Destroying Trust in the Digital Age

International Herald Tribune

August 13, 2012

Bruce Schneier ordered a Coke, no ice, at the Rio casino on a Saturday afternoon. I ordered Diet Coke, also no ice, and handed the bartender an American Express card. He said he needed to see proof of identity. Credit cards are often stolen around here, he quietly explained, and eight casino workers had recently been fired for not demanding ID. The bartender wanted to keep his job.

Mr. Schneier, 49, is a student of interactions such as this, offline and on. He is a cryptographer, blogger and iconoclast in the world of computer security, and his latest subject of inquiry is trust: how it is cultivated, destroyed and tweaked in the digital age.

Offline, he likes to point out, we have ways to establish trust, as in this casino, where we expect the bartender to serve us a soda, not a poisoned chalice. We establish trust based on how we speak, whether we appear drunk or deranged, whether we meet at a casino or a toy store—and also, irrationally, on attributes such as race and age.

Online, this becomes even more complicated, Mr. Schneier argues. We no longer think twice about letting our friends see our vacation pictures on Flickr, now owned by Yahoo. So habituated have we become to revealing intimate details, Mr. Schneier says, we forget that Facebook, the company, can read our missives at any time, potentially forever.

Mr. Schneier is in charge of technology security at BT, the British telecommunications company. His latest book, Liars and Outliers, is filled with foreboding: less about technology than about the vulnerability of the heart and mind. “The technology changes how our social interactions work, but it’s easy to forget that,” he wrote. “In this way, our traditional intuition of trust and security fails.”

That failure brings new dilemmas in the internet age. How do you know whether the email that looks as if it’s from your bank is real? Should you trust Apple with your credit card information? A recent hack of a technology blogger’s Apple account raised this sobering question.

Can you trust the authorities to respect your online privacy? The Department of Homeland Security has been known to comb through Twitter for words—such as pipe bomb, plume and listeria—that might signal trouble.

Law struck down

Distrust recently helped scuttle what was to be a landmark law to protect critical infrastructure from cyberattack. The measure would have encouraged companies to share information with the government on cyberthreats.

Suspicion of authority animates the chat rooms of activist hackers associated with Anonymous. A prominent member who went by the alias Sabu turned out last year to be an FBI informant who helped indict several fellow hacktivists.

Trust, Mr. Schneier wrote, is the glue that binds societies. Over centuries, humans have invented various means of ensuring it: moral codes, reputation within a certain community, laws and, of course, security tools from embankments, the most primitive kind of defense, to facial-recognition technology.

The liars he worries about most these days are not cyberwarriors or even cybercriminals, but rather private companies and government agencies advancing their own interests, whether for surveillance or commerce. Apple controls the memory on our iPhones. Google keeps tabs on what we search for and whom we write to when we use Gmail. We unknowingly pledge allegiance to the companies we do business with.

“Now we have to trust all these entities,” Mr. Schneier wrote. “Google has great customer service. Problem is, you’re not the customer. … ‘Security’ is now a catchall excuse for all sorts of authoritarianism, as well as for boondoggles and corporate profiteering.”

Mr. Schneier is not exactly hiding in a cave. His Twitter feed has nearly 20,000 followers. His author page on Facebook links to reports and papers on topics such as how to hack hotel room keys, how to devise “implicit authentication,” which relies on subconscious memory rather than hard-to-remember passwords, and how to fool eye scanners.

“We already know you can wear fake irises to fool a scanner into thinking you’re not you,” he wrote, “but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you’re someone else.”

Fight for your rights

A native New Yorker who lives in Minneapolis, Mr. Schneier is something of a contrarian. He saves what hair he has left for a ponytail. He sued the Transportation Security Agency over its use of body scanners and exhorts audiences to opt out of security screenings—not because of radiation or because they are ineffective but because, as he says, it is worth preserving the right to opt out.

Mr. Schneier takes occasional potshots at security consultants; extols hackers, who he says look at things in “a certain sideways way”; and advocates for the right to be anonymous online in certain circumstances.

Stewart Baker, who also has written about cryptography, served as the National Security Agency’s chief lawyer and debated Mr. Schneier on occasion, sees an inherent conflict among some of Mr. Schneier’s ideals. Mr. Baker argues that people cannot insist on anonymity and simultaneously expect to enforce a system of trust.

“His individual response to rules is to celebrate rule-breakers and to see value in transgression and to discount the value of authority,” Mr. Baker said of Mr. Schneier. “His personal sensibility is to run with outlaws, but when he looks at society, he realizes we can’t all run with the outlaws.”

I asked Mr. Schneier what kept him up at night. His answers surprised me. He’s more worried about the international cyberarms race than about outright cyberwar. He also is concerned about cybercrime. But his greatest fear is ubiquitous surveillance: license-plate readers, sensors, geolocation tracking and so on.

He is troubled, too, by the internet’s refusal to let our memories fade. He predicts a presidential race in the near future in which a candidate’s bad junior high school poetry will be resurrected as a political weapon. “You should be mindful,” he warned, “that the internet never forgets.”