The process of developing drone policy in the United States is typically ugly, dirty, and no fun. It often involves trade-offs, with everyone involved trying to get more than they give. Over the last couple months, stakeholders from civil society and business have convened to find consensus on how best to address privacy with regard to drone use, and this process was no exception to the rule. While Access Now commends the various stakeholders for striving to reach compromise, we believe they ultimately missed the mark. What started as a process to create best practices for drones in the U.S. resulted in standards riddled with loopholes. Sure, the outcome document (PDF) may lead to improved privacy protections for devices that will be observing us from above — but it is far from a gold standard.
Background
Earlier this year, U.S. President Obama asked for a multi-stakeholder process to create “best practices” on privacy and transparency for drone use. Access Now has been participating and pushing for strong protections for privacy and security while tracking the process on this blog. We supported negotiating around a strong model text put forward by the Center for Democracy and Technology. Unfortunately, what was ultimately adopted as best practices — officially the Voluntary Best Practices for UAS Privacy, Transparency, and Accountability — is simply not something we can agree has earned the title.
Privacy is downplayed in the outcome document
Drones can be really cool. Beyond being just fun, drones can provide internet access to people who are unconnected in remote or hard-to-reach locations. They can help during emergencies and make industry more efficient. So when the outcome document spends a long first paragraph talking about the transformative power of drones, we’re on board. However, the document falters from there, especially on privacy.
From the outset, the outcome document fails to recognize that drones augment the ability of companies and others to invasively collect data, particularly data about our interactions in the physical world. Drones pose privacy threats that are significant and predictable. They will further intrude upon our expected zones of privacy, and the outcome document should have spelled out that threat with ample weight.
Instead, the outcome document undersells the very real threats that drones pose to individual privacy as merely “privacy concerns.” This framing cheapens a time-tested fact: the cheaper and easier it is to collect information, the more often it will be collected, stored, analyzed, and used in ways that may be either useless for or actually harmful to the data subject.
The outcome document has insufficient privacy protections
While the entire outcome document is created to be voluntary, it is riddled with caveats. Take, for instance, a provision that requires drone operators to make “reasonable efforts” to avoid using or sharing data outside the operator’s privacy policy. This cannot possibly be a best practice because the U.S. Federal Trade Commission (FTC) has repeatedly taken action against companies that make promises in their privacy policies and then betray those promises. In other words, a government body charged in part with protecting consumer privacy enforces a stricter standard.
Additionally, the outcome document is too narrow in its scope. It includes two huge carve-outs: one for news-gathering and another for emergency services. On their face, both of these may seem like valid exemptions — Access Now particularly understands the desire to make sure that journalists are protected, as we frequently support the safety of journalists through our free 24-hour Digital Security Helpline. However, it’s unclear why journalists need a carve out for drone use. Even news gatherers would benefit from knowing best practices in using drones in their reporting or in analyzing data collected by drones for their stories. Exempting emergency services from these standards also fails to consider that you can plan ahead for many emergencies. In fact, some industries may adopt drones as their preferred emergency response vehicles. Why shouldn’t they follow best practices in their collection of data?
Finally, the outcome document only examines data collected by drones with respect to names or personally identifying information — even though studies have shown that anonymous or pseudonymous accounts can be linked to particular persons with only two location points. The outcome document should have taken a broader approach to data to include all information linkable to an individual, even if the person is not identified or immediately identifiable.
Drones demand a stronger privacy-respecting framework
There is plenty to like in the outcome document, such as the inclusion of the section on data security. In conjunction with the American Civil Liberties Union and Electronic Frontier Foundation, we asked for changes (PDF) that would have increased the document’s protections for the potential pervasive collection of data via drones in the U.S. Those changes were rejected by the other parties involved. As a consequence, the combined document ultimately does not represent any “best practices,” and can’t be labelled any better than “kind of okay practices.” We urge all stakeholders to continue pushing for legal and regulatory standards that better protect privacy. Drones are coming. Now is the time to protect our privacy.