In the April issue of Money, before the story of the Heartbleed bug broke, Money spoke with computer security expert Bruce Schneier, chief technology officer at Co3 Systems and a fellow at Harvard Law’s Berkman Center for Internet and Society. Schneier said it is difficult for consumers to protect their data on their own — a point that Heartbleed has demonstrated all too well.
Is my data safe?
A: Well, that depends … What does that question even mean?
For example, the recent theft of credit card data from Target — as well as names, phone numbers, and email addresses — worries people.
That story is all over the Net, but if your card number was stolen, it didn’t cost you any money and you got a new one. Most of the other data is in telephone books. And all of it is for sale, cheap, from data brokers. If the bad guys want that stuff, getting it is easy. It’s common information, and not very useful for fraud.
So is there anything about data people should be worried about?
Sure. Pretty much everything you do on the Internet is spied on. I used to say that Google knows more about my interests than my wife does. But actually that’s wrong: Google knows more about my interests than I do.
Google knows exactly what I’m interested in and when I’m interested, and Google remembers those things more than I do. Do I remember what I was interested in six months ago? I don’t. Google remembers.
What’s the danger there?
We think we have a right to private thoughts, and that’s increasingly unlikely. That’s why the question “Is my data safe?” makes no sense.
The problem isn’t security of your data. When you go on Google or Facebook, for example, you say, “Yes, I am open to you spying on me.” And I’m talking about legitimate, legal uses.
Take the Nest thermostat, which connects to the Internet. All your heating and cooling data are stored in the cloud, meaning on the company’s servers. The company knows when you’re home, when you’re not.
You might have said, “Well, that’s a small company.” But Google just bought Nest. Now Google has that data, along with its other data. [Nest’s CEO has said that data is used only for Nest services, and that if this changes, users will be asked to “opt in.”]
And what can happen when companies have all this data?
Then they can use it for psychological manipulation — for advertising. That’s the fundamental business model of the Internet. Google’s profit is the net difference between the value of your data, to them, and the value of the services they’re giving you for your data. You are not the customer of Google or Facebook or other free services. The customers are advertisers. The product is you.
Is this just about showing me targeted ads?
The Federal Trade Commission is now looking at what to do about cellphone tracking in stores. You can be surveilled in a store because you’re carrying a phone. We’ve moved into an era when we are always observed.
Is this really spying? If a computer monitors me to send me ads, that’s not like a person looking at me.
Someone at Google said having a computer read your email is like having a dog see you naked. And that’s sort of what you’re asking.
It’s a computer — what’s the problem? But then think of the difference between a computer and a dog. You can trust the dog. The dog will never say anything. But a year from now if someone asked the computer what it saw you do, the computer might tell.
What about criminals getting into my data?
There are hacker threats. Compared with the threat of what you give away, they’re kind of the background noise, but they’re real. Primarily people are stealing data for financial fraud, and the effort is to get account numbers, passwords — information that can be used for identity theft.
Can I protect myself?
You can do things around the edges, but in the main, not really. And what’s interesting is why not really: Most of your data is not under your control.
How can you protect your Gmail? You can’t. Google protects it. Google can do a good job or a bad job, but you can’t fix it.
That Target hack was interesting because it happened out of Target servers: You as a Target customer could do nothing. It was a wholesale attack: Stealing one credit card is inefficient, so thieves break into a server and steal 40 million.
What are the things you can do around the edges?
You can do things like not putting your passwords in an email. Have good antivirus software. Make sure your software is updated. This is good computer hygiene. But the big threats are not related to those solutions.
Is biometrics, like using your thumbprint to open your phone, safer than using a password?
I wrote a piece on Apple’s new fingerprint ID, and I said on the whole this is a good idea. It secures the phone in ways that you’d probably not secure it otherwise. But the neat thing about a password is that if someone steals it, you can make a new one. If someone steals your biometric data, you can’t get a new thumb.
You said having a credit card number stolen isn’t that big a deal. Why? It feels scary.
Card fraud has been largely solved by credit card companies. They want you to use your cards, so they’ve made it easy to get problems fixed. Other kinds of identity theft are nastier, like when someone gets credit in your name.
Card lenders are also legally liable for the losses. You’ve said liability is a key to good security.
We need to put the risk onto the organizations with the power to fix the problem. Congress limited the amount you were liable for credit card fraud to $50. The lender pays the rest. So the people in the position to implement security have the incentive to do so.
As we move into this era where you have less control over security, those who have control should have the liability. If your email provider has lousy security and you suffer privacy loss as a result, you should have legal recourse. That aligns the incentives properly.
Sometimes people seem to shrug off all these privacy concerns. Why?
They’re not unconcerned. It’s that this is how you live your life. You really don’t have a choice. It’s hard to live without Facebook or a cellphone. We’re dealing with immediate gains vs. long-term, nebulous losses. Those are hard tradeoffs for people.
So what do I do, then?
Take a deep breath and go outside and play.