Congress party workers shout slogans during a protest accusing Prime Minister Narendra Modi’s government of using military-grade spyware to monitor political opponents, journalists, and activists in New Delhi
For many, the world of data and cybersecurity can feel nebulous. But as abstract as blockchain, spyware, and Big Tech may seem, they have major implications for the everyday person’s privacy — and for journalism, on how reporters can incorporate tech into their work, how newsrooms can protect their staff from cyberattacks, and how the media can make complicated data-driven stories digestible to audiences.
Bruce Schneier, dubbed the “security guru” by The Economist, broke this all down in a seminar with the Nieman Foundation in April. An international security expert, he is the author of 14 books, including the New York Times best-seller “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World,” along with hundreds of articles, essays, and academic papers. Schneier also writes the newsletter “Crypto-Gram” and runs the popular blog Schneier on Security, which is read by over 250,000 people. He is a fellow at the Berkman Center for Internet and Society at Harvard University, a fellow at the Belfer Center at Harvard’s Kennedy School of Government, and a board member of the Electronic Frontier Foundation.
Edited excerpts:
On writing good data-driven journalism
I need you to be a little bit good in data science or know how to hire a data scientist when there’s data science-driven journalism.
I’m thinking of the New York Times report from a couple of weeks ago, how they proved that it was the Russians that conducted the genocide [in Bucha, Ukraine]. They were able to pull satellite photos, do pattern matching, and determine the dates on which bodies appeared on the streets.
That’s data-driven journalism. That’s fantastic work. It probably wouldn’t have been impossible 10 years ago.
My chief skill, I have found, has been [as a] translator. My first book translates math to programmers. My current work translates tech policy to regular people.
If you read my essays and op-eds, I’m constantly trying to write accessibly to the average intelligent person about tech topics — and make them understand why Google tracking matters, or why the safety of the Internet connection on your refrigerator matters.
One of the problems we have in tech is [that] techies write like techies. If you’ve read that stuff, you don’t want to read that stuff. Someone needs to translate.
On spyware
This stuff [spyware] has been going on for decades, and we’ve been writing about it for decades. [The New Yorker’s “How Democracies Spy on Their Citizens”] is not the first mainstream article on an NSO Group. You can probably find New York Times articles going back three to four years.
What’s happening is it’s becoming more mainstream. That software spies on you isn’t new. That’s as old as the public Internet. That’s the mid-90s.
In mainstream journalism, I think they’ve been writing about it for a while. I don’t even think I’d say they’ve finally woken up. It’s because it’s taking on a new urgency with the rise of authoritarianism. It’s being pulled along by the tech that supports it.
We’re seeing journalists being hacked, arrested, tortured, and occasionally murdered because of this software. It’s becoming more real in that respect, but it is not new. None of this is new. There is a new publicity.
You could argue this topic still isn’t mainstream, and we have never seen a presidential debate question on this topic. That’s interesting. We’ve never seen, that I know of, a Senate candidate who has campaigned on this issue. There are legislators who think it’s important, but it’s not a campaign issue. That makes it a secondary issue even with everything that’s happening today. That hasn’t changed.
What can the press do about it? I want you to report on it. I want these articles to make the headlines. It’s hard. The world is such a dumpster fire that this probably isn’t going to be above the fold very often, but once in a while, it should be. It shouldn’t just be when the Chinese [break into] Equifax and steal the data of 140.7 million Americans.
On holding Big Tech accountable
We’re seeing this techno-optimism: “Elon Musk is going to save Twitter and save the world.” [We’ve] seen the moral panics: “Oh, my god, Internet porn, everything’s going to be bad.” They’re both caricatures of what’s going on, which is complex and nuanced.
How could a journalist expose Theranos as a massive fraud? It took a whistleblower inside the company to figure it out and then talk to a journalist.
One of the things I do in my [Harvard Kennedy School cybersecurity policy] classes is have the students really look at the press releases that these companies produce. Lots of it is PR bullshit faithfully regurgitated as news, when it’s not. How do we [acquire] the critical skills to recognize PR bullshit for what it is? I don’t know the answer, but we need to, at all levels.
The CEOs of tech companies go to a congressional hearing, and everybody wants their autograph. This is not going to be the recipe for successful oversight. This is a bigger problem. It’s the problem that we just don’t have the governance structures in place, and the tech companies, because they’re paying all the money, have all the expertise.
I wrote an op-ed a couple of weeks ago that criticized Microsoft. And I had trouble publishing it with think tanks and policy organizations, because they were afraid of offending Microsoft. The company is basically buying the silence of NGOs. This seems bad. It’s very hard to speak truth to power when power is paying your bills.
On blockchain
I wish you’d do good journalism on this. It’s hard. The New York Times published “The Latecomers Guide to Crypto” a few weeks ago. It’s terrible. Some group did “The Annotated Latecomers Guide to Crypto,” which tries to put some balance into that article.
Cryptocurrency — which is built on blockchain — is speculative. It’s embarrassingly insecure. It’s an investment bubble. Blockchain has no actual value. These are not controversial views. Everybody in computer security says this. Blockchain is very much a product of Silicon Valley libertarian crypto-bros and is their way to stick it to the man. That’s pretty much all it is. I would like to see better journalism [on blockchain].
If you ask me if there’s any journalistic uses for the blockchain, the answer is no. Not one. Anytime you see a journalism application that uses the blockchain, look at it and remove the blockchain; you’ll get all the value, and it’ll be better. Blockchain does not give you security, nor does it reduce trust. It is all hype.
On how journalists can become more tech savvy
First, protect yourselves. The Committee to Protect Journalists is a good resource for tech to protect you and your sources. We have a famous early hacking attempt, what, 2010, 2012? That one was China hacking The New York Times, trying to get the name of a source for an anti-corruption story.
We’re having a lot of journalists being targeted by governments for the work they’re doing. I worry less about U.S. journalists, more about journalists inside those countries and the sources of U.S. journalists inside those countries. Educate yourself on the tech. Use good tech. There are other resources. The Electronic Frontier Foundation has a security self-defense guide. Look at the resources and use secure communications. Use good tech, and that protects you and your sources.
Download Signal. Then think about using SecureDrop as a way for whistleblowers to give you information securely.
Think about your data hygiene. Think about where your data is stored. Covering the news is a lot harder because I want you to have the skills to be an intelligent analyst of these stories. I think the solution is going to be putting technologists on your staff. The New York Times has data scientists on their staff. This is critical.
Knowing tech is a skill set. There’s a class-action lawsuit going on right now where Google is being accused of basically deceiving people about incognito mode, its private browsing mode. The merits of that case are all about the technical details of what Google can do compared to the statements it made in its privacy policy, in the press, and to its Chrome users of what they would do.
That’s a tech story. You can’t report it properly unless you can understand the technology. Otherwise, you’re going to mindlessly repeat the positions of the plaintiff or the defendants. I don’t want you to do that. Companies rely on the fact that you can’t [parse the nuances of the technology]. Governments do, too.
[In] a lot of ways, this is no different than tax havens reporting on the Pegasus Papers, the Paradise Papers, all those tax haven papers. That was hard. Those were complicated stories. It was hard to report on them. That [tax loopholes are deliberately made hard to understand] is by design.On why Americans are less concerned about privacy
In the United States, people tend to mistrust governments and trust corporations. In Europe, people tend to mistrust corporations and trust government. Europe has far fewer controls on government surveillance than the US.
The E.U. has far more rules against corporate surveillance than the US. Why do we allow so much [corporate privacy invasion in the U.S.]? Largely because it’s not salient. We know it’s true, but when we pick up our phone, we don’t say, “I’m going to put the most sophisticated tracking device ever invented in my pocket.” We put our phone in our pocket.
When we use Google, we don’t really think about that Google knows what kind of porn everybody likes. We just use it. That lack of salience makes it normal. There’s been this normalization of all of these things. It’s weird if you don’t have your phone with you.
Privacy is abstract. Abstract rights are things we tend not to notice until they’re gone.
Also, a lot of this tech is driven by middle-class white American men, which is going to lead to a certain type of thinking that doesn’t translate when you start shifting power structures. That’s a big part of it. I see it in my class. They’ll be, “I had no idea that we were being tracked like this.”
What are you going to do about it? You can’t do anything about it, and your friends are on Facebook, so you don’t really want to do anything about it. You want to talk to your friends. It’s actually hard to make people aware of these issues in a political sense. I’m not sure how to do it.
On how newsrooms should protect their journalists
I want you to invest in the tech tools to keep you safe. Journalism is getting more dangerous. The average female political reporter in the United States is being harassed. This is now what normal looks like. I think we really need to protect journalists.
Journalism is becoming a more dangerous profession. That’s bad. I don’t need to lecture you on how important journalism is. I need quality journalism, so I want you to go back and say, “Hey, these threats are real. We need to invest in journalist protection.”
Then also look at tech-driven journalism. A lot of news stories can be uncovered through data science. Latanya Sweeney, [at Harvard’s] school of government, has a class called “Data Science to Change the World.” She’s the one who used data science to figure out that Uber was discriminating against disabled passengers. That’s a real story.
There are going to be hundreds of those stories. Governments, corporations, anybody in power. We had an MIT student who’s tracking Russian oligarchs. He’s tracking their planes using public data, putting it on the web. That’s important stuff.
We’re detecting Russian troop movements through the location data from online games. That’s a new world. That’s interesting. Let’s use that.