Bruce Schneier – Technology Liberation Front (https://techliberation.com): Keeping politicians' hands off the Net & everything else related to technology. Feed date: Wed, 25 Jan 2012 03:48:06 +0000 (en-US).

Book Review: Liars & Outliers by Bruce Schneier (Wed, 25 Jan 2012 03:48:06 +0000)
https://techliberation.com/2012/01/24/book-review-liars-outliers-by-bruce-schneier/

My latest Forbes column is entitled “Why Doesn’t Society Just Fall Apart?” and it’s a short review of Bruce Schneier’s latest book, Liars & Outliers: Enabling the Trust that Society Needs to Thrive. It’s an interesting exploration of the societal pressures that combine to ensure that (most!) societies don’t go off the rails and end in anarchic violence. In particular, he identifies and discusses four “societal pressures” that combine to help create and preserve trust within society. Those pressures are: (1) moral pressures; (2) reputational pressures; (3) institutional pressures; and (4) security systems. By “dialing in” these societal pressures in varying degrees, trust is generated over time within groups.

Of course, these societal pressures also fail on occasion, Schneier notes. He explores a host of scenarios — in organizations, corporations, and governments — when trust breaks down because defectors seek to evade the norms and rules the society lives by. These defectors are the “liars and outliers” in Schneier’s narrative and his book is an attempt to explain the complex array of incentives and trade-offs that are at work and which lead some humans to “game” systems or evade the norms and rules others follow.

The most essential lesson Schneier teaches us is that perfect security is an illusion. We can rely on those four societal pressures in varying mixes to mitigate problems like theft, terrorism, fraud, online harassment, and so on, but it would be foolish and dangerous to believe we can eradicate such problems completely. “There can be too much security,” Schneier explains, because, at some point, constantly expanding security systems and policies will result in rapidly diminishing returns. Trying to eradicate every social pathology would bankrupt us and, worse yet, “too much security system pressure lands you in a police state,” he correctly notes.

Schneier’s framework is particularly useful when addressing a variety of security dilemmas in the field of information policy. “Parasites are all over the Internet,” he notes, and “new technologies, new innovations, and new ideas increase the scope of defection in several dimensions.” Whether it’s spam, malware attacks, data theft, copyright piracy, or cybersecurity, the defectors have a first-mover advantage in that “they get to try the new attack first.” The Net and new digital networks and technologies have created a never-ending cat-and-mouse game: “It’s a race between the ability to deceive and the ability to detect deception,” Schneier notes. Again, there are no silver-bullet solutions because “this process never ends.” As he correctly concludes, we must accept the fact that “security is a process, not a product.”

I recommend Schneier’s book and encourage you to read my entire review over at Forbes.

OECD: “Cyberwar” Overhyped (Fri, 21 Jan 2011 18:29:59 +0000)
https://techliberation.com/2011/01/21/oecd-cyberwar-overhyped/

(HT: Schneier) Here’s a refreshingly careful report on cybersecurity from the Organization for Economic Cooperation and Development’s “Future Global Shocks” project. Notably: “The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.” There will be no cyber-“The Day After.”

Here are a few cherry-picked top lines:

Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.
The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.
Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.

The hyping of “cyber” threats—bordering on hucksterism—should stop. Many different actors have a good deal of work to do on securing computers, networks, and data. But there is no crisis, and the likelihood of any cybersecurity failure causing a crisis is extremely small.

Schneier on Facebook: Factually Incorrect (Wed, 13 Oct 2010 13:00:40 +0000)
https://techliberation.com/2010/10/13/schneier-on-facebook-factually-incorrect/

(Second in a series.)

The Register quotes security guru Bruce Schneier saying: “Facebook is the worst [privacy] offender – not because it’s evil but because its market is selling user data to its commercial partners.”

Facebook’s business model is to guide advertisements on its site toward users based on their interests as revealed by data about them. It is not to sell data about users. Selling data about users would undercut its advertising business.

It’s easy to misspeak in extemporaneous comments, and The Register is not your most careful media outlet. But we’ve almost got enough data points to show a consistent practice of misrepresentation on Bruce Schneier’s part. Perhaps that should be actionable as an unfair or deceptive practice under section five of the FTC Act.

Schneier on Data Collection and “Deception” (Tue, 28 Apr 2009 12:12:03 +0000)
https://techliberation.com/2009/04/28/schneier-on-data-collection-and-deception/

I’ve been quite depressed to witness Bruce Schneier’s ongoing conversion from opponent of government intervention in the high-tech economy (at least on encryption) to vociferous proponent (at least in terms of privacy regulation).  Anyway, his latest cheerleading piece for government privacy regulation in The Wall Street Journal includes lots of fear-mongering about private website data collection for, God forbid, purposes of trying to better target advertising and market us products we might actually want.

Schneier uses the term “deceptive” several times in the piece to refer to privacy policies that don’t make it explicitly clear that some of the information you leave on a site, or that is collected preemptively by them, will be used to craft more targeted marketing efforts.  Like many other would-be privacy regulators, Schneier seemingly wants companies to fly blimps over your desk as you surf the Net with big signs that basically say: ‘Hey stupid, your info may be used to market you stuff.’  It’s hard to be against more disclosure, of course — and most sites spell out what they do with data in their privacy policies — but it never seems to be good enough for most privacy advocates, who paint consumers out to be mindless sheep who cannot be trusted to make wise decisions for themselves.  Sorry, but I just don’t buy it.

Specifically, I think there’s a pretty easy solution to the concern Schneier articulates about cloud computing when he says:

Cloud computing services like Google Docs, and social networking sites like RealAge and Facebook, bring with them significant privacy and security risks over and above traditional computing models. Unlike data on my own computer, which I can protect to whatever level I believe prudent, I have no control over any of these sites, nor any real knowledge of how these companies protect my privacy and security. I have to trust them.

Huh?  Why do you just “have to trust them”?  How about just not using those services?!  Or, use privacy self-help solutions when possible to manage your privacy preferences.  And for God’s sake Bruce, you wrote the definitive textbook on cryptography!  How about using encryption if you’re so concerned about who might be collecting your data online??

Meanwhile, Schneier doesn’t bother telling us what economic engine is going to power the Internet economy going forward once the privacy regulations he favors get on the books and make targeted advertising and data collection a federal crime.  Should we expect all these free Internet sites and services to just fall like manna from heaven?  Again, while the supposed harms from private data collection are largely conjectural, the harm to the Internet economy from heavy-handed, top-down privacy regulations would be all too real.  As we always say here, there is no free lunch.

Privacy Trade-offs: Why We Don’t Really Care about Our Privacy as Much as We Say (Sun, 01 Mar 2009 15:10:09 +0000)
https://techliberation.com/2009/03/01/privacy-trade-offs-why-we-dont-really-care-about-our-privacy-as-much-as-we-say/

I was reading this Sun Magazine interview with the always-interesting Nick Carr and I liked what he had to say here about the public’s inconsistent views on privacy:

If you ask people whether they’re concerned about the ability of the government or corporations to gather information about them online, they’ll say yes. But if you look at how they behave online, they don’t display much fear of exposing themselves. What that says about people — and it’s true for most of us — is that we will readily forgo our privacy in exchange for convenient and useful services, particularly if they’re free. That’s a trade-off you make all the time on the Internet. Even if people were more conscious of how this information might be exploited, I doubt most would change their behavior.

This reminds me of the classic “hamburgers for DNA” quip from security expert Bruce Schneier who once famously noted that:

If McDonalds in the United States would give away a free hamburger for a DNA sample they would be handing out free lunches around the clock. So people care about their privacy, but they don’t care to pay for it. In the United States we have frequent shopper cards, which will track down people’s purchases for a 5 cents discount on a can of tuna fish. I don’t think you can convince the public to care about it.

The key point here, as Berin Szoka and I noted in our recent paper on targeted online advertising, consumers vary widely in their attitudes towards the inherently nebulous concept of privacy. As our TLF colleague Jim Harper has demonstrated:

Privacy is a state of affairs or condition having to do with the amount of personal information about individuals that is known to others. People maintain privacy by controlling who receives information about them and on what terms. Privacy is the subjective condition that people experience when they have power to control information about themselves and when they exercise that power consistent with their interests and values. […] An important conclusion flows from the observation that privacy is a subjective condition: government regulation in the name of privacy is based only on politicians’ and bureaucrats’ guesses about what ‘privacy’ should look like.

In a nutshell, ask anyone if they care about their privacy and almost 100% of them will say, yes, absolutely. But then ask them about what they do both online and offline on a daily basis and most of them will reveal a very different set of preferences or values when it comes to what “protecting privacy” would mean in practice. That’s because privacy is, as Harper notes, a highly subjective condition, and that’s true even in a micro sense. We’re constantly making privacy trade-offs on the fly. Every time we enter a contest, sign up for a shopper discount card, enter absurd amounts of personal info on social networking sites, and so on, we are making privacy trade-offs. Sometimes we think them through carefully; other times we don’t. But most of the time people will trade away their supposed “privacy rights” for even the most trivial things: a Big Mac, 5 cents off a can of tuna fish, or whatever else.
