September 9, 2015
In 2012 Congress passed the FAA Modernization and Reform Act, which requires the FAA to integrate drones into the national airspace. Soon after this Act was passed, EPIC led a coalition of over 100 experts and organizations in petitioning the FAA to establish privacy protections prior to the deployment of commercial drones.
In November 2014, the FAA initially responded by denying to initiate a new rulemaking, but indicating it would consider privacy in the context of the agency's upcoming rulemaking on small commercial drones. The FAA ultimately backtracked on that statement in its notice of proposed rulemaking for small drones and decided not to consider privacy. EPIC subsequently filed suit in federal appeals court in Washington, DC for the agency's failure to protect the privacy of Americans.
It is important to address privacy as we integrate drones into the national airspace because one of the primary uses for drones will be the bulk collection of data in public spaces, often of the public. The public deserves to know upfront how drones are going to be used to collect data and not after the fact when reliance-based interests make it extremely hard to set rules protecting privacy even when supported by the majority of Americans. A PEW research poll earlier this year showed that an overwhelming majority of Americans thought that for both online and offline interactions being able to control who can get information about you and controlling what information is collected about you were important.
Drones are aerial surveillance platforms and they create the possibility of a surveillance infrastructure for the public space that rivals what the internet became for surveillance of our online activities.
Private industry has already begun collecting data in mass about the public through, for example, the use of license plate readers. Drones threaten to intensify this collection of data in public space. A marketing firm has already tested using drones to scan cellphone location data to use for targeted ads. It's not a far leap to think commercial industry might add facial and license plate recognition capabilities to drones to increase their ability to amass huge databases about the public to sell to local businesses, marketers, and law enforcement.
The result will be a constant tracking of our offline activities in the public space--where we go, who we are around, what activities we participate in. No longer will we be relatively anonymous in public. Our public activities will be collected, aggregated, and analyzed for opportunities to make money off the data of our lives and sold to law enforcement without the protections of judicial review.
It's clear some baseline privacy protections need to be implemented. In comments to the FAA, EPIC has recommended the following drone privacy rules for commercial operators:
- Use and Data Retention Limitations: Data collected via drones should only be used for the specified purpose and only retained as long as necessary to fulfill this purpose.
- Transparency and Public Accountability: There should be a publicly available repository of all commercial drone operators, drone operators should publicly list their collection, use, and retention policies, and independent audits should be conducted to ensure compliance.
- Minimum Security Standards: Security standards should be established to prevent loss of positive control of drones and to prevent unauthorized access to the drone's surveillance capabilities and the data collected.
I've often heard opponents of commercial drone regulations suggest that any type of regulation will stifle innovation. To that I say that if you can't innovate around some basic privacy protections then you're not being very innovated.