Schneier: Steps to combat file-sharing are misguided

So-called 'three strikes' laws ignore due process and are technologically unfeasible to implement, according to security guru Bruce Schneier
Written by Tom Espiner, Contributor

Leading security expert Bruce Schneier was in London this week on a whirlwind lecture tour. ZDNet UK caught up with the ex-NSA man, who is now BT's chief security technology officer, at lectures in parliament and at University College London.

Schneier talked to ZDNet UK about his views on behavioural advertising, the efforts of various governments to tackle unlawful file-sharing, cyber-warfare and vendor lock-in.

Q: The UK government is currently trying to pass the Digital Economy Bill, which includes provisions to penalise unlawful file-sharing. Is this technically feasible?
A: The problem with a lot of these measures is that they only affect the average user. Professionals, hackers, clever people can get around them.

No, I don't think this is technically feasible. The ones they don't care about, the average user, are the ones they are going to stop, and the detection mechanisms are sloppy. There are so many examples of the industry getting it wrong.

If you look at the economics, file-sharing is good for music companies. They've got it wrong. Records were originally sold to promote live performances. When they realised people wanted to buy the records, they changed their business model. They are going to have to change it back. Or Steve Jobs will.

The bill does not require a court order to disconnect people from the internet. Is that reasonable?
I'm not a fan of vigilante justice, which in general is what these laws are. Similar laws are being developed in the US, in Germany, in France, in the UK, and the notion they are lacking is due process.

What is your view of copyright?
The costs of a movie are tens of millions of dollars, but then distribution costs nothing — a couple of pounds for a DVD, files are just about free.

That means the industry has to invent anti-capitalist cheats, like patents and copyright, that are effectively legally guaranteed monopolies in distributing the thing. These are all ways to try to recover fixed costs.

A lot of computing devices we buy have that strategy, combined with switching costs — the cost to switch from a product to a competitor. Sometimes those costs are high.

Are you thinking of any devices or software in particular?
The cost to switch from Internet Explorer to Firefox is high — you have to change your default browser, change bookmarks, and so on. I still use Opera, because switching costs are high.

You can get companies stuck in a product because switching costs are so high. They have a system with six years worth of data bound up in it. Throughout IT, companies try to keep up switching costs. With iTunes, you might have £500 worth of music, which you will lose if you switch.

It's the same with proprietary formats. Microsoft doesn't want other people using its formats, because that will keep the switching costs high. It makes the effort to use different document formats high.

How is the security industry changing?
IT is becoming part of the infrastructure — it's just there. IT is becoming a utility, something you just expect in a job, like a desk or a stapler.

A car comes with security features fitted in. You don't buy a car and they say to you, 'Oh, by the way, we really recommend you stop off at a third-party supplier and get some brakes'. I don't buy bottled water and expect it to kill me. Security will stop being a separate thing and become part of the thing.

There are numerous organisations using deep packet inspection at the moment, for reasons ranging from law enforcement to behavioural advertising. Do you think using deep packet inspection for behavioural advertising is necessary?
I don't like it, I think it's an invasion of privacy, but we live in a world where anything legal can be done. As long as they are allowed, companies will do it — because otherwise they would be crazy not to.

In the US, we have separate carriers and content. The carrier is not supposed to touch the content. In the US DPI is an extremely bad can of worms.

A lot of countries have come out in the past couple of years and said they are developing or have developed cyber-offensive capabilities, including the UK and the US. Is this necessary?
I think it's stupid not to do it, but a cyber first strike will never happen, because the collateral damage would be too great. Unintended consequences.

Do you think the internet itself, or internet provision for a particular country, could be brought down?
It's hard to say. The internet on the one hand is so resilient, and on the other hand so fragile. If you really wanted to take it down, you could. The DNS system is so fragile. My belief as to why it hasn't been done yet is because it would require a lot of specialist knowledge. There just aren't a lot of people who could hack the backbone.

There are only 14 critical nodes in the switching network, and we see outages caused by physical accidents like undersea cables being cut.

The weird thing is, we are talking about emerging properties. You don't know when a worm is released what the extent of the damage will be. There was a blackout in the north-east quadrant of the US when Blaster was released, that was probably caused by Blaster. We're dealing with emerging properties, in tightly coupled non-linear systems. The way to figure out what will happen is to try it.

Editorial standards