Q&A: Crypto-guru Bruce Schneier on teaching tech to lawmakers, plus privacy failures – and a call to techies to act

'Politicians are reluctant to disrupt the enormous wealth creation machine technology has turned out to be'


RSA Politicians are, by and large, clueless about technology, and it's going to be up to engineers and other techies to rectify that, even if it means turning down big pay packets for a while.

This was the message computer security guru Bruce Schneier gave at last week's RSA Conference in San Francisco, during a keynote address, and it appeared to strike a chord with listeners. Schneier pointed out that, for lawyers, doing pro bono work was expected and a route to career success. The same could be true for the technology industry, he opined.

We sat down with Schneier to have a chat after he had finished autographing copies of his latest book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, to go over the ideas in more detail, and to get his views on where governments are going to take us in the future. Below, our questions are in bold, and Schneier's responses are not.

Q. Your RSAC keynote highlighted the growing mismatch between public policy and technological development. Why are lawmakers having such problems with the technology sector?

A. Tech is new. Tech is specialized and hard to understand. Tech moves fast, and is constantly changing. All of that serves to make the tech sector difficult to legislate. And legislators don’t have the expertise on staff to counter industry statements or positions. On top of that, tech is incredibly valuable.

Lawmakers are reluctant to disrupt the enormous wealth creation machine that technology has turned out to be. They’re more likely to acquiesce to the industry’s demands to leave them alone and unregulated, to innovate as they see fit.

And finally, some of the very features we might expect government to regulate – such as the rampant surveillance capitalism that has companies collecting so much of our data in order to manipulate us into buying products from their advertisers – are ones that they themselves use when election season rolls around.

Q. With technology evolving so rapidly, can any government hope to keep up on a legislative level? Or are there core values in law that can be applied?

A. Technology has reached the point where it moves faster than policy. A hundred years ago, someone could invent the telephone and give legislators and courts decades to work out the laws affecting it before the devices became pervasive.

Today, technology moves much faster. Drones, for example, became common faster than our legislators could react to their possibility. Our only hope is to either write laws that are technologically invariant, or write broad laws and leave it to the various government agencies to work out the details.

Q. You've called for public-interest technologists to help bridge the impasse between policy and government. How would that work exactly?

A. We need technologists in all aspects of policy: at government agencies, on legislative staffs, working with the courts, in non-government organizations, as part of the press. We need technologists to understand policy, and to help – and in some cases become – policymakers. We need this because we will never get sensible tech policy if those in charge of policy don’t understand the tech.

There are many ways to do this. Some technologists will go into policy full time. Some will do it as a sabbatical in their otherwise more conventional career. Some will do it part time on their own, or part time as part of the “personal projects” some companies allow them to have.

Q. Why would tech companies go for this? What's in it for them?

A. Largely, the tech companies won’t go for it. The last thing they want are smart legislators, judges, and regulators. They would rather be able to spin their own stories unopposed. But I don’t need the tech companies to do anything; this is a call to tech employees.

And technologists need to understand how much power they actually have. Even the large tech monopolies that don’t compete with any other company – that treat their users as commodities to be sold – compete with each other for talent.

As employees, technologists wield enormous power. They can force the companies they work for to abandon lucrative US military contracts, or efforts to assist with censorship in China. If employees start to routinely demand the companies they work for behave more morally, the change would be both swift and dramatic.

But in the end, tech companies will value the policy experience of people who have done a tour in a government agency, or worked on a government panel. It makes them more rounded. It gives them a perspective their peers will lack.

Q. And what about the concern that this could turn into a lobbying effort by the tech sector? Is there a way to keep this honest?

A. The tech sector is already lobbying. This is the way to keep them honest, by having tech experts on the other side.

Q. The EU has instituted GDPR and the first effects are being felt. What effect do you think that'll have globally?

A. It’s interesting to watch the global effects of GDPR. Because software tends to be write-once-sell-everywhere, it’s often easier to comply with regulations globally than it is to differentiate.

We see this most obviously in security regulations. Last year, California passed an IoT security law that, among other things, prohibits default passwords. When that law comes into force in 2020, companies won’t maintain two versions of their products: one for California and another for everyone else. They’ll update their software, and make that more secure version available globally.

Similarly, we’re already seeing many companies implement GDPR globally because it’s just easier to do that than it is to figure out who is an EU person and thus subject to the constraints of that law. The lesson is that restrictive laws in any reasonably large market are likely to have effects worldwide.

Q. Do you think the US will implement similar laws federally, or are we looking at a state-by-state basis?

A. We’re seeing two opposing trends in the US. The first is at the state level. Legislators, frustrated by the inaction in Congress, are starting to enact state privacy and security laws. California passed a comprehensive privacy law in 2018. Vermont took the first steps to regulate data brokers. New York is trying to regulate cryptocurrencies. Massachusetts and other states are also working on these issues. These are all important efforts, for the reasons I outlined above.

The other trend is that the big tech companies are starting to push for a mediocre federal privacy law that would preempt all state laws. This would be a major setback for security and privacy, of course, and I expect it to be one of the big battlegrounds in 2020.

Q. Globally, is this going to fracture or is there a broad consensus to be reached?

A. It’s already fracturing in three broad pieces. There’s the EU, which is the current regulatory superpower. There are totalitarian countries like China and Russia, which are using the Internet for social control.

And there’s the US, which is allowing the tech companies to create whatever world they find the most profitable. All are exporting their visions to receptive countries.

To me, the question is how severe this fracturing will be. ®
