Q&A: Got Data? Beware Privacy Pitfalls, Big Brother 2

Jim Dempsey of The Center for Democracy & Technology discusses corporate data privacy policy.

With controversy swirling around ID theft and electronic surveillance by the government, what should corporations do to protect customer data? Jim Dempsey, policy director at The Center for Democracy & Technology (CDT), spells out controversial advice such as "gather less data" and seemingly dire warnings such as "if you gather the data, the government will come calling." Whether you view CDT as an advocate or an adversary, its voice is being heard on Capitol Hill, so it's important to be aware of its stance on important corporate data policies and related issues.

Intelligent Enterprise (IE): CDT was created in 1995 and is funded in part by companies including Google, Yahoo, AT&T, Verizon, HP and Microsoft, but what's the group's policy background?

Jim Dempsey (JD): We were founded on the principal that the Internet and other new digital communications technologies have a unique potential to promote democracy because they're decentralized, they're user controlled and they're global. Yet we felt that in order to achieve their democratic potential, these technologies needed a certain policy environment that the government could either promote, by enforcing competition, for example, or that it could interfere with, through censorship, limiting the free flow of information or by failing to protect privacy, thereby undermining trust in the technologies.

IE: Many of our readers compile and analyze consumer data. How does that data figure in today's controversies over consumer privacy and government surveillance?

JD: Any company that is collecting personally identifiable information needs to recognize that ultimately the government is going to come calling. Companies have to consider carefully what they're collecting, and I think there's an obligation for companies to think more about how they can minimize data retention. It's a privacy principle that personally identifiable data should be kept for no longer than is necessary to complete the transaction for which it was created.

Designers of systems and designers of business processes have to be aware that if you keep information, the government or a civil litigant will figure that out and they'll come asking for it. Then you'll be put in a difficult position of having to comply even though your customers may be upset when they find out about it.

IE: This certainly applies in the case of the Department of Justice seeking data from search engine companies, but many people would say, "Hey, the DOJ is trying to fight pornography on the Internet, so I'm okay with that."

JD: The issue, though, is the ability of the government to accurately draw inferences from the data and how the data is being used for purposes beyond that for which it was collected. I'm more than happy to fight terrorists; I just don't want to be wrongly flagged as a terrorist. I'm happy to fight pornography, but I'm unwilling to be wrongly labeled a pornographer. The issues have to do with inaccuracy, false positives, misinterpretation or misuse of data. There's very little data that the government should not be entitled to get if it exists; the question is, what are the standards, what are the checks and balances, what sort of confidence level do we want to have and how do we prevent fishing expeditions or government mistakes?

IE: In the wake of 9/11, do you think most citizens would say it's okay for the government to use computers to analyze, say, phone or Internet traffic to a suspected terrorist?

JD: I think that the public is of two minds. The public wants to fight terrorism, but it also wants government to be effective. We have seen lots of ways in which the government is ineffective. Also, the standards are different when it comes to communications privacy. Unlike stored data privacy, communications privacy is about what is secret or hidden. By constitutional law and by statutory law, we are entitled to believe, and I think people objectively and reasonably do believe, that their communications are private, secret, that they are hidden from any other than the intended recipient.

To erode that sense of confidentiality has a very destructive effect on expression, association, democratic participation; it has what the courts call a chilling effect. It would be very destructive for democracy for people to believe that their phone conversations and their e-mail are being scanned by the government.

Forget about privacy; just look at this from a point of view of how can we effectively fight terrorism? Doing that requires the trust of the public. If you lose the trust of the public, it's going to be harmful to the national security goals, even if you consider those goals single-mindedly.

IE: You contrast data at rest from communications, yet today we have VoIP (voice over Internet Protocol) and e-mail. It's harder to draw distinctions between the two, isn't it?

JD: There's still a distinction between the credit-card data that I give to Expedia, for purposes of completing my airline reservation, and the flow of that data over the Internet. I don't expect my ISP to intercept and keep my credit-card number and my travel itinerary as it flows across the network.

Voice over IP, e-mail and Web-based e-mail are very interesting technologies in this regard because my credit-card information, my travel itinerary and even the words of this conversation, if it were on VoIP, might be getting stored by the intermediary service provider. You could configure the system to record telephone conversations, so the distinction is blurring. The law is struggling to maintain it, but I think we are going to have to revisit the laws to take into account the way the technology is changing.

IE: Given those changes, what are the biggest gaps you see in existing laws?

JD: The biggest gaps are caused by the storage revolution. The laws provide relatively strong protection to communications in transit, but they provide weaker protection to communications and other data in storage. That's a major problem. Of course, right now, we're having a major debate over the fact that the President claims that he doesn't have to follow those laws and that he's authorized electronic surveillance in the name of national security without complying with the judicial oversight requirements of the Foreign Intelligence Surveillance Act.

IE: That's certainly a debate for citizens and our society, but what's the issue for commercial businesses that collect and analyze data?

JD: It's also a commercial issue because there's a huge question about the extent to which service providers have cooperated with that warrant-less surveillance. That needs to be explored, and my guess is that service providers have cooperated. I don't think the government has done this only from outside the switching facilities of Internet and communications companies.

IE: Switching to the subject of identity theft, what's CDT's stand on requirements for disclosures of possible consumer data exposure?

JD: Security is another element of privacy, and I think companies that hold data need to start thinking of themselves as custodians or trustees. They are holding data and they can use and benefit from it in some ways, but in other ways it's not their data. Consumers retain an interest in ensuring that the data is used for purposes that they have knowingly consented to, and they have an interest in knowing that that data does not fall into the wrong hands. There are other custodial responsibilities.

IE: Such as?

JD: The responsibility to ensure that the data is accurate, that it's used fairly, that individuals have a right to correct data about them and that individuals have true choice over how data is used.

IE: Did CDT have a specific stand on the California ID theft law or on passing a federal law?

JD: The California law turns out to have been a good idea. It has certainly drawn attention to security deficiencies on the part of both companies and governmental entities, and it has raised public awareness. We have supported the establishment of a federal law, and we believe it should be no less comprehensive than the California law.

There is an effort by a number of companies to preempt or overturn the California law by creating a less comprehensive federal law. We think that's misguided. I don't see the over-notification problem, or I think it can be dealt with.

IE: What's the over-notification problem?

JD: The justification for a watered-down federal law is that the California law, if applied nationwide, would result in over-notification; people would get so many notices that they would stop paying attention, and so far that hasn't happened with the California law.

IE: Beyond requiring disclosures, are there technologies or techniques or practices that CDT recommends on identity theft?

JD: We don't believe it's appropriate for the government to dictate the technologies. At most, the government should set some baseline standards, but how they are implemented is not up to the government. Government hasn't put its own information security house in order, so it's not in a good position to be dictating to private companies.

IE: CDT has taken strong stands that not everyone agrees with, such as opposing extension of the Patriot Act. How in touch do you think CDT's positions are with the citizenry, the government and businesses?

JD: CDT is committed to developing and promoting balanced solutions. On the government side, we recognize that the government has legitimate interests; the public has legitimate interests in ensuring that the government has the tools necessary to prevent terrorism, to investigate and solve crimes, to protect the public. At the same time, those powers should be exercised carefully and under a system of checks and balances and controls. We have to ensure that they are applied in a focused manner, in a way that doesn't result in too many mistakes or avoidable errors.

On the corporate side, businesses live and die by information, and it's an information-based economy. There are many legitimate uses of information — for fraud detection and prevention, for providing more efficient services for developing new marketing opportunities. At the same time, consumers have a right to be treated fairly and to have some control over how information about them is used. What CDT is trying to do is find balanced solutions that take those sometimes-competing sometimes-complimentary interests into account.

I think we're well positioned for that. The fact that we were called to testify before Congress last year on Patriot Act issues six times shows that our policymakers are listening to us and are taking our views and recommendations into account. On the corporate side, the fact that we coordinate a series of working groups with companies and consumer organizations and that many of the leading technology and information services companies participate in our working groups, shows that people find value in our perspective and that our positions are balanced and reasonable.

IE: What's your best advice to corporations on the topic of data privacy?

JD: We very strongly promote the concept of privacy by design. Service and product developers need to think about privacy at the outset, bake that into the design and be aware of what's being collected. They should only collect what is necessary and consider how it's being stored, how it's going to be used and look for ways to collect information in an anonymous form. Minimize the collection of unnecessary information. Give users control and the ability to turn a feature on or off.

These are things that can be built in, and the challenge for designers is to serve the corporate needs and maximize shareholder value while at the same time taking into account these privacy issues. We like to talk about corporate self-interest, and we believe that companies can maximize profit while at the same time respecting privacy. The only way to maximize profit in the long run is to respect privacy.


IE: What's the last book you read?

JD: "Where I Was From," by Joan Didion, which is about California. I moved here last August, and I'm still trying to figure it out.

IE: Where did you live before?

JD: Washington, D.C.

IE: What's your alma mater?

JD: Law school at Harvard and college at Yale.

IE: What's your hobby? I don't have any hobbies. I work and I cook and do laundry.

IE: Is CDT where you thought you'd end up?

JD: My ambition was always to work in some public interest arena. I originally thought that would be more civil rights than civil liberties, but then I got a job on Capitol Hill, working for the House Judiciary Committee on civil liberties issues. That was in 1985, and I've been doing that ever since.