How Congress Should Tackle the Drone Privacy Problem
The Federal Aviation Administration (FAA) has issued more than 300 licenses to fly drones in the U.S. The FAA is ready to start issuing a lot more drone licenses, now that Congress passed a law requiring the agency to open the skies to government and private drones of all kinds within a few years. Yet nothing in the drone law requires the government to create any civil liberties protections.
(CDT has made a timeline of deadlines for drone rules that are required by the law.)
The drone law – officially titled the FAA Modernization and Reform Act of 2012 or P.L. 112-95 – requires the FAA to conduct studies on the safe use of drones, as well as develop operation rules and certification standards. These studies and rules could cover privacy issues, but the FAA may claim it only has authority over traditional safety issues, such as making sure drones don’t crash into airplanes. The FAA is more likely to leave the task of developing privacy rules for drones to Congress or, perhaps, the Department of Transportation (DOT).
On its own authority, the DOT can – and should – conduct a study on the possible negative effects of flying drones in U.S. airspace. The study should be based on the Department of Homeland Security’s (DHS) template for “Privacy Impact Assessments” or PIAs, which are intended to ferret out potential privacy problems and find solutions. The study should inform – but cannot replace – formal regulations for drones and privacy.
If the U.S. had baseline privacy legislation that covered commercial and governmental data collection, there might be less to worry about because rules for aerial surveillance would already be in place. However, the U.S. has no baseline privacy law, and there is no real chance that Congress will pass such a law before the FAA starts issuing its drone rules, as soon as next month.
In the absence of a baseline consumer privacy law, Congress should consider a targeted approach to privacy and drones: amend the drone law to require the FAA and DOT to add civil liberties protections to its drone approval and oversight process.
Here is a basic sketch of what such an amendment to the current drone law might look like:
a. Congress should require studies and rules on privacy and transparency for government and non-government use of drones in the United States. Congress should require the DOT to issue rules for privacy, and the FAA to issue rules for transparency. FAA/DOT should be provided with specific authority to conduct these rulemakings and enforce these regulations.
- The privacy rulemakings should adopt protections based on the full set of Fair Information Practice Principles (FIPPs) as issued by the Department of Homeland Security (DHS) in 2008.
b. Establish clear processes for law enforcement use of drones.
- Law enforcement should be prohibited from weaponizing drones.
- To use drones for extended surveillance of a particular target, law enforcement should be required to obtain a warrant and provide the target with notice after the fact of the surveillance.
- Law enforcement should be required to apply for authority from an independent official to use drones for generalized surveillance of an area in a manner that collects personally identifiable information (including, but not limited to, video footage containing facial features or license plates). The application must include the items listed below, in subsections (c) and (d), as they relate to the generalized surveillance for which law enforcement seeks authority. Authority can be granted for no more than 30 days, after which the law enforcement agency must renew the application.
- Limited exceptions to the approval requirements in (b)(2)-(3) should be provided for border searches and emergencies.
c. All applications to the FAA for a drone license should include a data collection statement defining whether the drone will collect information about individuals and, if so, the circumstances under which that information will be retained, used, and disclosed. Using the DHS FIPPs framework, an applicant should describe:
- The purpose for which the drone will be used and the circumstances under which its use will be authorized and by whom,
- The specific kinds information the drone will collect about individuals,
- The length of time for which the information will be retained,
- The possible impact on individuals’ privacy,
- The specific steps the applicant will take to mitigate the impact on individuals’ privacy, including protections against unauthorized disclosure,
- The individual responsible for safe and appropriate use of the drone, and
- An individual point of contact for citizen complaints.
d. Law enforcement agencies and their contractors should be subject to extra disclosure requirements. Transparency requirements should not include the names of law enforcement surveillance targets or the exact times or locations of drone deployment; transparency requirements should focus on the criteria and supervisory controls under which drones will be deployed. In addition to the above items, law enforcement agencies and their contractors should also disclose:
- The officials who can authorize use of the drone,
- The applicable data minimization policies barring the collection of information unrelated to the investigation of crime and requiring the destruction of information that is no longer relevant to the investigation of a crime, and
- the applicable audit and oversight procedures that ensure agencies and their contractors use drones only as authorized, within the scope of the data collection statement, and in compliance with data minimization policies.
e. The FAA should make all approved licenses, with the associated privacy statement of the drone operator, available online to the public in a searchable format. Note that the FAA already makes aircraft licenses available online in a public registry, searchable by license-holder name, craft tail number, or craft make and model. Although aircraft license-holders can opt out of the public registry if they have a security concern, the privacy and security risks associated with drones are different than those of traditional aircraft. The requirement that drone licenses be made public may have an exception for national security purposes, but generally not for law enforcement or private individuals.
While a strong general consumer privacy bill would be preferable, the approach to drones outlined above would be consistent with the larger privacy framework CDT has recommended for general privacy legislation. Moreover, the tight timeline set by the FAA Modernization and Reform Act of 2012 and the seriousness of the privacy issues raised by drones demand that regulatory steps be taken sooner rather than later.