Privacy Advocates, After NTIA Facial ID Boycott, Attend Agency's First Drone Meeting

Privacy issues proposed by participants for further discussion included examining federal and state laws and regulations on data collection; how data can be retained; what's an area where an individual has a reasonable expectation of privacy; location tracking; retention and sharing of sensitive information; how Fair Information Practices affect drone use; determining the difference between physically flying over private property and flying over private property and collecting information; operators' ability to fly anonymously; distinguishing between identifiable and unidentifiable data; whether best privacy practices should apply to manufacturers as well as operators; ability for consumers to protect themselves from drones with measures like geofencing; crash issues; what privacy policies look like for UAS; ensuring privacy protections don’t chill free speech rights; and data security.

Consumer distrust about commercial drone use could hamper growth in the industry, which is why NTIA brought together representatives from academia, civil society, industry and the technical community to come up with best practices for drone use, said NTIA Deputy Assistant Secretary Angela Simpson Monday during the drone meeting. Best practices aren't binding or enforceable like a code of conduct, said NTIA Director-Internet Policy John Morris, saying NTIA isn't trying to direct participants to achieve a predetermined outcome. Not all unmanned aerial systems (UAS) may raise privacy concerns, but most raise transparency and accountability issues, Morris said.

Transportation Department attorney-adviser Anne Bechdolt said an interagency committee that's developing policies for domestic use of drones is reading through all public comments that were due in April. Bechdolt didn’t say when the interagency policy would be released, nor would she discuss specifics of what was included in the comments. Federal Aviation Administration attorney Dean Griffith said some privacy rules on drone use are listed under FAA Modernization and Reform Act Section 333 operations like obtaining permission to fly over private property, operating drones only during the day and requiring operators to be in sight of their UAS at all times. But a presidential memorandum that led to the creation of the interagency committee doesn’t have statutory authority over privacy, nor does any federal agency when it comes to drone privacy, said Bechdolt. How to enforce privacy is the next step after the rules are created, she said.

The goal in developing best practices isn't to enforce the best privacy practices against companies, but to inform and guide companies, said NTIA Director-Privacy Initiatives John Verdi. Griffith wouldn't comment on whether federal law would pre-empt state law. Bechdolt clarified that when the FAA says drones can’t fly over someone, that means it’s illegal to fly a drone over individuals who are considered to be unaware that a drone is in use. Drones are newer than the Internet, but many federal agencies and academics have done some work on the privacy issues, Verdi said. NTIA will “shamelessly adopt” the work of others in its best privacy practices document, and is happy to host presenters to communicate items learned throughout the multistakeholder process, Verdi said.

Amazon, Google and Verizon are just a few of the companies that have expressed interest in using drones, said AirMap Co-founder Gregory McNeal. It’s a blurred line between consumer and commercial use, McNeal said. Drone-maker DJI sells about 20,000 small drones per month, he said. Most users aren't using drones with cameras that have zoom capabilities, but that’s a possibility, he said. Most hobbyists don’t use the autonomous flight setting to track individuals, but that could happen, he said.

CDT Advocacy Director Harley Geiger said after his former CDT colleague Justin Brookman and other privacy advocates walked out of the facial recognition multistakeholder meetings in June that CDT had an internal discussion on how the process could have gone differently and suggested a charter be created for the drone multistakeholder undertaking outlining the goals, timeline and what happens if the goals aren't achieved. In the facial recognition meetings, participants were polarized -- wanting either extensive rules or no rules, Geiger said. It may be helpful to have two to three chairs, who have substantial experience and are able to get a conversation out of sinkhole, he said. NetChoice Policy Counsel Carl Szabo cited concerns if someone had the ability to veto or mute another participant.

AirMap's McNeal proposed developing a tiered best practices document that would allow users who can’t comply with every recommendation to find room for improvement. Geiger recommended dividing recommendations based on use, noting that commercial uses are different from journalism, agriculture and artistic photography uses. CEA Regulatory Affairs Director Alex Reynolds said stakeholders shouldn't delve into hypothetical scenarios to keep the recommendations as realistic as possible. Any concerns that surface later can be added on, Reynolds said.

​NetChoice's Szabo questioned the need for the multistakeholder process, saying people’s main concern seems to be someone flying a drone over their backyards and spying on them. He said trespassing and Peeping Tom laws already take care of that issue. Future of Privacy Forum Policy Counsel Joseph Jerome, CDT’s Geiger, New America International Security Program Fellow Konstantin Kakaes and Access U.S. Policy Manager Amie Stepanovich disagreed. The best practices should help restore or maintain public confidence with drones as people come to grips with the possibility that the sky will be blanketed with cameras, Geiger said. With drones comes the added concern of there being no easy way to know if the drone is looking at you or a building, Jerome said. It’s going to be difficult to build a framework since some issues don’t exist yet, Kakaes said, but it’s necessary because as Stepanovich said, technology advances quickly and the privacy framework should try to prevent privacy issues from occurring in the first place. The next meeting is scheduled for Sept. 24.