Bruce Schneier, columnist for Wired and chief security technology officer of BT, started out as an expert on cryptography. He has gradually become the go-to guy for fresh ideas about all kinds of security questions, digital and physical. His most recent book on the subject is Schneier on Security (Wiley). In January, Associate Editor Katherine Mangu-Ward spoke with Schneier about privacy, economics, and the security state.
Q: What's the central problem with the Transportation Security Administration?
A: The TSA focuses too much on specific tactics and targets. This makes sense politically but is a bad use of security resources. Think about the last eight years. We take away guns and knives, and the terrorists use box cutters. We confiscate box cutters and knitting needles, and they put explosives in their shoes. We screen shoes, and they use liquids. We take away liquids, and they'll do something else. This is a dumb game; the TSA should stop playing. Some screening is necessary to stop the crazy and the stupid, but it's not going to stop a professional terrorist attack. We don't need more and better screening. We need less.
On the other hand, I like seeing the direction they're heading in terms of behavioral profiling, though we need to be careful. Done wrong, it's nothing more than stereotyping; but done right, it can be very effective. It needs more focus on people and less on objects. We can't manage to keep weapons out of prisons. We'll never keep them out of airports. Oh, and stop the ID checking; the notion that there is this master list of terrorists that we can check people against is just plain silly.
Q: In Schneier on Security, you emphasize that technology isn't the only, or even the most important, part of a security solution.
A: We live in a technological world, and it's common for us to believe that technology can solve our security problems. It solves so many of our other problems, so it's a plausible belief. It's also easier to believe that a shiny new piece of technology—a new ID card, a new airport scanner, a new face recognition system—can solve our problems than [it is to believe that] boring old concepts like culture and economics [can]. Admitting that technology isn't the answer is admitting that there isn't an answer that will solve the problem, and many people can't do that yet. We've forgotten that risk is an inherent part of life.
Q: Are security and privacy in opposition?
A: The security vs. privacy dichotomy is a false one. Only identity-based security is in opposition to privacy, and there are limitations to that approach. I believe that approximately two security improvements since 9/11 have made airplane travel safer: reinforcing the cockpit door, teaching passengers they have to fight back, and—maybe—sky marshals. None of those measures has any impact on privacy. It's things like ID cards, wholesale eavesdropping on telephone calls and Internet conversations, and large government databases that affect privacy, and their security value is minimal. The real dichotomy is liberty vs. control. There might be less crime in a society with strong government controls and police-state-like surveillance, but I don't think anyone would feel safer in that society.
Q: What's your reaction when you hear people say that we live in a "security state"?
A: We live in an information state, which is subtly different. All computer processes produce data as a byproduct. As more parts of our lives are mediated by computers, more personal information about us is produced. This information is collected, and then bought and sold, by other institutions, both government and commercial, without our knowledge and consent. Some of this is driven by security concerns, but a lot of it is driven by economics. The problem is that personal data is looked at as property, which can be bought and sold, instead of as a right. Long term, we need to fix that.