schneier, a noted cybersecurity specialist, said in a phone interview. “It’s not a matter of figuring out the tech. The problem is our political system.”

  • The New Way Your Computer Can Be Attacked

    January 30, 2018

    An op-ed by Bruce Schneier. On January 3, the world learned about a series of major security vulnerabilities in modern microprocessors. Called Spectre and Meltdown, these vulnerabilities were discovered by several different researchers last summer, disclosed to the microprocessors’ manufacturers, and patched—at least to the extent possible. This news isn’t really any different from the usual endless stream of security vulnerabilities and patches, but it’s also a harbinger of the sorts of security problems we’re going to be seeing in the coming years.

  • How to fight mass surveillance even though Congress just reauthorized it

    January 26, 2018

    An op-ed by Bruce Schneier. For over a decade, civil libertarians have been fighting government mass surveillance of innocent Americans over the Internet. We’ve just lost an important battle. On Jan. 18, when President Trump signed the renewal of Section 702, domestic mass surveillance became effectively a permanent part of U.S. law.

  • Too Much Music: A Failed Experiment In Dedicated Listening

    January 17, 2018

    ...Streaming has become the primary way we listen to music: in 2016, streaming surpassed both physical media and digital downloads as the largest source of recorded music sales. There are plenty of valid complaints about a music world dominated by streaming. Among the many arguments musicians level against Spotify, for example, one typically repeated is that the artist is the only link in the food chain getting the proverbial shaft. This argument is often predicated on notions of economics, intellectual property and ethics. Missing from a larger discussion is the radical idea that maybe it is the consumers who are being done the greatest disservice, and that this access-bonanza may be cheapening the listening experience by transforming fans into file clerks and experts into dilettantes...As long as we try to maintain the Sisyphean task of trying to experience everything, our brains, unable to adapt and forever lagging behind exponential technological progress, will continue to struggle. "Computing power is still doubling every 18 months," notes cryptographer and technology writer Bruce Schneier, "while our species' brain size has remained constant."