In his book, Data and Goliath, cryptographer Bruce Schneier argues that consumers must organize to break free of an increasingly powerful digital surveillance system built on collecting and controlling our data. He details just how pervasive this data collection process is, tapping into every internet-connected device and sweeping up almost every possible type of information. Furthermore, Schneier reveals how both governments and companies use our data to create ubiquitous surveillance or build comprehensive profiles on everyone for their own gain. To support his case, Schneier uses a wide range of sources including legal cases, the Edward Snowden files, think tank reports, academic journals, and his own original research.

Bruce Schneier approaches this topic with a wealth of knowledge from his previous work and experience. He is a fellow at Harvard’s Berkman Center for Internet and Society as well as the Chief of Security Architecture at Inrupt Inc., a company dedicated to creating a web that puts users in control of their own data. He is a well-respected cryptographer, computer security professional and privacy specialist. He was dubbed a “security guru” by The Economist, and he is a self-described ‘public interest technologist’. Additionally, he is a best-selling author of fourteen books related to security and technology, and is regularly quoted in various high-profile publications.

Data and Goliath is broken up into three parts: “The World We Are Creating,” “What’s At Stake,” and “What To Do About It.” The first details how our data is collected through any internet-connected device, then very efficiently sorted and analyzed via artificial intelligence tools. Schneier then describes how that data can be used to surveil people in very intrusive ways, whether through the National Security Agency’s (NSA) mass surveillance programs that monitor your every move or companies that manipulate your interactions online. Furthermore, private sector domination over our data has left users with little input on how their own data is used, to whom it is sold to or where it is stored. This leaves it to be sold to the highest bidder, be that an abusive government or a profit-motivated advertisement company. This first part of the book takes a deep look into how the NSA and other government intelligence agencies, both in the United States and abroad, are able to infiltrate private companies to extract data. The government’s reach means that they can access the data collected for whatever use they desire, Schneier argues.

From there, part two of the book, “What's At Stake,” points out all the potential abuses that we are vulnerable to with the current trajectory of data collection. Schneier sees threats to political liberty and justice, meaning governments could potentially squash political dissent and social change, put in place government censorship, or accuse users of crimes in the future based on redefining previously acceptable behavior for example, creating a post on Facebook that criticizes a political candidate or their rhetoric. Before a change in law or authoritarian leadership, this could be an acceptable form of free speech, but afterwards it earns you the label of enemy of the state, he asserts. Schneier argues there is massive potential for political manipulation on social media platforms, and that individual identification and anonymity are threatened due to the capacity to aggregate data about your every move online and profile you. Trying to create a new identity and separate yourself from this online profile is very difficult, he writes. Couple this with constant surveillance, and people’s freedom to do as they please is vastly diminished. Finally, he makes the case that our physical security is threatened by the collection and exploitation of online data. Schneier accuses the NSA of deliberately weakening the internet, for example by putting backdoors into popular hardware and software products, to facilitate its hacking and surveillance goals. But that NSA practice leaves users vulnerable to other bad actors who can do the same.

Finally, in the third section, “What to Do About It,” Schneier calls for a key shift regarding data and the internet and proposes starting with the following general principles: 1) pursue security and privacy, 2) prioritize security over surveillance, 3) insist on transparency from the government and private sector, and 4) strengthen oversight and accountability. He gives many solutions to government surveillance, including improving oversight of the IC and the NSA by Congress and the Privacy and Civil Liberties Oversight Board, increasing protection for whistleblowers, reverting to targeted surveillance with judicial approval for a warrant, and breaking up the NSA into smaller organizations. For corporations, Schneier suggests making private companies that protect or hide online activity (such as Crowdstrike) liable for privacy breaches, regulating data use and collection, giving people inviolable rights to their own data, and fighting government surveillance in the courts. He closes the book with a hopeful message as to what individuals can do, from simply noticing and talking about surveillance, to mitigating personal harms by altering personal privacy settings.           

Data and Goliath is a great example of an engaging and informative book that makes the reader aware of the severity of the online privacy situation while also giving practical solutions to facilitate change. Bruce Schneier’s ability to write in a way that is dense with facts and complex concepts yet easy to follow demonstrates both his mastery of the subject and his skill as an author. I found the breakdown of how invasive our current data climate particularly helpful, as it created a sense of urgency. Additionally, Schneier’s wealth of experience shows in his knowledge of the NSA and their capabilities in collecting information on Americans, as well as people throughout the world.

Nonetheless, it should be noted that with its 2015 copyright, Data and Goliath is now outdated in some ways, since technology has advanced so quickly in the past seven years. And, my main critique is that the book is very U.S. and American focused. It would have been useful to include some information on how other countries or individuals might protect themselves. For instance, many of the solutions Schneier proposes would be impossible to accomplish in authoritarian states, which now pose an increasingly urgent problem for privacy protection and human rights worldwide. Nonetheless overall, the book is a great resource for understanding the complex data environment, how it affects each of us, and what we can do about it.