Transcript
Transcript: Exploring AI and Democracy, with Bruce Schneier
[00:00:00 Taki Sarantakis and Bruce Schneier are shown sitting next to each other.]
Taki Sarantakis (President of Canada School of Public Service): Welcome to the Canada School of Public Service. As always, we have a treat for you yet again today. Today, we have one of the world's quirkiest, most interesting kind of cybersecurity people, but cybersecurity doesn't really do him justice. I'll use an old-fashioned word, he is a polymath. He is interested in a lot of different things and that's why he writes so many books, and we're going to have a conversation today based on your books and a few other statements you've done. And so, we'll get going. So, Bruce Schneiner, he is…
Bruce Schneier (Adjunct Professor at Munk School of Global Affairs & Public Policy): Schneier.
Taki Sarantakis: Schneier. I practiced for 10 minutes.
Bruce Schneier: We practiced.
Taki Sarantakis: I can't do names, which is ironic given my first name and my last name.
Bruce Schneier: I couldn't do your last name off the top of my head.
Taki Sarantakis: Exactly, exactly. So, he is late of Harvard, the Harvard Kennedy School. This year, he is a visiting Canadian. So, he is at the Munk School of Global Policy and Public Policy. I should know because I'm a fellow there, but I keep getting that name wrong.
Bruce Schneier: I think it's Public Policy and Global Affairs.
Taki Sarantakis: Yeah, he's at the place that Janice Stein runs, that's how I think of it, and we're going to have a conversation about a bunch of different things, including his latest book. So, we're going to start. Your first book that I read was Data and Goliath.
[00:01:36 The cover of the book 'Data and Goliath' by Bruce Schneier is shown.]
Tell us a little bit about that book and the ideas behind that book.
Bruce Schneier: It was probably the ninth or so book I've written. So, you came late. I wrote that book in 2014 and it was about data and privacy. So, I really wrote it in the wake of Edward Snowden. I read some of your secrets too, so good for you people, and I was actually one the people involved in reading those documents very early on. Snowden himself actually suggested to Glenn Greenwald that he fly me down to Brazil to read the NSA secrets, which is super weird. I assure you, someone hands you an entire pile of U.S. government secrets and says, here's some interesting stuff, that is very weird, and we wrote some stories. So, I'm writing this book about data and privacy and what the world is like, nothing new to me but certainly a lot of things new to the world, how much global surveillance the NSA in particular and Five Eyes in general was doing in the world and how bad that was. So, that was that book.
Taki Sarantakis: So, talk to us. Let's stick a little bit on that theme. So, one of the things I've heard you say, and I think you've written a couple of articles about it, is how kind of spying, snooping by the NSA and the other kind of Four Eyes, it makes us less safe. That seems to be very counterintuitive to people.
Bruce Schneier: It's less the spying and more the re-engineering of systems so they can be spied on. So, right now, U.K. is… this pops up pretty regularly in different countries. U.K. is now where it's happening, I think, the most. The government wants the ability basically to break systems so they can spy easier, right? So, it's like the government saying you can't have a good door lock, you got to have a crappy door lock in case we need to break into your house because we expect you of a crime. And when I say it that way, it is obvious why that's a stupid idea, because criminals can also break in and steal stuff.
[00:03:57 Bruce Schneier picks up a smartphone.]
Bruce Schneier: So, the fact that this object is secure, is valuable to us, and yes, in my country, the FBI has trouble breaking into it. So, they arrested a journalist last week, a Washington Post journalist. Her phone had the maximum… I forget what it's called, the maximum protection on the iPhone enabled, and the FBI cannot get into her phone, right? So, that would be bad if it was a drug dealer. It's actually really good because it's Trump's FBI and it's a journalist, and there are lots of countries where that would be a really good thing. So, this is very much a security versus security debate, right? There is security benefit in the police being able to unlock the phones of suspected criminals. There is security benefit in every single member of parliament and CEO and judge and nuclear power plant operator and police officer having their phone secure so that nobody can break into them.
Now, on the other hand, there are risks of doing it the other way. And as long as this device is in everybody's pocket, defence wins over offence to me. Yes, all right, your law enforcement, my law enforcement, all the good guys on the planet will have trouble breaking into phones, but all the good guys who have these phones, they're more secure. That's the debate and that is where I come down on it. If you are law enforcement, that is not what you think because law enforcement only thinks, I'm going after the criminals and everyone else should just keep their hands in public view, but that's not the right way to look at the equities.
Taki Sarantakis: Now, you talked about secrets and indirectly encryption and keeping things kind of private. By profession, I think you're a cryptographer. So, tell us a little bit about that before we kind of jump back into your books, because some of us think that a cryptographer is like Harrison Ford in Raiders of the Lost Ark, but it's not that, right?
Bruce Schneier: Either they'll mishear cartographer and talk about maps.
Taki Sarantakis: Right.
Bruce Schneier: Sometimes, they think it's kind of like horoscopes. Those are the two mistakes. And actually, I started out as a cryptographer but I haven't done math in a long time. And right now, I teach at the Munk School. I teach cryptography to students who deliberately did not take math as undergraduates, which is a different way of teaching the science. And really, my career has been a series of generalizations. So, my first books, which you have not read because they're math.
Taki Sarantakis: I haven't read.
Bruce Schneier: Because they were math. It is cryptography, but the math and computer science of encryption. And then, I write about general computer security, network security, general security technology, the economics of security, the psychology of security. You're getting on the public policy of privacy. After that, I'm writing about more public policy and safety and Internet of Things, and then about sort of hacking, taking the ideas of computer security into broader social systems, and then this about A.I. democracy. So, that's the arc and it's very much me always generalizing, trying to figure out where things fit in context. But yes, I started out in math.
Taki Sarantakis: All right. Now, the next book, which I did read and I loved, and I especially love the title.
Bruce Schneier: I'm good at titles.
Taki Sarantakis: Click Here to Kill Everyone.
[00:07:44 The cover of the book 'Click Here to Kill Everybody' by Bruce Schneier is shown.]
Bruce Schneier: That's a great title.
Taki Sarantakis: That's a great title.
Bruce Schneier: It is great. You see it at an airport and you're going to pick it up.
Taki Sarantakis: Yeah, what year? Because this is ahead of its time.
Bruce Schneier: So, probably 2015.
Taki Sarantakis: Yeah.
Bruce Schneier: Google knows these things, I don't.
Taki Sarantakis: Tell us a little bit about Click Here to Kill Everyone, which is ahead of its time.
Bruce Schneier: So, here, I am writing about what happens, and it is, because right now, this is the world we're talking about today, when computers can affect the world in a direct physical manner, and so really writing about when hacking or even your computer crashing doesn't mean you lose your spreadsheet data. It means your automatic defibrillator crashes and you lose your life, or your car crashes, right? So, what happens when these embedded systems… which are all just freaking computers. A car these days is a computer with four wheels and an engine. Don't think it's anything but. Your refrigerator is a computer that keeps things cold and your microwave oven is a computer that makes things hot. These are computers and they had all the same problems that I was talking about for decades. And now, they are on the internet because everyone knows your refrigerator needs to be on the internet.
Taki Sarantakis: And your microwave.
Bruce Schneier: And your microwave because they've got to talk to each other.
Taki Sarantakis: Yeah.
Bruce Schneier: I don't know what they're going to say, right? Your humidifier and dehumidifier need to sort it out. And so, these computers are now becoming more critical. So, we can talk about the power grid. We can talk about all of these things, and they are vulnerable, and these are the years when Russia, China, U.S., probably others are hacking each other's power grids and we are starting to see ransomware against these embedded systems. We did see refrigerators send spam for a while, that was super awkward, but all of these things are happening and that's really what I'm writing about there.
Taki Sarantakis: Now, for the sophisticates amongst us and I am not one of them, this is called the Internet of Things and this is kind of the stage that we're about to get into for real. We've had it, but there's only about 15 billion connected things right now.
Bruce Schneier: And it's going to go up in orders of magnitude.
Taki Sarantakis: Exactly.
Bruce Schneier: And you have to sort of understand the economics of this because if you asked why, why is your refrigerator on the internet, I can explain why your fridge is on the internet. So, 30 years ago, someone wants to build a refrigerator. They build some special refrigerator circuitry and some refrigerator control system, and that is the way a refrigerator is built. That's not what happens today. It is cheaper for the refrigerator manufacturer to pull a standard Raspberry Pi, a computer that's this big, off a shelf and write the refrigerator stuff.
[00:10:45 Bruce Schneier indicates a small size with his fingers.]
And this thing that they're using comes with a microphone port. It comes with a video out. It comes with an IP stack. It comes with internet. It comes with all of these things. So, the cost of putting it in is negligible because it's there already. It's more work not to do it. So, your vacuum cleaner, your appliances, all these things have these capabilities. Why does your Roomba have a microphone? Because the chip came with a microphone and that's what you got. Then, they stuck that in the whole Roomba casing. So, we are seeing all of these things that never had computers, never had connectivity, they have connectivity. The Raspberry Pi has Bluetooth connectivity in it. It's just a matter of turning it on. It's already there. There's no work. So, all of this stuff becomes internet-capable because it's just the economics of hardware versus software.
Taki Sarantakis: So, we're going to see, and it's not going to be too long from now because as you said, our vacuum cleaners, our refrigerators, our lightbulbs, our front door openers, our garage door openers, our pacemakers are all kind of connected in one way or another. Soon, we're going to see this chair will be internet-enabled, this table. So, people will be able to draw pretty good pictures of what's going on. If you are connected to somebody's vacuum cleaner that's automatic, you know the layout of their house. If you're connected to their thermostat, you kind of know when they're home, you kind of know when they're not home. So, these things are all incredibly, incredibly convenient. So, are we as a society making a little bit of a Faustian trade-off?
Bruce Schneier: It's hard to tell. Security is always a trade-off, right? I mean, it is useful to have these things and they are incredibly invasive. So, in some ways, we are giving up a lot of privacy.
[00:13:08 Bruce Schneier picks up a smartphone.]
But this fundamentally is the most effective security surveillance device ever invented. It knows where you are at all times. It knows who you're with. It knows where you work, where you sleep, because we can correlate that. Everyone has one. It knows who you sleep with, right? It knows your calendar, your contacts, your messages. It knows who you're talking to, what you're saying, right? It is a scarily impressive surveillance device and we all put it in our pocket every morning. Now, that is a trade-off. It's one we make. The problem is, and I come from the U.S. where there's zero privacy regulations, I do not have the same kind of privacy ministers you have in Canada, you have both national and provincial, but a few more regulations on collection and use might be nice.
Taki Sarantakis: We don't put them in our pocket in the morning. We sleep with them on our pillow.
Bruce Schneier: Because it now says how well you sleep.
Taki Sarantakis: Exactly.
Bruce Schneier: Measuring vibration of your bed.
Taki Sarantakis: It tells you your heartbeat.
Bruce Schneier: It tells you a lot more about who you sleep with then.
Taki Sarantakis: Exactly. The latest that I've heard, actually, is when you go to book a trip and you've given certain things access to your calendar, it actually can tell that you've blocked off vacation time two months from now and it starts giving you different pricing based on how much it knows about you.
Bruce Schneier: Yeah, it's always hard to know how much of that is real and how much of that is a folk tale. Regularly, you'll hear the rumour that Facebook turns on the microphone. Usually, we can tell they never do. And yes, occasionally, things you talk about, you see ads for, but often, you forgot you searched it. There's a lot of interesting projection going on, on the device. But yeah, I mean, the whole goal of surveillance-based advertising is to know exactly what you want at the moment and it's really interesting. My suspicion is this will be an illegal business model in 20, 30 years and the companies are going to be sad, and too bad, and I think about we used to send five-year-olds up chimneys to clean them. And at some point, we said that is an illegal business model. Yes, we're sorry that your business is going to suffer, too freaking bad. We're just not going to do that anymore.
Taki Sarantakis: Yeah.
Bruce Schneier: And my guess is surveillance advertising falls under that. It really feels fundamentally, at a deep level, unethical and that we're allowing it. It's sort of this mistake we've made in these early years of the internet when we were afraid to regulate. But spying on everything you do and manipulating you as effectively as possible, why do we want companies to do this? I forget.
Taki Sarantakis: Yeah. So, that speaks to the notion that the real currency right now is attention. Talk to us a little bit about that.
Bruce Schneier: It is a currency. The real currency is money. I mean, let us not pretend that money is not the real currency.
Taki Sarantakis: It's a currency that gets us together.
Bruce Schneier: It is certainly a currency and it is a limited resource, and I think we as humans in the early decades of the century are being really sloppy about attention, and some of it is these technologies are designed to be addictive. I mean, I read a statistic two weeks ago that half of U.S. males regularly bet on sports now, right? And that is a major societal change. I mean, I think about it as intention but it's major in a lot of ways, and we just let that happen. That's really interesting. I don't know, how's Canada on apps and sports?
Taki Sarantakis: We're not great. You can't watch a hockey game without… basically, all the ads are getting in the way.
Bruce Schneier: So, I'm not a sports ball person but I was told that there were more betting ads than beer ads on the Super Bowl.
Taki Sarantakis: Yeah, and when you and I didn't have grey hair, people would kind of bet on the outcome of the game. Now, people bet on the coin flip, whether the next play will be a pass or a run.
Bruce Schneier: And so, this falls into U.S. loopholes because they're not considered gambling in the same way because there's information. So, the argument is it's more like the stock market, which is actually also gambling but let's not talk about that, and these are proposition bets and the benefit of them is the odds are determined after the fact. So, it doesn't matter what you're betting on. The people betting either side there… and then the sportsbook just takes a rake, right? So, anything can be bet on.
So, going back to attention, this is something that we are giving away and we're letting ourselves be manipulated by companies basically who hire hundreds of people to figure out the best way to manipulate you. This is not a fair fight, and the way to make this a fair fight is through government regulation. That is, in a sense, our champion in this fight. And in the U.S., that just isn't happening at all. EU, I consider them the regulatory superpower on the planet, and they are trying. We had GDPR in the nineties. Since then, the Digital Markets Act, the Digital Services Act, the EU A.I. Act. We can talk about these laws and there's pluses and minuses, I teach some of them in my class, but at least they're freaking trying in a way no other country really is, and they are a big enough market that it matters.
We all have more privacy because of GDPR, even though we are not European. If the EU blocks a merger that the U.S. regulators don't, the merger doesn't go through. The Digital Markets Act is opening up Apple and Google stores to competitors. We're all benefiting from these EU actions and that's kind of neat. It's an interesting thing about software. So, right now, the car I buy in the U.S. is not the same car I could buy in Mexico, right? Because the auto manufacturers will tune the engine to local regulations, but the Facebook you get in the U.S. is the same Facebook you get in Mexico because software really is, write once, sell everywhere. In the U.S., California is the big regulator and they passed an Internet of Things security law some years ago. One of the provisions is no default passwords, super basic, can't have a default password.
Taki Sarantakis: So, what's a default password?
Bruce Schneier: Like Password1, a common password.
Taki Sarantakis: Password123 or Password.
Bruce Schneier: Right, to everything, but no thermostat manufacturer is going to make two versions of their box, one for California, one for everybody else. So, everything you buy in Canada is compliant to this Canadian regulation. And so, a good regulation in a big enough market moves the planet, and that's kind of neat.
Taki Sarantakis: Very cool. Now, regulation. Your President, I think, in the mid-nineties, Bill Clinton, said that you can no more regulate the internet than you can nail spaghetti to the wall.
Bruce Schneier: And yet China.
Taki Sarantakis: How big of a mistake was that?
Bruce Schneier: That was a huge mistake. So, these are the early years when the companies are generating so much freaking money that no one wants to touch this. No one wants. It's like right now in A.I. If we do anything, this bubble will burst and it'll all be really bad, so let's just stay away and let them do whatever shenanigans they can to keep the stock market propped up. I think they made a big mistake. Now, we didn't know, and regulating is hard. I think of this in drones. I remember it in drones. It's too early to regulate because the market's too new, suddenly everyone gets one for Christmas, and then it's too late to regulate drones, they're everywhere, and the time to regulate drones was like 4 a.m. on Christmas Day on this particular year and that was it, and we just didn't do it then, so now, it's too late. In those early years, I'm on the internet, it's being used for nothing important ever. We're talking about Star Trek. That's what the internet is for. And in these early years, we kind of don't know what regulation is needed. And then, at least in the U.S., profits, lobbyists' money, and now it's impossible, and this is a U.S. root problem of money in politics, which is a root problem of a lot of things. I think they made a huge mistake, and we're making it again with A.I.
Taki Sarantakis: So, we're going to get to A.I.
Bruce Schneier: All right, sorry.
Taki Sarantakis: So, let's go back to another big, big landmark moment where I think, in retrospect, we got it really wrong. I forget if it was a ruling or legislation that said something like, the owners of a platform are not responsible for what goes on their platform.
Bruce Schneier: And I don't think we got it wrong. I mean, could not have comments on my blog without this. Basically, it means YouTube is not responsible for when videos get posted. If something happens, they'll take something down they have to. Look up the number of hours per second of videos posted on YouTube. It's some insane number, number of comments on Facebook, the number of videos on TikTok. The number of things that get posted globally are so huge, there is no way to prior police. That is just not possible. And without that indemnification, if I run a blog and I have a comment section and someone is posting a comment right now, it's not my fault because this isn't my fault. When I get off and someone sends me an e-mail saying, hey, this awful thing is on, I'd go on, I'd delete it within an hour. I'm just doing my best here, right? That's okay. This has gotten expanded in ways that didn't make sense from actual publishing, and companies like Tinder use this as a shield when really bad things happen there, but it's really hard to craft this rule better. Big companies, I think, should have more responsibility, especially when you get to these large tech monopolies, but these rules really protect non-power, and this is a problem.
We have a problem with restrictions in general. We write these restrictions thinking they will protect the powerless. They end up being co-opted by the powerful, right? So, going back to GDPR, there's a right to be forgotten, controversial, but basically, what the law says is, your resume, all of you, are the 10 ten hits on Google. And sometimes, there's a news article on something you did 15 years ago that's now the top hit on Google and it is forever dogging you, and you should be able to go to Google and say, hey, you should downgrade this, take this down. You can't go to the newspaper but you can go to Google. I mean, that sounds like a good idea. It is right now being used mostly by the rich and powerful to suppress legitimate stories about themselves, and this always freaking happens. I mean, this is the ACLU, back to the U.S., their main point, you restrict speech in ways that you think are a good idea and then they turn against you. All the restrictions we have are now being used by President Trump in ways we did not want and did not expect and did not plan for, and that's the problem always.
Taki Sarantakis: So, that was kind of Click Here to Kill Everyone. Let's go to the next one, and don't let the title turn you off because it's a lot more than computers. So, A Hacker's Mind.
[00:26:29 The cover of the book 'A Hacker's Mind' by Bruce Schneier is shown.]
Bruce Schneier: It's a good title.
Taki Sarantakis: It's a good title but people might start thinking…
Bruce Schneier: So, I'll give you, if anyone wants to write books, this is my waterfall theory of titles. The title just gets you to stop and read the subtitle, and the subtitle was how the rich and powerful subvert society systems and what we can do to fight back, I forgot the title, right? The title gets you to the subtitle.
[00:26:57 Bruce Schneier picks up his book 'Rewiring Democracy' and opens it to the flap copy.]
The subtitle gets you to open the book and read these 200 words, and that's what sells the book.
Taki Sarantakis: So, it's like the loss leader.
Bruce Schneier: Yeah, right. All I want the title to do is get you to stop and pick it up, or if you're on Amazon or somewhere, to stop and read further. The title gets you to read the subtitle, that gets you read the blurb, and that sells the book.
Taki Sarantakis: That's attention. You're grabbing people's attention.
Bruce Schneier: Totally, that's the way to do it. All right.
Taki Sarantakis: What's a hacker?
Bruce Schneier: So, I think this is a really important book, and I think it's important even today.
Taki Sarantakis: Can I just pause? It's really important for people in public policy. It's incredibly important.
Bruce Schneier: So, hackers are generally considered to subvert computer systems. The tax code is not computer code but it's a series of algorithms. It's inputs and outputs. It has logic and it has vulnerabilities. We call them loopholes. It has exploits, we call them tax avoidance strategies. It has black hat hackers, we call them accountants. So, what I'm doing in this book is I'm making the point that any system of rules, the tax code, regulations, can be hacked. The filibuster is a hack invented in Ancient Rome, 50 A.D. I think his name is Pliny the Elder. And basically, he's in Senate and he looks around and he says, the rules say that all business must be conducted by sundown. Now, if I never stop talking, we'll never get anything done, and he's now just hacked that rule. The United States, gerrymandering, totally a hack. All of these inadvertent ways to follow the letter of the law subvert the spirit for your own advantage. These are hacks. What we're talking about in the book is all of these hacks of economic, political, and social systems, and I have great stories. I have a story from India of someone was running for office and the opposition finds 10 people with the exact same name and gets them to run against this person.
(Laughter)
And that doesn't break the rules, but you all laughed, right? Because that breaks all the rules, just like finding a tax loophole, just like realizing that if you read the text of this law, if I do this, this, and this, and I register my ship in Panama and I have a tax haven in this country, I'm now evading all sorts of taxes, the Double Dutch Irish Sandwich, which is how Google and Apple and companies avoided U.S. law, and it involved a company in Netherlands, a company in Ireland, and an offshore tax haven in the Caribbean. All the laws working together means you avoid billions in U.S. taxes. So, that is what this book is about, and I think it's really important because we have to understand this. We need to start stress-testing our rule systems because I assure you that there are lawyers and accountants who will do that. I mean, there are people in the basement of Goldman Sachs right now who are studying every sentence of all of your laws. And then, I make a point in the book, which I might get to later, that A.I. is going to do this.
Taki Sarantakis: Yeah.
Bruce Schneier: And then, it gets really bad.
Taki Sarantakis: So, there are people in this room that have drafted legislation. There are people in this room that write rules for programs. There are people in this room that recommend policies to ministers. One of the things that's really, really important is you kind of think about, how would a bad actor take this and turn it around. I think one of the things that we haven't been as good at, maybe it's because we're Canadians, we don't put ourselves in the position of a bad actor when we're writing things. And the latest one that I think everybody remembers, if you look at CERB, which is an acronym you don't know but everybody in this room knows, we wrote a certain set of rules to quickly get money to people during the pandemic and it was for people that kind of desperately needed the money, but the rules were such that a lot of people hacked the rules. They didn't necessarily do something illegal, which is your point in hacking, the actual rules themselves create the bad thing.
And that's a funny notion for bureaucrats to think about because we think rule equals automatic good, but rule could be something that gets weaponized against you, and I see some colleagues from Treasury Board and I see some colleagues that used to be at Treasury Board, and Treasury Board writes a gazillion rules and a lot of those rules are now kind of weaponized in ways that I think the authors of those rules would be shocked that years ago, they wrote a policy on this and a policy on that. And now, people in 2026 are like, look what it says, I can… so, that's a big, big takeaway for people in this room.
Bruce Schneier: I give a lot of examples from sports. Sports is full of hacking because winning is so important, and there are stories of Formula One racing. Someone in the seventies shows up on the track with a six-wheeled car, and everyone says you can't have a six-wheeled car. He pulls out the rulebook and says it doesn't say, and it didn't, right? The rules were silent on the number of wheels a car could have because who would have considered that a car could have six wheels? They fixed that, right? And so, they patched, and now, if you read the Formula One rulebook, a car could have no more than, or no less than, don't getting any ideas, four wheels, right? But basketball, baseball, soccer, all of these games, if you look at their history, there would be rules added as people figured out things that the rules didn't prohibit but didn't work in the game, gave someone what was perceived as an unfair advantage. Some of them are allowed. Sometimes, the game does change because someone figures out… I forget his name. He's a swimmer in the backstroke in the Olympics, and he basically did most of the pool underwater, like he's not stroking but he's on his back, and the rules allowed that. They fixed that because that was felt to be not what we want in a backstroke. Sports is full of fun examples of this.
Taki Sarantakis: The rules in baseball change every hundred years like clockwork, every 70 years like clockwork, every 60 years, and it's analogous to our rules. We don't write legislation every single day. We don't tweak the same piece of legislation 20 times a day. In fact, we might not even touch a piece of legislation for 20 years.
Bruce Schneier: But I don't think this works.
Taki Sarantakis: That's the point though.
Bruce Schneier: For your computers, your Windows machine, first, second Tuesday, every month, you get like 80 patches, right? So, there have been problems found in the set of rules on your computer, and every month, you get patches. It would be great if we could figure out how to do that with legislation, right? And I don't know how but in the U.S., let's say a loophole is found and suddenly people start using it and now there's a lobbying interest that likes it, and now, it's two years later and there's a lot of money in don't ever fix this. The carried interest loophole which was designed for shipping, transoceanic shipping, is being used by venture capitalists to evade taxes. There's an incredible amount of money in never fixing that loophole. So, being able to be agile means you can fix it before interests glom onto it. It feels really important. I don't know how to do it. I mean, the processes of legislation in a democracy are way different than the processes of writing software in Microsoft or Apple or elsewhere. I'm going to give you my baseball hack. I don't know, that might be too much baseball for Canadians.
Taki Sarantakis: We were in the World Series.
Bruce Schneier: It was super fun to be in a city that was in the World Series and wasn't used to it. That was super fun. The infield fly rule.
Taki Sarantakis: Yeah, he lived in Boston.
Bruce Schneier: My guess is somewhere in the 1920s, there's the flyball going up high, the second baseman who looks up and says, if I just let this drop, it's going to be better.
Taki Sarantakis: It's going to be a triple play.
Bruce Schneier: Right. And then, he does it and everyone says, what? And they fix it. That is my guess of what happened.
Taki Sarantakis: Yeah, but it's even more important for us to kind of anticipate, to do red-hating, to go, what would somebody do with this? Because the bad actors are going to do this every day until they find something. They're going to poke. They're going to hit.
Bruce Schneier: And even worse, you're going to have legislators that have been given language, in the U.S., by lobbyists that have a surreptitious loophole in there and the legislators might not even know this. So, in the U.S., a lot of legislation is written by lobbyists. The legislators just don't get the staff to do the work, and it's really considered a subsidy on government. It's all going to have agendas. So, I worry about loopholes being deliberately added. So, in addition to red-teaming, for accidents, you've got to worry about deliberately inserting loopholes. So, it's like someone from another country is working for a software company, slipping in loopholes.
Taki Sarantakis: Now, I want to congratulate myself.
Bruce Schneier: Someone has to.
Taki Sarantakis: We've gone over 40 minutes without my mentioning A.I. I'm going to mostly congratulate you because you only mentioned A.I. once. Now, let's go into A.I. Talk about your current book, which we will give some of you as a souvenir.
Bruce Schneier: So, it is about security but it's not about security. So, with a co-author, Nathan Sanders, a data scientist who I met at Harvard, he works for the Harvard Data Science Review now, we're writing about A.I. and democracy and we're writing about this very broadly. This is not a book about deepfakes. This is not a book about misinformation. This is a book about all the ways that A.I. will change our democracy. There are five parts. The first part is politics, all of the interesting things that are happening in politics using A.I., including authorized avatars and unauthorized avatars. A.I. is involved in polling, A.I. is involved in get-out-the-vote door-knocking, all of the things going on in politics, messaging. The second part is A.I. and legislation. A.I. is being used to help write and pass law, and that is happening. France has built an A.I. model that is designed and optimized on French law for French legislators. Part three is government administration, all the ways A.I. is working in bureaucracy, and there's a Canadian document about a few hundred pilots going on, sort of that piece, and it's things like benefits administration, A.I. in the patent office, A.I. writing regulations, drafting, testing, all the things. Part four is the courts, both judges, the courts, and attorneys using A.I., and the fifth part is citizenship. So, it's A.I. that's being used for organizing, for watchdogging, for consensus building, and we have examples from all over the world. I like that. The U.S. is not a great place for examples right now, but I have examples from Brazil and Chile and Japan and Taiwan, Germany, I mentioned one from France, Scotland, Canada, the U.S., sort of all over, I mean, really neat things being done.
Taki Sarantakis: Now, we're moving into an era. We're not quite there yet but I think at the rate at which things are going, we will get there sooner rather than later. We're moving into an era that some people call algorithmic government and algorithmic democracy. Talk to us a little bit about kind of what you see as good and kind of not so good.
Bruce Schneier: So, this is hard because there's a really interesting grace. Let's talk about one aspect of it, voting. So, this is the way I vote. I'm not going to lie, in the United States, voting is super complicated. When there's a local election, the night before, I go online, I find a voting guide, I read it, I figure out who to vote for, and I vote. That is as much attention as I pay to city and local and school board and local judgeships. We could vote on 50 things in an election, and California is even worse, right? So, that's what I do today. You can imagine the future. So, Germany has this. Germany has a very complicated set of political parties and the government publishes a voting guide. This year or last year, they experimented with a chatbot version of it, you can go online to this government website and a chatbot will talk to you and you can tell the chatbot what issues are important to you and what you think, and the chatbot will say, I think this party is the one that represents you the best. Kids love it. So, we can imagine that I will go online and talk to a chatbot, and the chatbot will listen to you, and here's who I think you should vote for these city offices.
Go one step further, I have an A.I. assistant who I've had for a couple years. The night before, the A.I. says, I've been watching you for the past couple of years, here's who you should vote for, right? I know you, here's your list. Is it much different than what I'm doing? Not much. Another step is, I know who you should vote for and I'm going to vote for you. Why not? Voting is automatic, we're in a future where this is possible, all right, not the same. The next step is, I'm everybody's personal assistant so I'm just going to vote for everybody, right? I know what the entire city is going to vote for, I'm just going to run the election for you people, you can stay home and relax. And then, the next step is, well, this whole election thing is kind of dumb, I just know what policies you all want so I'm going to just implement the policies.
[00:43:11 Bruce Schneier holds up his right hand, then his left hand far apart from each other.]
So, from here to here, the steps are all reasonable.
[00:43:16 Bruce Schneier shakes his left hand.]
But this is like, my God, what's going on here? So, that's the trajectory. To me, the way to think about it.
[00:43:30 Bruce Schneier shakes his right hand, then shakes his left hand.]
To understand why this is okay and this is horrific, is that elections serve multiple purposes. One is to get the right answer, what should the policy be? The second is to give the answer legitimacy, and the process does that, and the third is to engage people in the process.
[00:43:59 Bruce Schneier holds up his right hand, then his left hand far apart from each other.]
And as we move from here to here, legitimacy decreases and the amount of engagement really decreases, and this is going to be hard, right? So, I think we as a society would have to have to resist some of these steps that are perfectly reasonable because of where they're heading, right? The point of a democracy is not to figure out what the policy should be, or let's say our personal preferences are not lying on the ground waiting to be discovered, right? They are created through the process of engaging in politics. I mean, what's lost in the United States is civics. We just don't have the engagement in politics that makes people good citizens anymore. So, we have politics of sports. So, we need to make sure we keep that even as the lure of automation makes things better. Now, sometimes, I don't care. I mean, right now, A.I. is better than humans at reading chest X-rays. I'm totally in. If it's better, I want the best chest diagnosis. I don't care who does it. But even if, and I'm told that, A.I. is better at figuring out which country you should go to war with, it's like, well, wait a second, I'm not sure that's better.
Taki Sarantakis: But it's not Canada, right?
Bruce Schneier: Not yet. I mean, back when it was funny, the joke was always that you're all amassing at the border.
Taki Sarantakis: Yeah.
Bruce Schneier: But now, that's just not funny anymore.
Taki Sarantakis: Well, I take comfort from the fact that you're now on the other side of the 49th, so you have intelligence. Talk to us about what gives you hope right now as we sit here in 2026, and talk to us a little bit about kind of the opposite of hope, which I think might be despair.
Bruce Schneier: And hope is in short supply for 2026. I tend to be short-term pessimistic, long-term optimistic. I mean, humanity does figure stuff out. I mean, it might take us a world war but we do figure things out and I just don't think this is going to be the end of society. I mean, the worries are, I mean, historically, fascism never gets defeated at the ballot box ever, once a totalitarian government gets in power, they are never removed peacefully. I don't know where we are in the U.S. in that yet. Sort of normal on the tech side, I worry about the amplitude of bad things, right? So, we as a society figure stuff out but kind of the damage people could do before we figure it out is limited, and with technological empowerment, it's greater, right? A single bad person with a bioprinter can do way more damage than a single bad person without a bioprinter, and I worry about the amplitude of the outliers. That's another book you didn't talk about, Liars and Outliers.
[00:47:12 The cover of the book 'Liars & Outliers by Bruce Schneier is shown.]
Taki Sarantakis: I didn't read that one.
Bruce Schneier: It's another good title. It's on sociology and security, and I'm thinking about, security, our job is to deal with kind of the dishonest minority, the defectors, the few who break the rules, and it only works because most people follow the rules. If most people break the rules, the rules no longer work, right? The system collapses. So, the only reason a law against murder is worthwhile is because almost nobody murders anybody ever, right? If the murder rate were 20%, the law is irrelevant. So, what do we do with a society where those few defectors can ruin it for everybody? Going back to the tax code, there are people finding loopholes. If everybody finds loopholes, there's no tax code. I mean, the system collapses, and I worry, in a technologically-infused future, the systems are more brittle. So, that is a worry. Now, my optimism comes from the fact that I think humanity figures it out, that I think we are basically good people who are trying to make things work. Pessimism comes from the empowerment of those who aren't.
Taki Sarantakis: Mark, you get our first question.
Question: Thanks, Taki. I'm very curious, someone who thinks about the hacking of laws and policies and those things, have you given any thought to the equivalent to the three laws for A.I.? Is there some fundamental things that you think should be built into all A.I. technology?
Bruce Schneier: So, Asimov's Three Laws, I don't know if you read the books, I read them as a kid, the books are all about how those three laws were insufficient. I mean, the books all talked about popular belief was those laws were good but there are so many places where those laws don't work. So, the problem is, fundamentally, and this is my previous book, this is A Hacker's Mind, that any system of rules is insufficient, kind of like Gödel's theorem, more general. In human speech and thought, goals and desires are always underspecified. So, if I ask you to bring me some coffee, you would probably go over there, get me a cup, or maybe you're going to go to Tim Hortons and buy me a cup. You would not bring me a pound of raw beans. You would not buy me a coffee plantation. You would not rip a cup out of his hands and give it to me. I wouldn't have to specify any of that. You would just know. So, with anything, any goals, there's a whole lot that is unwritten. And more to the point, I cannot specify all of those things because if I give you a list, there'll be something else that wasn't on the list, and this is kind of rules hacking. So, sort of by definition, any set of rules I give an A.I. will be insufficient.
So, I keep a lovely collection of A.I. doing this naturally. So, a lot of it happens in virtual worlds because that's where we have close sets of rules. So, there was an A.I. playing a video game that involved a boat going and getting points, and the A.I. figured out if the boat spun around really fast, it would get a lot of points. There was a stacking game where you'd stack blocks, and the A.I. figured out if it flipped the block, it got the points without stacking them. My favourite, sort of this evolutionary simulation where the goal is to cross a distant finish line really fast, and instead of growing more muscles and longer legs, it got really taller and then fell over, and this is the A.I. thinking out of the box because it doesn't have any conception of the box. So, if you give an A.I., and I will guarantee this is happening in the basements of investment bankers, the entire tax code, and say, find me the loopholes, it's going to do that. So, right now, there's a lot of research in A.I. finding vulnerabilities in software. It's okay at it, not great. It's getting way better, (inaudible) fast. It's going to do that in the tax code. It's going to do that in regulations. Here's the entire U.S. code of law, tell me how to make money, and it'll figure out a way. Who's your person who grows one tree a year and now claims some deduction, right? So, it'll find those and it'll find complex ones that are probably more complex than humans. They'll be technically legal.
Taki Sarantakis: Sir.
Question: The opening note in the book was written in April of '25. So, thinking almost one year later, do you have more conviction with any of the assumptions or the beliefs that you may have started off with in writing the book?
Bruce Schneier: I assure you writing a book like this is always terrifying because of that delay. Forever in the book, while writing it, we were replacing "this will happen" with "this did happen" and an example. So, nothing in the book, I think, is obsolete. I think our predictions are the same. There are some cool examples that aren't in the book. And so, that is what's different, because there are just things happening all over the world. So, 2024, Takahiro Anno is his name, he's running for Mayor of Tokyo. He's this 30-year-old software engineer. He's a kid, he's not a politician, and he comes in fifth out of 50 because he has an authorized deepfake avatar answering questions on YouTube, like a 17-day marathon. It's a cool story, it's a great use of an A.I. avatar that's authorized, and it would be a footnote. But last October, he wins a seat in Japan's Upper House and he has a new political party called Team Mirai which picked up seats last week. In Japan, if you're a political party, you get money from the government. He's building software tools to engage with constituents and to have their comments automatically fed into a party platform, into legislation. That wasn't in the book and that's freaking awesome.
Taki Sarantakis: Lucy?
Question: So, thank you very much, Taki and Professor Schneier, I'm now afraid of my vacuum, my microwave, and my dishwasher.
Bruce Schneier: It's only when they start talking to each other.
Question: Right. Just a question about your hope for humanity in your last sentence.
Bruce Schneier: Uh oh.
Question: We talk a lot in the public service, my name is Lucy, I work in the Treasury Board of Canada Secretariat, we put a lot of emphasis on the code of values and ethics so that we have public servants that know how to act in the right way, follow a rules-based kind of society. In your research and your books, what would you have to say about the importance of values and ethics just writ large in all societies around the world?
Bruce Schneier: I think we need to fall back on them more because I think we're learning that the rules are subvertible, and this is kind of the Confucian way of government. You have fewer rules but try to build a smart, educated class of decisionmakers who can apply global values to individual situations, so fewer rules and more emphasis on judgement. That feels like something we need more of now. I think we've gone too far in the formal rules, and that's what there is. To the extent of the United States, you have textualists who basically their belief is the letters of the law are all that matters and nothing else, but I think we do need more, especially in a fast-changing world. So, yes, I like softer things that can be applied generally. So, example, Peter Thiel.
Taki Sarantakis: One of our overlords.
Bruce Schneier: One of the supervillains in the United States, was able to use something called a Roth IRA, which was designed to be a middle-class retirement vehicle, to save billions in taxes, with a B, right? The law was not intended for that, but as written, he was able to do that. I would love a judge to say, sorry, Mr. Thiel, I get it but you got to give back that money, right? But you need a legal system that allows for that kind of interpretation and we don't have one.
Taki Sarantakis: We do have that in Canada. Does anybody know what that is?
Bruce Schneier: This is now like a class. Excellent.
Unidentified Speaker: (inaudible)
Taki Sarantakis: Well, that was kind of the analog of what he used, but we have something called GAAR, kind of like general anti-avoidance, which is like you followed the rules to the letter, to the letter, you have not broken the law, but the only reason why you're doing this is to avoid taxes, there's no underlying business rationale, there's no underlying thing. And so, that's kind of an example.
Bruce Schneier: That is, right. So, that's general principle-based.
Taki Sarantakis: Yeah.
Bruce Schneier: Interesting.
Taki Sarantakis: Yeah.
Bruce Schneier: I like that.
Taki Sarantakis: So, this is our last question. I was hoping you would ask a question, because we have another security expert in the room. So, introduce yourself, tell us your security expertise, and then ask your question.
Bruce Schneier: And he means (inaudible) summarize it.
Taki Sarantakis: (laughs)
Question: Thank you very much. I'm Gitanjali Adlakha-Hutcheon. I'm from Defence, straddling the world between defence and security and working towards, how are we going to hack the future for the School? So, thank you, Taki, for bringing me in. My big question is, so, if we can hack every rule, how are we hacking the future, given that somebody is writing the code for that level of automation? So, bringing in the School perspective, the education perspective, how are we building the guys and gals who will code the future, right? The children, and it's going faster and faster. So, building on your example of fewer rules, more judgement, more emphasis on values, if the young man in Tokyo can now be in the Upper House, and even a younger girl will be writing the code, right? So, what are we hacking next?
Bruce Schneier: What I like about what's going on is agility is now prized. I mean, things are moving so fast. If you are a kid these days, you learn how to keep up. You learn how to be agile, and that's going to be, I think, an important skill, and there's going to be huge generation gap. I mean, you see it. I mean, I don't know about your legislator but ours is like super old, and that's bad, that we just need people who understand tech and the speed of tech, and I don't know how we get that. Do you have term limits?
Taki Sarantakis: We have age limits for certain things, for elected Supreme Court judges.
Bruce Schneier: (inaudible)
Taki Sarantakis: No.
Bruce Schneier: Yeah, and this is sort of a natural hack. The United States' Supreme Court was lifetime and that worked great when life expectancy was 50 something or 60 something.
Taki Sarantakis: Right.
Bruce Schneier: It's failing when it's 80, 90.
Taki Sarantakis: Yeah.
Bruce Schneier: Right, so the same rule because of developments in medicine over here, now this rule is no longer fit for purpose.
Taki Sarantakis: Yeah.
Bruce Schneier: So, you see some of those interactions.
Taki Sarantakis: Yeah.
Bruce Schneier: We need to figure out how to be more agile.
Taki Sarantakis: Also, in our upper house, we have an age limit, again, of 75. I want you to close this off with some words of wisdom, specifically for people that work in government, like the people here all work for government. The people online, most of them will work in government. What do we need to know or feel or kind of work towards that you think we're not doing as well as maybe we're doing now?
Bruce Schneier: So, I'm going to close with the five things, four, that I put in the book about dealing with A.I. and what we need to do. The first, and this is all for you people, to reform the A.I. ecosystem, that we need to put regulation limits on these companies. The A.I. ecosystem as a wholly for-profit venture, U.S. tech monopolies, largely libertarian white men running this, is just not working and we need to fix that. The second is to resist harmful uses of A.I. in government, and there are lots of them. We're seeing a bunch in the U.S. right now. The third is to actually to responsibly use A.I. where it makes sense in government. Right now, there is no excuse not to offer every government service in all languages of your population. That is easy. That is done. Just do it, right? What are you waiting for? And the last one is to reform the ecosystem of democracy. A lot of the problems of A.I. and democracy are not unique to A.I. They are problems with democracy exacerbated by A.I., right? So, in the U.S., things like campaign finance reform, things like multi-member districts, ranked choice voting, transparency laws, things that we've always needed, now we really need, and that is something I want sort of for everybody. So, I call those the four Rs.
I want to close with one last thing. I spend a lot of time in the book, sort of your question, talking about public A.I., A.I. systems that are not controlled by for-profit corporations. There's been a move in the past two years for public A.I., thinking of it as a public utility, as something that a government can do or a university can do, and this was largely theoretical. In October, somebody did it. Switzerland has an A.I. model called Apertus. This was developed by a consortium of Swiss universities, funding from the government, Swiss Supercomputer Centre. It uses no illegally copyrighted materials. It uses all renewable hydropower, existing supercomputer centre. So, no new chips, no new rare earth mining, cost was about 20 million plus existing infrastructure, so figure about 60, 70 million U.S., performance is about a year-and-a-half behind the current best models, but Switzerland did not set out to create a model up here. They decided to create a model broadly useful for people. It is freely available. You can go online and use it right now. It is an example of an A.I. not created the way these companies tell you it must be done. So, when OpenAI goes to Canada and says we want to build a data centre in your country and give you an instance of our system, tell them freaking no, all right? Canada is bigger than Switzerland the last I checked. You have a supercomputer centre. It's a big one in Ontario, right? You have universities with all the expertise. You can do this. You can build Canadian public A.I., which now can become substrate for everyone to use and it is not beholden to an American company, which, last I heard, being holden to an American company is less good an idea than it was two years ago.
Taki Sarantakis: First, what I heard you say was we have some agency, we have the capacity to make choices, and we don't have to accept the world as it is, and I think that's a wonderful message.
Bruce Schneier: Excellent.
Taki Sarantakis: For people in this room. Please join me in thanking Bruce for a wonderfully stimulative hour.
(Applause)
