Bruce Schneier is a smart and interesting guy. His sound thinking on computer security has influenced me a great deal, and it extrapolates well into related fields like national security. So I’m always interested to find writings of his with which I disagree. A recent essay in Wired, entitled “Our Data, Ourselves” is one. It calls for “a comprehensive data privacy law.”

This law should protect all information about us, and not be limited merely to financial or health information. It should limit others’ ability to buy and sell our information without our knowledge and consent. It should allow us to see information about us held by others, and correct any inaccuracies we find. It should prevent the government from going after our information without judicial oversight. It should enforce data deletion, and limit data collection, where necessary. And we need more than token penalties for deliberate violations.

If he really believes that these rules should govern the collection and use of data — “all information about us!” — what an administrative nightmare that would be to implement. The benefits of doing so would be quite small in comparison.


Some of these things are agreeable, such as judicial oversight of government data collection (the Fourth Amendment is that law) but even a solid libertarian like myself wouldn’t endorse judicial oversight of government officials looking up information about me on public Web sites, for example.


And should I have a right to review any email in which people discuss this blog post and its author? Incredible.


The flaw in this article (beyond its carelessness) is Bruce’s treatment of these information practices as all‐​new, and needing an all‐​new regulatory regime, just because decision‐​making is now undertaken using “data.”

Whoever controls our data can decide whether we can get a bank loan, on an airplane or into a country. Or what sort of discount we get from a merchant, or even how we’re treated by customer support.

But it’s always been true that decisions like these are made using “data” — perhaps not in digital form, but data/​information all the same. When has a decision ever been made not using “data”? We don’t need to throw out old rules about privacy, fairness, and so on just because information is digitized.


Many of Schneier’s premises are correct. The change from analog to digital data systems does cause a lot more tracks to form behind people as they traverse the economy and society. This creates lots of efficiency, convenience, wealth, and problems — threats to privacy, fair treatment, personal security, seclusion, and liberty. Let’s deal with them — each one — on their merits rather than trying to write a single law to overhaul the use of information in society.


Reversing the course of a river would be a tiny problem compared to what Schneier proposes.