Ellen Nakashima and Jim Dempsey
Washington Post Staff Writer and Privacy Expert
Tuesday, January 16, 2007 2:00 PM
Washington Post staff writer Ellen Nakashima and privacy expert Jim Dempsey from the Center for Democracy and Technology were online Tuesday, Jan. 16 at 2 p.m. ET to discuss how our private lives can be tracked and exploited by everyday technology.
Nakashima, who covers privacy for The Post's business section, traces a day in the life of a 56-year-old real estate agent, in her story: Enjoying Technology's Conveniences But Not Escaping Its Watchful Eyes, highlighting how and where technology collects snippits of personal data.
Dempsey is a policy director for CDT where he served as Executive Director from 2003 through 2005. His areas of expertise include privacy, electronic surveillance issues and national security issues. He also heads CDT's international project, the Global Internet Policy Initiative.
The transcript follows.
Ellen Nakashima: Hi. Welcome to our chat about how the digital era has changed our lives, in ways we're not even aware. Jim Dempsey, director of the Global Internet Policy Initiative of the Center for Democracy and Technology, is with us today.
Boston: Great article. What do you consider to be the best response to people who say that giving up some privacy is necessary for security and that if you do nothing wrong, you have nothing to worry about? I find that the most difficult argument to respond to without sounding paranoid or guilty of something. Thanks.
Jim Dempsey: Good questions. Of course, we live in a world of trade-offs, but in addressing security, we shouldn't start from the assumption that we can purchase security by giving up privacy. It is not a mathematical formula - 1o units of privacy surrendered equals 10 units of security purchased. All of those who have seriously looked at the issue, from the left and the right, have said we can and must find ways to enhance security while preserving privacy.
In terms of what do you have to hide, there are two responses: First, I fear inaccurate government decision-making. There is a lot of information available, but it is still fragmentary and could easily be misinterpreted. People (mostly non-citizens, but also some citizens) were detained after 9/11 because of a small and innocent connection with a suspected terrorist. Secondly, there is the chilling effect - we want a society in which people use technology without fear of the government looking over their shoulder. A free, open society in which people are comfortable expressing themselves and engaging in a wide range of activities is not a weakness, it is a defense.
Anonymous: what is the best program in the market to clean your pc of spyware
Jim Dempsey: I can't really endorse specific products. Visit the FTC's OnGuard Online spyware page to find an anti-spyware product: http://onguardonline.gov/spyware_tools.html
Jim Dempsey: Great article Ellen, You managed to put a human face on some things CDT has been saying for years: this is great technology, but it has huge impact on privacy and the law is not keeping pace. I was really impressed with the way you pulled together a lot of complex ideas - the law in this area is very complicated - you made it quite clear.
Jim Dempsey: Hi Ellen. Great article. You put a human face on what CDT has been saying for several years: this technology is great, we all rely on it, but it has huge implications for privacy and the law is not keeping pace.
Ellen Nakashima: Jim, one of the things that struck me about Kitty Bernard is that she is like so many of us - she uses shopper cards, a speedpass, an EZpass, because it saves us time and money. The surveillance capability is built into the technology -- she didn't sign up for it, but its there. What do you think?
Jim Dempsey: Oops - still getting used to this chat technology myself.
Alexandria, Va.: What are the legal limits to setting up surveillance cameras, whether in a business, public areas or in a home. If we are recorded in a public or private venue by one of these cameras without our knowledge can that data be stored, used, shared without our consent? What limits are there?
Jim Dempsey: Unfortunately, right now, there are few legal limits on surveillance cameras. In public places, the Supreme Court ruled quite some time ago, you have no privacy right in terms of what you expose to public view.
The technology, of course, changes the equation, since what was ephemeral and visible only to those present at the moment can now be recorded, saved, and shared with those who weren't present.
And in a store or other private place, the owner can do pretty much what he wants.
There have been some efforts to limit cameras in dressing rooms or lockers, for example. And there have been some efforts at the municipal level to limit deployments of cameras.
The law traditionally says there is no expectation of privacy in public, driving down the street, getting on the Metro. It's what Mark Rasch, a privacy expert and former fed prosecutor, called the "breeze rule" "If you can feel a breeze, you don't have an expectation of privacy."
Jim Dempsey: Ellen, that's precisely the issue: we love the technology, increasingly we have to adopt it to function in the world, but it comes with a price in terms of privacy, and little choice over whether to pay the price. I'm sure Kitty Bernard got a notice from VDOT telling her that it was collecting data via the EZPass and that it would disclose it under certain circumstances. I would guess Kitty didn't read the notice. Even if she had, she probably could have adopted EZPass for the convenience. The challenge therefore is to preserve the convenience but put some checks and balances on disclosure of the information.
Washington, D.C.: Is there any hope that Congress will address this privacy issue? Has there been any mention of bills, studies or investigations into the matter?
Jim Dempsey: I think this could be the year for some meaningful privacy legislation. There is bi-partisan interest. And key tech companies last year called for legislation - a major development. The challenge will be dealing with conflicting jurisdiction among committees. CDT is seeking legislation that would establish a federal baseline, and protections that would be " robust but flexible."
Rockville, Md.: It seems to me that most (if not all) of these "trackers" are voluntary. I don't HAVE to use EZPass. I don't HAVE to use the SpeedPass. I don't HAVE to use the shopping cards. I don't HAVE to use credit cards. I don't HAVE to use GPS.
I CHOOSE to use EZPass, Speedpass, and credit cards to make my trip easier and faster. I CHOOSE to use the shopping cards to save money (aside - aren't they jacking up the prices so you can "save"?) I could go buy a map and avoid the GPS system.
If I wanted to, I could easily avoid tracking etc but I am WILLING letting the corporations "inside" my life so I can have things faster and easier. It's my choice. I trust the companies to not sell or give the information away and I trust the courts to prevent Bush from looking. But it's a choice. And if my "trust" is broken, I could also go "off the net".
Jim Dempsey: Sure, you don't have to participate in modern society. The question is, can we structure a social contract so that you can engage, you can use the technology to your professional and personal benefit, without giving up privacy. That depends on the legal rules, user education, and the way products are designed.
Ellen Nakashima: Today's article addressed mostly what is in use today and by a person who is not an "early adopter" of tech gadgets. But technology is advancing so fast - there are pilot programs in cities like Chicago, San Francisco and NY, where participants with an RFID keyfob drive past certain billboards and receive targeted messages. There's technology that allows cars to talk to cars --stop! you're about to hit me! How can policy makers keep up? What should they do?
Jim Dempsey: Ellen, the first step is articles like yours, to educate both members of the public and policymakers. The next step should be hearings, which I expect to occur in the coming months, since this issue has been building.
As I suggested in response to a prior post, there is no silver bullet. Yes, we need to update our laws. Consumers need to be better educated, since there are some things they can do. See http://www.getnetwise.org. And the technologists designing these great products and services need to build them so as to minimize data collection and give users greater control.
Ellen Nakashima: The Senate Judiciary Committee - chaired by Sen. Leahy -- and the House Energy & Commerce Committee are concerned about the issues surrounding collection of people's personal information - whether by government or the private sector: How is the data used? Who owns it? Who do they share it with? What rules govern that collection and sharing? Last year, the Energy & Commerce committee held a series of hearings on 'pretexting,' or obtaining personal data by impersonating someone else. Legislation passed that would criminalize phone pretexting, but consumer advocates are hoping to get legislation passed that would address the telecom carriers' role in this.
Jim Dempsey: Ellen - the responsibility of data holders - the telephone companies in the pretexting case - is an important aspect of privacy. The companies that collect our data should be seen as custodians of that data. Security is never 100%, of course, and bad guys will try to get around any security measures, but the holders of data need to be more conscious of protecting it.
Minneapolis, Minn.: Jim, Of how much concern are recordings made for "Quality Assurance Purposes" by telephone support arms of corporations. Is there a lingering record which can potentially impede privacy? Is there recourse to have such recordings removed from company archives and/or obtain copies of these recordings?
Jim Dempsey: Right now, there are no limits on how long companies can keep those recordings, or the records that relate to your transaction, whatever it was. There is a privacy principle that data should be held no longer than necessary for the purpose at hand. The European Union has written that principle into law. The US has not
Ellen Nakashima: Another interesting point is that Kitty Bernard's success depends on her getting her name and email address out there. She's also opening herself up to a lot of marketing pitches -- I saw how many email and snail mail adverts she tossed in a day. One marketing professional I met said to prevent automated email spam, he has taken to adding an extra space in his email address so that someone has to physically type it in, if they want to e-mail him. Striking the right balance is always tricky when your livelihood depends on putting your name out in public.
Calgary, AB, CANADA: Years ago, I read of an instance where a stalker had obtained information about his victim's buying habits from a grocery store's database. Apparently, he used the information to psychologically terrorize her. Since then, I have felt differently about using my Safeway card, but am still "held hostage" to the savings it offers. Thus, although I felt frustrated by Kitty Bernard's response to the barrage of assaults to her privacy, I can also understand how the seduction of convenience that these technological advances offer can overcome our better senses. The concern for "law abiding" citizens, however, is not that they have nothing to hide, but rather the realization that, when we, as a society become lax about our protections for privacy rights, unforeseen consequences can arise, (not to mention the principles) ... What would you suggest, in terms of the seemingly innocuous information gathering items, such as the grocery cards?
Jim Dempsey: You have well-stated the dilemma, and your question is actually a good response to some of the earlier comments.
In terms of grocery cards, right now you don't have a lot of choices to control the data if you give your true name and identifiers. Some people, of course, create a fake id for these cards, or transpose some of their identifiers. That is probably not illegal if not done for fraudulent purposes. In fact, I think grocery stores and others with "loyalty" programs should allow consumers to create and use such pseudonyms.
Fairfax, Va.: Can a satellite radio like XM Radio or Sirius be used as a tracking device if it's in your car? Also, can they track your listening habits from the car?
This is another perfect illustration of how great new services have privacy implications for which there is no precedent. In the past, radio listening and TV viewing were entirely anonymous.
Ellen Nakashima: Jim, the other big issue is how the government is using technologies developed by the private sector - data mining techniques used for years to detect credit fraud are now being adapted for counterterror purposes. Some analysts say that such applications cannot be effective - and the privacy implications are great. What do you think and what issues need to be raised as part of the public debate here?
Jim Dempsey: The Senate Judiciary Committee held a hearing on just this issue last week. Leslie Harris of CDT testified.
Jeff Jonas, of IBM, who does data analysis for a living, is skeptical that pattern-based data mining will work for counter-terrorism purposes. See http://jeffjonas.typepad.com/jeff_jonas/2006/12/effective_count.html
Jim Dempsey: We're coming up to the top of the hour. I will try to sneak in a couple of answers to questions in the queue.
Washington, D.C.: Does anyone really believe that the RFID passports will not be hackable, leading to the most dangerous kind of identity theft?
Jim Dempsey: CDT recently published a lengthy analysis of the issues associated with RFID in the proposed PASS Card, a passport-lite for use in travel to Mexico and Canada. The government's approach is woefully insecure. Check out http://www.cdt.org/headlines/958
Silver Spring, Md.: You've discussed collection and analysis, how about access and disclosure?
Ellen Nakashima: In the post 9/11 world, the government places a great premium on security - and secrecy. So for instance if they issue a national security letter to a bank or a library or any entity, seeking your phone call or e-mail or ISP transaction data, the party giving up the data may not tell you the govt sought it. The rationale: Not to tip off a person that the data is being sought. But if there's a mistake, and someone is erroneously targeted, that person may never know how their data was disclosed. Similar issues arise with other govt data analysis programs used for homeland security and counter-terror purposes. It's part of the debate Congress is weighing in on.
Jim Dempsey: Ellen, congrats again on a great story. I hope policymakers pay attention
And thanks to your readers for all the questions - I'm sorry I couldn't get to them all. Check out cdt.org for more info
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.