Q&A: Crypto-guru Bruce Schneier on teaching tech to lawmakers, plus privacy failures – and a call to techies to act
'Politicians are reluctant to disrupt the enormous wealth creation machine technology has turned out to be'
RSA Politicians are, by and large, clueless about technology, and it's going to be up to engineers and other techies to rectify that, even if it means turning down big pay packets for a while.
This was the message computer security guru Bruce Schneier gave at last week's RSA Conference in San Francisco, during a keynote address, and it appeared to strike a chord with listeners. Schneier pointed out that, for lawyers, doing pro bono work was expected and a route to career success. The same could be true for the technology industry, he opined.
We sat down with Schneier to have a chat after he had finished autographing copies of his latest book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, to go over the ideas in more detail, and to get his views on where governments are going to take us in the future. Below, our questions are in bold, and Schneier's responses are not.
Q. Your RSAC keynote highlighted the growing mismatch between public policy and technological development. Why are lawmakers having such problems with the technology sector?
A. Tech is new. Tech is specialized and hard to understand. Tech moves fast, and is constantly changing. All of that serves to make the tech sector difficult to legislate. And legislators don’t have the expertise on staff to counter industry statements or positions. On top of that, tech is incredibly valuable.
Lawmakers are reluctant to disrupt the enormous wealth creation machine that technology has turned out to be. They’re more likely to acquiesce to the industry’s demands to leave them alone and unregulated, to innovate as they see fit.
And finally, some of the very features we might expect government to regulate – such as the rampant surveillance capitalism that has companies collecting so much of our data in order to manipulate us into buying products from their advertisers – are ones that they themselves use when election season rolls around.
Q. With technology evolving so rapidly, can any government hope to keep up on a legislative level? Or are there core values in law that can be applied?
A. Technology has reached the point where it moves faster than policy. A hundred years ago, someone could invent the telephone and give legislators and courts decades to work out the laws affecting it before the devices became pervasive.
Today, technology moves much faster. Drones, for example, became common faster than our legislators could react to their possibility. Our only hope is to either write laws that are technologically invariant, or write broad laws and leave it to the various government agencies to work out the details.
Q. You've called for public-interest technologists to help bridge the impasse between policy and government. How would that work exactly?
A. We need technologists in all aspects of policy: at government agencies, on legislative staffs, working with the courts, in non-government organizations, as part of the press. We need technologists to understand policy, and to help – and in some cases become – policymakers. We need this because we will never get sensible tech policy if those in charge of policy don’t understand the tech.
There are many ways to do this. Some technologists will go into policy full time. Some will do it as a sabbatical in their otherwise more conventional career. Some will do it part time on their own, or part time as part of the “personal projects” some companies allow them to have.
Q. Why would tech companies go for this? What's in it for them?
A. Largely, the tech companies won’t go for it. The last thing they want are smart legislators, judges, and regulators. They would rather be able to spin their own stories unopposed. But I don’t need the tech companies to do anything; this is a call to tech employees.
And technologists need to understand how much power they actually have. Even the large tech monopolies that don’t compete with any other company – that treat their users as commodities to be sold – compete with each other for talent.
As employees, technologists wield enormous power. They can force the companies they work for to abandon lucrative US military contracts, or efforts to assist with censorship in China. If employees start to routinely demand the companies they work for behave more morally, the change would be both swift and dramatic.
But in the end, tech companies will value the policy experience of people who have done a tour in a government agency, or worked on a government panel. It makes them more rounded. It gives them a perspective their peers will lack.
Q. And what about the concern that this could turn into a lobbying effort by the tech sector? Is there a way to keep this honest?
A. The tech sector is already lobbying. This is the way to keep them honest, by having tech experts on the other side.
Q. The EU has instituted GDPR and the first effects are being felt. What effect do you think that'll have globally?
A. It’s interesting to watch the global effects of GDPR. Because software tends to be write-once-sell-everywhere, it’s often easier to comply with regulations globally than it is to differentiate.
We see this most obviously in security regulations. Last year, California passed an IoT security law that, among other things, prohibits default passwords. When that law comes into force in 2020, companies won’t maintain two versions of their products: one for California and another for everyone else. They’ll update their software, and make that more secure version available globally.
Similarly, we’re already seeing many companies implement GDPR globally because it’s just easier to do that than it is to figure out who is an EU person and thus subject to the constraints of that law. The lesson is that restrictive laws in any reasonably large market are likely to have effects worldwide.
Q. Do you think the US will implement similar laws federally, or are we looking at a state-by-state basis?
A. We’re seeing two opposing trends in the US. The first is at the state level. Legislators, frustrated by the inaction in Congress, are starting to enact state privacy and security laws. California passed a comprehensive privacy law in 2018. Vermont took the first steps to regulate data brokers. New York is trying to regulate cryptocurrencies. Massachusetts and other states are also working on these issues. These are all important efforts, for the reasons I outlined above.
The other trend is that the big tech companies are starting to push for a mediocre federal privacy law that would preempt all state laws. This would be a major setback for security and privacy, of course, and I expect it to be one of the big battlegrounds in 2020.
Q. Globally, is this going to fracture or is there a broad consensus to be reached?
A. It’s already fracturing in three broad pieces. There’s the EU, which is the current regulatory superpower. There are totalitarian countries like China and Russia, which are using the Internet for social control.
And there’s the US, which is allowing the tech companies to create whatever world they find the most profitable. All are exporting their visions to receptive countries.
To me, the question is how severe this fracturing will be.