Book Review: Data and Goliath

I recently finished reading (well, listening to) Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. The author is Bruce Schneier. If you don't already know who he is, you can read more about him on his Wikipedia entry and his personal website. These are my thoughts about the book and some of the interesting points that I found.

Main Topics

The main topics of the book are data, privacy, and crime. He demonstrates through real stories how much data is actually being recorded and stored. In many cases, the data is stored forever. The data being stored is incredibly private and personal. The book is full of real anecdotes, news stories, and leaks. Hearing the large collection of stories about how our information is being used gives you perspective. The book covers some information about NSA mass surveillance but talks about many other stories as well.

Data, Privacy, and Crime

One thing that stood out was just how much information the social media networks keep and share. They track every person you search for, every profile you view, every image you view, every letter you type, every letter you backspace, where your mouse hovers on the page, and more. When you are physically in a store, they track your movements to see which sections you spend the most time in.

Would you want your browser history shared? This recently got media attention because of legislation being discussed that has privacy implications. The location data from our cell phones makes it possible for advertisers to serve us ads for nearby stores.

In a future where everyone is wearing Google Glass style headwear and using visual recognition systems, you would essentially have walking security cameras everywhere you go. To demonstrate what kind of technology already exists, check out this TED talk from 2007 about a tool called Microsoft Photosynth (the public version has since been shut down). Jump straight to 3 minutes and watch until about 5:20 to catch the best part.

It gives you pause when you realize they keep your search history forever. There is an entire data broker industry, which apparently pre-dates the internet. Some targeted advertising crosses the line in the eyes of many people. For example, a teenage girl was targeted as an expectant mother and started receiving coupons in the mail for baby items before she had told her parents.

Fake cell phone towers and Stingray phone trackers act like legitimate cell phone towers and persuade cell phones to connect through them, passing all of your data to whoever operates them.

When the owner of Lavabit was being forced by law enforcement to compromise the privacy of his users without telling them, he chose to shut down his company. He first tried to fight the order in court, but he lost. I recommend reading more about that case if you are not familiar with it.

One crime that is particularly terrible because of the victimization involved is sextortion. There are also stories like Robbins v. Lower Merion School District, in which school officials took photos of children through their laptop webcams while the children were in their bedrooms. There are also kids' toys with video or audio recording capabilities. Earlier this year, one toy maker, CloudPets, used an insecure MongoDB installation, and two million voice recordings of kids were stolen and ransomed back to the company.

Backdoors in products and services allow law enforcement to log in and view personal data stored by companies. In 2015, the NSA director defended plans to maintain backdoors in tech companies. Some backdoors are malicious and not part of government or law enforcement operations. InfoWorld describes "The 12 biggest, baddest, boldest software backdoors of all time."

He covers some of the basic things we can do to protect ourselves. That includes full disk encryption like Windows BitLocker or VeraCrypt, end-to-end encryption like off-the-record (OTR) plugins for chat applications, and PGP/GPG for email messages.

The book touches on the importance of occasionally talking about privacy and sharing posts socially so we keep the conversation going and keep people informed. It also mentions the importance of being politically active on issues regarding our privacy, because laws we enact now may stand for decades.

Overall it was a good book that was easy to read through. There was nothing groundbreaking in it, but I don't think that was the purpose. There were no particular golden nuggets of information; it was more a collection of stories to give you a big picture view of the state of privacy. Most of the book was a recounting of news stories from over the years. As someone who follows the security industry and news, I had already heard the majority of the stories, but it was a good refresher. It was interesting enough to keep my attention through the entire book. In the end, I would recommend reading it, especially if you are outside of the security industry, because it is very easy to digest for non-technical people.