Thinking Differently about Internet Privacy and Anti-Terrorism

Bruce Schneier, author and security expert, spoke with EconTalk host Dr. Russ Roberts recently about power, the internet, and anti-terrorism strategies. These notes are from the transcript on the Econtalk website. In essence, Schneier asserts that most people aren't bothered by increases in surveillance and eavesdropping because they are too busy to understand the implications for their personal freedom. This is the same reason why most people do not bother to update their anti-virus software, or process the never ending stream of Windows security patches, or update their iOS applications. The rightly feel they have more important things to think about or they just are not aware of the action expected of them. Schneier is also critical of our anti-terror domestic security measures, arguing that acts of terrorism are too rare to justify the concern we currently attach to is (riding in a car is much more dangerous than airline travel). Authorities are always defending against the *last* threat with their limited resources and PC approaches so the security procedures at airports amount to more theater than real security. I try not to think about this when accidentally taking an iPhone through the metai detector earns me a full body frisk *and* a metal dector wanding. Yikes!

Econtalk is one of my favorite podcasts for the range of topics, interesting guests, and conversation moderated by Dr. Roberts. These notes are from the transcript on the Econtalk website. The entire session transcript is available here:

(http://www.econtalk.org/archives/2013/06/schneier_on_pow.html).

Schneier is very critical of how we have used our resources to fight terrorism. During the interview, he talked about what he thinks are two major mistakes. The first is that we exaggerate the threat. This is an effect of the psychology of terrorism - it's big, it's spectacular, and scary. The media repeats it endlessly. In our brains we think it's a much larger problem than it is. We don't think things like: well, every month a 9/11's worth of people die in car crashes in the United States because the deaths are not reported widely. We don't say that pigs (bad food) kill more people than terrorists every year. We believe terrorism a huge problem and needs an inordinate amount of security and spending to mitigate. The second error we commit is that we worry about the specifics of what happened rather than the generalities of what could happen (what the 9-11 Commission referred to as "failure of imagination"). We worry about terrorists taking over airplanes with box cutters even though pilots are armed and cockpit doors are armored. Now we're worried about finish lines of marathons even though there is no practical way to provide security at such events. It's almost magical thinking that we somehow have to secure the finish lines at marathons in this country. Think of the history of airline security threats. We take away guns and bombs, they use box cutters. We take away box cutters, they put a bomb in their shoes. We screen shoes, they use liquids. We take away liquids, they put a bomb in their underwear. We put in full body scanners, they are going to do something else. Do we really think we have closed all the security gaps? Again, this overly specific focus on the details of the plot rather than the broad generalities.

Most people aren't bothered by increases in surveillance and eavesdropping. Why? The basic reason is diffuse versus concentrated interests. When people go about their day, they have lots of things to worry about (drop something off at the Post Office, go grocery shopping, take chidren to little league). It's very hard to get riled up about one particular issue because we've got so much to do. Meanwhile, entrenched government and corporate interests all have their support networks (lobbyists or those interesting in aggregating their organization's power) that are dedicated to is making sure their interests are being pushed. This makes it extremely hard to deal with that imbalance. That is hard to array against the general populace that's just busy with a hundred other things. Most people don't even see it as a negative. It's not that they are not aware of it. Another factor is fear. When someone is actually afraid, they'll do pretty much anything not to be afraid any more. If they are told: terrorists, terrorists, terrorists, fear, fear, fear, we'll save you with scanners and cameras. They'll say, great, save me. Read my mail, put cameras in, make me stand in long security lines at airports, search grandmothers in wheelchairs. Just do it and make me feel safe because that message is being pushed--and it's a propaganda message--by government, by police, by the vendors of whatever technology is being sold. Schneier is told regularly on the radio by callers that he is overreacting, that the caller has nothing to hide so why should they care? His response is: What's your salary? What are the names and ages of your children? What is your street address? And they'll say, um, um, um, um; and he'll say: See? Something to hide isn't about illegal activity. It isn't about something you ashamed of. It's about how you present yourself to the world. It's not about secrecy versus non-secrecy. People will go to a doctor and take off their clothes, but it doesn't mean they will do that in any circumstance. The basic reasons for willingness to accept accretion of government power to combat terrorism are multiple: when people are scared, they're willing to not be scared; the privacy arguments are subtle and hard to understand, and the negatives from lack of privacy you only notice when you are missing them.

A particularly pernicious tendency in our society is the search for scapegoats after an attack. People have a deep human need to name a cause for their fear, to have someone to blame. After an attack, there are always signs that were "missed," as if someone were watching them flow past in the stream of all the other things they are monitoring. After the attack, there are recriminations. People complain, why didn't "someone" connect the dots? Schneier argues this question reflects a fundamental misunderstanding of the way intelligence works. Intelligence is, you have a million pieces of information; they are unnumbered; you don't know if any of them mean anything; and you are trying to pick a terrorist plot up out of it. It's a very different analysis than connecting the dots in a children's puzzle book. Hindsight bias causes people to over-estimate how obvious something was after the fact. Once you know the story, it's easy to pick out the pieces that make a good story. Before the fact it is extremely difficult. This is important: things that are perfectly reasonable to do at the time might seem irresponsible in hindsight. And that is a bias. "Connecting the dots" is a poor metaphor. What you are really doing is trying to find a needle in a haystack. That's the correct metaphor.
Schneier thinks it is better to accept some forms of terrorism risk just like people accept the risk of getting in a car rather than tolerating more and more infringement of our liberty to safeguard us from vanishingly small risks. It's really hard to find anything people do where driving to the event isn't the most dangerous part of the activity except possibly for sky diving. By far the drive to the airport is the most dangerous part of a plane ride. The drive to the marathon is the most dangerous part of the day. So we are able to accept some risks. We tend to accept risks that are normal parts of our life. For many years in our country we have recognized that the price of liberty is the possibility of crime. We deliberately restricted police power because we believe we have a better society because of it, even though the occasional criminal gets through. Those sorts of tradeoffs, those sorts of acceptances, become harder as people seek to live in a world where risk systematically gets removed, which endless tort litigation and sensational media coverage are pushing us towards. Where medical science, where product safety--where all of these things reduce risk, suddenly we look at our residual risk and we are aghast. What do you mean, we haven't fixed terrorism? We have warning signs on ladders, for heaven's sake. People seem to think, "What do you mean we can't fix terrorism? The government should just go fix it." That's a perfectly reasonable reaction in a society that has just gotten rid of risk after risk after risk. Here's another one risk; just get rid of it. Can't I take a medication to get rid of this risk like I do with all the other ones? People think we need technology to save us.
Because terrorism is so rare, it's really hard to critically accept the argument that we haven't had any terrorist attacks because all the countermeasures we have taken are effective and justified. This was an eye opener for me. If something happens frequently, we can notice the impact of a corrective action, whether it increases or reduces the crime rate, for example. If it's something like meteor strikes against the planet, which happen perhaps once every 800 - 1000 years--it's really hard to judge whether your countermeasure works because there aren't enough instances. Where we ought to spend money is investigation, intelligence, profiling (yes, profiling), and emergency response. Focusing on tactics and targets is overly specific, and money spent on that only makes sense if you guess the plot correctly. If you spend billions of dollars on the Transportation Safety Administration (TSA), and the terrorists respond at a marathon, you've wasted the money because you've guessed wrong or there are too many potential targets to protect them all.
You may disagree with any or all of these points. I certainly did before I listened to the podcast. Still, it is worth thinking about.