Jim Dempsey | Survival Guide: Perspectives from the field
Interview with Jim Dempsey, Center for Democracy and Technology
- By Alice Lipowicz
- Mar 10, 2006
Pity those poor celebrities with no place to hide from the tabloids' cameras: Britney Spears driving with her infant son in her lap; Kate Moss inhaling a drug at a party; Jude Law sunbathing on his balcony. But Jim Dempsey, policy director for the Center for Democracy and Technology, a Washington think tank, warns that we all could become victims of the explosion in video surveillance throughout major cities and transportation centers, of cell phone tracking, e-mail and keystroke logging systems and other technologies used for homeland security and other purposes.
It won't happen all at once, and lost privacy may never become as intense as it is for many celebrities. But once the invasion begins, we all may experience the glare of unwanted publicity.
Dempsey's recent report, "Digital Search and Seizure," highlights the risks of privacy lost as a result of new technologies, and urges Congress to consider stronger privacy protections.
Dempsey has been with the center since 1997, serving as executive director from 2003 through 2005. He has been special counsel to the National Security Archive, a group seeking to declassify documents on U.S. foreign policy. From 1985 to 1994, he was assistant counsel to the House Judiciary Subcommittee on Civil and Constitutional Rights, overseeing FBI, privacy and civil liberties. He spoke recently with Staff Writer Alice Lipowicz.WT:
Your report highlights the privacy risks of Internet e-mail accounts such as Google's Gmail, Hotmail and Yahoo, cell phone tracking, and keystroke logging software. Are government agencies using these technologies?Dempsey:
They are using all three of them, mostly for ordinary criminal cases as well as in the collection of intelligence against terrorism.
A lot of people are unaware of the privacy risks of online e-mail accounts. People see the convenience, which is significant, but they don't realize that the law draws distinctions that are not really intuitive and not really understood by people. For remotely stored e-mail, the problem will have to be addressed by amendments to the law, so that the government has to meet the full, constitutional, probable-cause standard to access that e-mail.WT:
What should IT companies be doing about these privacy risks?Dempsey:
This is one of the main directions in which the debate has to go. IT designers have to be aware of what they are collecting, whether it is personally identifiable information, and for how long they are keeping it. The fact is if you are keeping information, sooner or later the government is going to come and ask for it. Keeping information indefinitely is not good or bad in the abstract. You want to look at user control: What types of choices does the user have?
There is an obligation on the part of vendors not to hype their products and to think about the social implications. For example, public video camera systems should be built with access controls, with audit logs and with an explicit purge setting to discard old data.WT:
What about outdoor video cameras in public spaces?Dempsey:
The old law would say it's a public street, you have no privacy. Anyone could have taken a picture of you. Up until now, no court has said outdoor cameras pose constitutional issues. Clearly, though, the cameras change the nature of the public space.WT:
What do the IT companies really think of privacy?Dempsey:
I think the IT companies are of two minds. They want strong legal protections so they can say to their customers: Look, your data is secure with us, the government can only get it with a court order of some strength. On the other hand, I think IT companies are always a little bit leery of more regulation and more laws.
There is increasing recognition that the government is whipsawing IT companies and presenting them with requests that don't have solid legal footing. There needs to be stricter legal standards, so the government will be more focused in its requests. There is a cost burden and a consumer trust factor. IT companies should adopt notification requirements, so that if the government comes calling, they have to notify the consumers.WT:
Do you worry about your own privacy?Dempsey:
I am a little schizophrenic on this. I don't go to great ends to protect my privacy; I don't encrypt my e-mail, for example. On the other hand, I don't use things like blogging sites. I do my travel planning online which, obviously, creates a record.
I guess I'm a private person. I'm not sure the younger generation is fully aware of the implications of blogging. It's not just for a close network of friends, and it's not anonymous.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.