Q&A: Crypto-guru Bruce Schneier on teaching tech to lawmakers, plus privacy failures – and a call to techies to act

'Politicians are reluctant to disrupt the enormous wealth creation machine technology has turned out to be'

RSA Politicians are, by and large, clueless about technology, and it's going to be up to engineers and other techies to rectify that, even if it means turning down big pay packets for a while.

This was the message computer security guru Bruce Schneier gave at last week's RSA Conference in San Francisco, during a keynote address, and it appeared to strike a chord with listeners. Schneier pointed out that, for lawyers, doing pro bono work was expected and a route to career success. The same could be true for the technology industry, he opined.

We sat down with Schneier to have a chat after he had finished autographing copies of his latest book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, to go over the ideas in more detail, and to get his views on where governments are going to take us in the future. Below, our questions are in bold, and Schneier's responses are not.

Q. Your RSAC keynote highlighted the growing mismatch between public policy and technological development. Why are lawmakers having such problems with the technology sector?

A. Tech is new. Tech is specialized and hard to understand. Tech moves fast, and is constantly changing. All of that serves to make the tech sector difficult to legislate. And legislators don’t have the expertise on staff to counter industry statements or positions. On top of that, tech is incredibly valuable.

Lawmakers are reluctant to disrupt the enormous wealth creation machine that technology has turned out to be. They’re more likely to acquiesce to the industry’s demands to leave them alone and unregulated, to innovate as they see fit.

And finally, some of the very features we might expect government to regulate – such as the rampant surveillance capitalism that has companies collecting so much of our data in order to manipulate us into buying products from their advertisers – are ones that they themselves use when election season rolls around.

Q. With technology evolving so rapidly, can any government hope to keep up on a legislative level? Or are there core values in law that can be applied?

A. Technology has reached the point where it moves faster than policy. A hundred years ago, someone could invent the telephone and give legislators and courts decades to work out the laws affecting it before the devices became pervasive.

Today, technology moves much faster. Drones, for example, became common faster than our legislators could react to their possibility. Our only hope is to either write laws that are technologically invariant, or write broad laws and leave it to the various government agencies to work out the details.

Q. You've called for public-interest technologists to help bridge the impasse between policy and government. How would that work exactly?

A. We need technologists in all aspects of policy: at government agencies, on legislative staffs, working with the courts, in non-government organizations, as part of the press. We need technologists to understand policy, and to help – and in some cases become – policymakers. We need this because we will never get sensible tech policy if those in charge of policy don’t understand the tech.

There are many ways to do this. Some technologists will go into policy full time. Some will do it as a sabbatical in their otherwise more conventional career. Some will do it part time on their own, or part time as part of the “personal projects” some companies allow them to have.

Q. Why would tech companies go for this? What's in it for them?

A. Largely, the tech companies won’t go for it. The last thing they want are smart legislators, judges, and regulators. They would rather be able to spin their own stories unopposed. But I don’t need the tech companies do to anything; this is a call to tech employees.

And technologists need to understand how much power they actually have. Even the large tech monopolies that don’t compete with any other company – that treat their users as commodities to be sold – compete with each other for talent.

As employees, technologists wield enormous power. They can force the companies they work for to abandon lucrative US military contracts, or efforts to assist with censorship in China. If employees start to routinely demand the companies they work for behave more morally, the change would be both swift and dramatic.

But in the end, tech companies will value the policy experience of people who have done a tour in a government agency, or worked on a government panel. It makes them more rounded. It gives them a perspective their peers will lack.

Q. And what about the concern that this could turn into a lobbying effort by the tech sector? Is there a way to keep this honest?

A. The tech sector is already lobbying. This is the way to keep them honest, by having tech experts on the other side.

Q. The EU has instituted GDPR and the first effects are being felt. What effect do you think that'll have globally?

A. It’s interesting to watch the global effects of GDPR. Because software tends to be write-once-sell-everywhere, it’s often easier to comply with regulations globally than it is to differentiate.

We see this most obviously in security regulations. Last year, California passed an IoT security law that, among other things, prohibits default passwords. When that law comes into force in 2020, companies won’t maintain two version of their products: one for California and another for everyone else. They’ll update their software, and make that more secure version available globally.

Similarly, we’re already seeing many companies implement GDPR globally because it’s just easier to do that than it is to figure out who is an EU person and thus subject to the constraints of that law. The lesson is that restrictive laws in any reasonably large market are likely to have effects worldwide.

Q. Do you think the US will implement similar laws federally, or are we looking at a state-by-state basis?

A. We’re seeing two opposing trends in the US. The first is at the state level. Legislators, frustrated by the inaction in Congress, are starting to enact state privacy and security laws. California passed a comprehensive privacy law in 2018. Vermont took the first steps to regulate data brokers. New York is trying to regulate cryptocurrencies. Massachusetts and other states are also working on these issues. These are all important efforts, for the reasons I outlined above.

The other trend is that the big tech companies are starting to push for a mediocre federal privacy law that would preempt all state laws. This would be a major setback for security and privacy, of course, and I expect it to be one of the big battlegrounds in 2020.

Q. Globally, is this going to fracture or is there a broad consensus to be reached?

It’s already fracturing in three broad pieces. There’s the EU, which is the current regulatory superpower. There are totalitarian countries like China and Russia, which are using the Internet for social control.

And there’s the US, which is allowing the tech companies to create whatever world they find the most profitable. All are exporting their visions to receptive countries.

To me, the question is how severe this fracturing will be. ®

Other stories you might like

  • Walmart accused of turning blind eye to transfer fraud totaling millions of dollars
    Store giant brands watchdog's lawsuit 'factually misguided, legally flawed'

    The FTC has sued Walmart, claiming it turned a blind eye to fraudsters using its money transfer services to con folks out of "hundreds of millions of dollars."

    In a lawsuit [PDF] filed Tuesday, the US regulator claimed the superstore giant is "well aware" of telemarketing fraudsters and other scammers convincing victims to part with their hard-earned cash via its services, with the money being funneled to domestic and international crime rings.

    Walmart is accused of allowing these fraudulent money transfers to continue, failing to warn people to be on their guard, and failing to adopt policies and train employees on how to prevent these types of hustles.

    Continue reading
  • HPE unveils Arm-based ProLiant server for cloud-native workloads
    Looks like it went with Ampere – which means a certain Reg writer lost a bet

    Arm has a champion in the shape of HPE, which has added a server powered by the British chip designer's CPU cores to its ProLiant portfolio, aimed at cloud-native workloads for service providers and enterprise customers alike.

    Announced at the IT titan's Discover 2022 conference in Las Vegas, the HPE ProLiant RL300 Gen11 server is the first in a series of such systems powered by Ampere's Altra and Altra Max processors, which feature up to 80 and 128 Arm-designed Neoverse cores, respectively.

    The system is set to be available during Q3 2022, so sometime in the next three months, and is basically an enterprise-grade ProLiant server – but with an Arm CPU at its core instead of the more usual Intel Xeon or AMD Epyc X86 chips.

    Continue reading
  • US weather forecasters power up latest supercomputers to keep you out of the rain
    NOAA makes it rain for HPE, AMD

    Predicting the weather is a notoriously tricky enterprise, but that’s never held back America's National Oceanic and Atmospheric Administration (NOAA). After more than two years of development, the agency brought a pair of supercomputers online this week that it says will enable more accurate forecast models.

    Developed and maintained by General Dynamics Information Technology (GDIT) under an eight-year contract, the Cactus and Dogwood supers — named after the fauna native to the machines' homes in Phoenix, Arizona, and Manassas, Virginia, respectively — will support larger, higher-resolution models than previously possible. The cost to build, house, and support and operate these machines, now operational, will cost $150 million over the next five years, we understand.

    “People are looking for the best possible weather forecast information that they can get,” Brian Gross, director of the Environmental Modeling Center for the National Weather Service, told The Register.

    Continue reading
  • Google said to be taking steps to keep political campaign emails out of Gmail spam bin
    Just after Big Tech comes under fire for left and right-leaning message filters

    Google has reportedly asked the US Federal Election Commission for its blessing to exempt political campaign solicitations from spam filtering.

    The elections watchdog declined to confirm receiving the supposed Google filing, obtained by Axios, though a spokesperson said the FEC can be expected to publish an advisory opinion upon review if Google made such a submission.

    Google did not immediately respond to a request for comment. If the web giant's alleged plan gets approved, political campaign emails that aren't deemed malicious or illegal will arrive in Gmail users' inboxes with a notice asking recipients to approve continued delivery.

    Continue reading
  • China is trolling rare-earth miners online and the Pentagon isn't happy
    Beijing-linked Dragonbridge flames biz building Texas plant for Uncle Sam

    The US Department of Defense said it's investigating Chinese disinformation campaigns against rare earth mining and processing companies — including one targeting Lynas Rare Earths, which has a $30 million contract with the Pentagon to build a plant in Texas.

    Earlier today, Mandiant published research that analyzed a Beijing-linked influence operation, dubbed Dragonbridge, that used thousands of fake accounts across dozens of social media platforms, including Facebook, TikTok and Twitter, to spread misinformation about rare earth companies seeking to expand production in the US to the detriment of China, which wants to maintain its global dominance in that industry. 

    "The Department of Defense is aware of the recent disinformation campaign, first reported by Mandiant, against Lynas Rare Earth Ltd., a rare earth element firm seeking to establish production capacity in the United States and partner nations, as well as other rare earth mining companies," according to a statement by Uncle Sam. "The department has engaged the relevant interagency stakeholders and partner nations to assist in reviewing the matter.

    Continue reading
  • California's attempt to protect kids online could end adults' internet anonymity
    Websites may be forced to verify ages of visitors unless changes made

    California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.

    Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.

    "First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."

    Continue reading

Biting the hand that feeds IT © 1998–2022