Leaders of innovation constantly challenge the federal government to maintain pace with the rapidly developing demands of emerging technologies. A nascent area of development that has recently garnered policy and regulatory interest surrounds machines that defy gravity — drones. As previously discussed on DisCo, drone use policies have been nebulous, with the Federal Aviation Administration’s (FAA) ban on commercial use and the hovering possibility that production and sale would move overseas due to outdated and tenuous laws. Recently, regulatory agencies have shifted their views towards recreational and commercial drone use, enabling innovation to flourish under the nation’s airspace.
Last month the National Telecommunications and Information Administration (NTIA) released voluntary Best Practices for unmanned aircraft systems (UAS), focusing on privacy, transparency, and accountability. These guidelines stem from a presidential memorandum last year requesting a policy-by-design approach to address issues related to the private and commercial use of UAS. Shortly thereafter, the FAA announced Rule 107, which regulates the operation of routine commercial drones.
NTIA’s best practices are “intended to encourage positive conduct that complements legal compliance” in an effort to support active growth within industries. The main points, containing similar language to two legislative bills introduced in 2013, include provisions that encourage UAS operators to “inform affected persons of UAS use and the collection of data; take care in the collection and storage of information that identifies a particular person; limit the use and sharing of such data; secure data; and monitor and comply with the law as it evolves.” The major exception stated in the best practices is for news reporters and newsgathering organizations. The public benefit of reporters’ First Amendment rights is seen as too valuable to restrict the capture, storage, retention, and use of data or images in public spaces via UAS.
These voluntary best practices and new FAA regulations are small steps towards shaping the legal landscape for new technology, and generally speaking, show that regulators are receptive to the exploration of drone technology in the private sector. This responsiveness encourages further conversations on the policy questions that remain in the jetstream that relate to data and privacy.
Will there be a bifurcation of policies and procedures for UAS data collection?
Currently the NTIA best practices recommend limited sharing and retention of data, including post-data collection mechanisms for removing or deleting images of individuals. While this approach draws on similar mechanisms to which online service providers are currently subject, it presents a divide in the data collected by drones versus other devices with similar capabilities, such as smartphones and security cameras.
Despite their potential for cost-efficiency and greater reach, drones do not present fundamentally different challenges than other widely-available technology products with similar recording capabilities, such as manned aircrafts or mobile devices. Having separate compliance mechanisms by which companies and UAS operators must abide, rather than a technology-neutral approach, may not be the best long-term policy framework to implement.
Would UAS operators be accountable for inadvertent data collected?
Section 2 of the best practices does not disclose specifics on collecting, using, storing or sharing data. It suggests establishing a process for receiving and managing privacy or security concerns, but doesn’t elaborate further. Also not addressed is the extent to which operators are responsible for deleting or obfuscating covered data (defined as information collected by a UAS that identifies a particular person) that has become publicly available. In other words, if a drone inadvertently captures an individual’s image in a public place, are businesses required to implement protective measures to protect that data? It would be unreasonable for UAS operators to be responsible for censoring a flood of requests for inadvertent data collection in a public place, which parallels arguments made by U.S. online platforms opposing individual European requests to remove all content and information about them.
How does data collected by UAS relate to the Fourth Amendment framework?
Finally, it would be remiss not to mention the potential Fourth Amendment questions surrounding law enforcement’s interest in the data collected by UAS operators. The NTIA best practices state in multiple places that the guidelines do not replace or take precedent over any other law, but they do not address law enforcement’s ability to access UAS operators’ data or recommendations for compliance with such requests.
The question of whether surveillance by drones is constitutional has yet to be answered, but the existing jurisprudence errs on the side of protecting individuals’ right to privacy. In California v. Ciraolo, the Supreme Court held that warrantless, naked-eye aerial observation of one’s backyard did not violate the Fourth Amendment. On the other hand, the Supreme Court ruled in Kyllo v. United States that using thermal-imaging to penetrate an individual’s home to scan for illegal activity constituted an unlawful search under the Fourth Amendment framework. The implication of these cases is that visual surveillance of an individual’s property without a warrant is lawful, but infiltrating the parameters of one’s home through technological means requires probable cause. Drones have the capability to survey much more than the human eye, so it will be imperative to implement policies that carefully consider the Fourth Amendment and law enforcement’s drone use for surveillance.
The third-party doctrine may also be implicated in the commercial operation of drones. This doctrine permits law enforcement to acquire information from a third party without a probable cause warrant if the information was originally offered to that third party voluntarily by the person with the relevant privacy interest. For example, if a real estate business gives a drone operator permission to collect aerial views and other neighborhood data, the real estate company may no longer have a reasonable expectation of privacy in the data collected by the UAS operator. This design implies that even though the real estate company entrusts the UAS operator with the data and it is assumed that the information will only be used for limited purposes, law enforcement may still be able to obtain that footage without first seeking a proper warrant.
Anticipating these concerns, the Center for Democracy and Technology issued model best practices for UAS last year with provisional language limiting law enforcement’s ability to obtain data through proper administrative, judicial, or other legal processes. However, none of their recommendations or cautionary language is present in the NTIA document, leaving a potential loophole unresolved.
Striking the balance between protecting individuals’ rights to privacy and the rights of UAS operators is difficult. The value of having informed policies has dramatically increased with advanced technologies and systems’ interoperability. NTIA’s multistakeholder process approach should be applauded for finding the necessary consensus to develop a baseline framework for future policymakers, as commercial drone usage and the corresponding lift in data collection has taken flight.
*Sidenote: check out the amazing photographs taken by Dronestagram.