
An Interview with Bruce Schneier, Renowned Security Technologist

Bruce Schneier is an internationally renowned, award-winning public-interest technologist who
serves as Chief of Security Architecture at Inrupt, a company working to bring Sir Tim Berners-Lee’s
distributed data ownership model into the mainstream. Mr. Schneier is a fellow at
the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public
Policy at the Harvard Kennedy School; a board member of the Electronic Frontier
Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic
Privacy Information Center and VerifiedVoting.org. He is the author of over a dozen books–
including one of the quintessential cryptography texts, Applied Cryptography–as well as
hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and
his blog "Schneier on Security" are read by over 250,000 people. Before joining Inrupt, Mr.
Schneier served as CTO of Resilient, British Telecom, and Counterpane Internet Security.

The NSA’s phone program cost $100 million over four years and only twice
generated unique information for the FBI. What’s your takeaway? Does that say
more about the program’s inefficiency or about how much data the NSA already
collects?

Collecting data is easy; analyzing it is hard. Gathering actionable intelligence from mass
surveillance data is often described as finding a needle in a haystack. The obvious extension of
that metaphor is that piling more hay onto the pile doesn't help. What we know is that
conventional investigative techniques—following the leads—are very effective. This means that
targeted surveillance can be very effective. Mass surveillance, not so much. It's good at social
control, which is why totalitarian governments like it so much. But despite the US government's
insistence that it's essential for national security, it turns out that when you examine the actual
evidence it is not.

What kind of constraints are there on academics publishing cryptography papers?
Does the NSA restrict academic freedom at all?

No, they do not. That's a very 1970s way of limiting the spread of cryptographic expertise around
the globe. It worked for a while, until the establishment of cryptography as an academic
discipline in the 1980s. Around then, the NSA switched to export controls as a way to regulate
the use of strong cryptography worldwide. That collapsed with the rise of the Internet and
electronic commerce. Today, the NSA relies on its superior cryptographic expertise and hacking
skills, and somewhat on its ability to slip back doors into commercial products and standards.
How effective this all is, we don't know, but the Snowden documents showed us that it was all
very effective in the early 2010s. My guess is that it's no less effective today.

Whether and what security precautions someone should take seems largely
contextual, but are there any baseline precautions that you think most people
would benefit from?

Keep your software updated, run an anti-virus program (I don't care which—they're all
equally mediocre), and back up regularly. That will protect you against most common threats.
Also, use two-factor authentication for your important accounts, and a password manager so
you don't have to remember the ridiculously complicated passwords you need to use to remain
secure.

After that, it's harder to give advice. Most of the data that is important to you isn't under
your direct control. It's not on your computers. It's on computers owned by Google, and Apple,
and your credit-card company, and your cell phone provider. The security precautions that they
take are much more critical than anything you do, and you have no control over them. You
mostly don't even have any visibility into what they are.

How about specifically for journalists and authors dealing with medium-high
sensitivity information?

First and most important: do not rely on security advice from Q&A interviews in random college
magazines. The threats you face are probably much more serious than that. There are resources
out there for you. Check out Security Planner. The Electronic Frontier Foundation maintains a
"Surveillance Self Defense" guide. And the Committee to Protect Journalists has a security
guide. Section 3 is all about maintaining security and privacy in the face of a variety of digital
threats.

One of the things I tell activists working in authoritarian countries is that their best option
is a fully tricked out Chromebook. Google is likely to protect their data better than they could.
Sure, their stuff is being spied on by Google and will be turned over to the US government with a
court order, but that's probably not part of their threat model. For truly at risk individuals,
Google's Advanced Protection Program is worth seriously considering.

How much of a threat are hardware backdoors? Given the CIA’s secret acquisition
of Crypto AG, quite a lot seems possible. Could you foresee secret contracts
between the U.S. government and hardware manufacturers? Are they already in
place?

Of course there have been secret contracts, or more likely secret verbal agreements, between the
US government and hardware manufacturers to keep their products insecure. The story of
Crypto AG selling back-doored encryption hardware to
governments around the world has made the news recently, but it's not the only story that has
become public. During the Cold War, it's reasonable to assume the US government did that all
the time. It's harder today, because the tech industry is much more public and global. Still, while
Apple has refused to make its iPhone insecure at the request of the US government, they have
not encrypted their iCloud backups, because of what we believe is pressure from the US
government.

This story will play out in all countries. We believe that Chinese communications
infrastructure companies have put back doors into their products at the request of their
government. The Chinese believe Cisco has done the same at the request of the US government.
My guess is that—unfortunately—everyone is right and that there are back doors in pretty much
everything. And I don't really worry about spying. If Huawei routers had a back door that sent
copies of all Internet packets back to China, we would easily detect that. More worrisome is a
secret embedded command that would allow China to disable the routers in the event of
hostilities. That's easy to do and next to impossible to detect.

Onto Inrupt/Solid. It looks like Inrupt's implementation of a Solid server is
in prototype phase. What’s the idea behind the project, and what's the basic
timeline for full release?

The Solid server prototype was born out of the work conducted by Sir Tim Berners-Lee and his
team while at MIT. Inrupt's mission is to catalyze this work and help apply Solid to real-world
use cases. The promise of realizing Tim's true vision for the web has prompted a pretty amazing
array of global organizations to engage with us on truly transformational projects. To make all of
that happen, Inrupt has been building our own software based on the open and public Solid
protocol. Some of this, like our SDK, is already available to the open-source community. Other
products are starting to make their way into the public domain. At this point we can't talk about
our customers/partners about their projects, because they're in charge of the schedules and
timelines.

Relatedly–how long would it take for me right now to create a WebID, establish a
Pod with Inrupt, and begin storing my data?

Assuming you're an individual user visiting inrupt.net, then the literal answer is "like 20
seconds": the time it takes you to sign up for any kind of online account. But remember that
inrupt.net is not intended as a mainstream commercial offering. It's a test system: a way to let
people explore the basic functionality of Solid and to provide open-source application
developers with Pods to test and use. This is a critical element of seeding Solid throughout the
developer community. Inrupt's core focus is working with organizations to explore the powerful
opportunities for innovation at enterprise-scale. That's still coming.

How are for-profit companies–especially social networks like Facebook–
incentivized to develop using Solid if they can no longer hyper-target advertising to
their users at their current level?

Companies like Facebook, with a business model built entirely around surveillance capitalism,
are not going to be the first movers here. If they come around to Solid at all, it will be late in the
adoption curve. I would expect a potential Facebook competitor—assuming they're not squashed
by Facebook's monopoly power—would be much more likely to adopt Solid because it lets them
scale their system quickly without the liability around collecting everyone's data. They would
still be able to use the data, and market based on it, but it wouldn't be in their servers on their
networks. Additionally, most companies do not build their business models around targeted
advertising. We have projects underway in industries like finance, health care, insurance and
more. A lot of companies understand that they can have a better relationship with their
customers by rethinking who gets ultimate control—and also value—of that data.
