The FAA's Drone Privacy Plan: Actually Pretty Sensible

By M. Ryan Calo

Posted on November 26, 2013


Thursday felt like drone day. The Federal Aviation Administration released both its roadmap (PDF) to integrate private drones into domestic airspace and the privacy requirements (PDF) that that will apply to the half-dozen locations selected to be testing areas for this integration. The Joint Planning and Development Office—a collection of six agencies plus the White House—released little remark third document entitled Unmanned Aircraft Systems (UAS) Comprehensive Plan as well.

As a long time commentator on the domestic use of drones, I spent a good portion of my day discussing these developments with colleagues and the press. In particular, I was asked about whether the FAA had made any strides in terms of safeguarding privacy and civil liberties. My view was that indeed they had, but I couldn’t help but notice other voices—voices I respect—criticizing the FAA’s plan as not going far enough.

For example, in an email accompanying a new draft bill, privacy champion Representative Ed Markey (D-Mass.) observed of the FAA’s roadmap that it showed “disregard for the need for strong and comprehensive privacy safeguards,” and called instead for “federal legislation to protect innocent individuals from expanded use of commercial and government drones.” Many privacy advocates on Twitter and elsewhere were similarly skeptical.

So, are these folks right? Was the FAA paying mere lip service to privacy? I’m not ultimately sure, but what follows is my evidence that the FAA is taking privacy seriously and following a relatively defensible path forward. But first let me pause long enough to note the baseline: the FAA was, until recently, claiming through its officials that privacy was not a part of its expertise or mission. I thought that was a terrible argument, in part because agencies develop new expertise when they need to, and in part because the FAA’s mandate is to integrate drones into domestic airspace. This task requires them to address sources of, say, enormous public resistance. The National Highway Traffic Safety Administration addresses privacy concerns in its discussion of block boxes or vehicle-to-infrastructure communication, and “safety” is literally its middle name.

In any event, the FAA is now changing its approach. The agency is requiring, for starters, that its test sites develop privacy plans. The privacy plan has to explain how data that is collected will be used and what the site’s policy is around retention. The site must make these plans publicly available, create a mechanism for receiving and addressing public comment, conduct annual reviews, and have a way to update and enforce the plan. I thought it particularly telling that the FAA referred to well-known (if imperfect) privacy standards, noting (page 12) that site privacy plans must be “informed” by the same “Fair Information Practice Principles” that the Federal Trade Commission looks to in policing Internet privacy.

The FAA did not just announce its privacy rule, it also responded (in its final notice) to calls for the agency to go further. There was one goofy answer by the FAA in there. The agency received a request during its comment period that it take privacy into account in the selection process, i.e., select one or more test sites where strong privacy protections had already been put in place by the legislature. Great idea, as any fan of federalism or architect of experimental studies understands. The agency responded by saying, essentially, that the criteria for selection were already set. Even if you think this answer is responsive (I don’t), then what it shows is that the FAA asked for privacy input at the wrong time.

But the right word for the agency’s other answers is, I think, “sensible.” The FAA pointed to tort laws that can help address individual grievances, which is true in the worst cases. It cited the fact that the test sites would be public institutions subject to political pressure and freedom of information requests, and the fact that local legislatures could act to curb privacy abuses should they materialize. Left unstated was Margot Kaminski’s argument that, in addition to privacy, drone policy must be sensitive to free speech principles; the best way to reconcile the tension between privacy interests and use of drones by citizens or the press to foster accountability may be to let the states each strike their own balance.

What is really getting lost in the debate, however, are the subtle signals the Administration is sending about the future of drone regulation. The FAA didn’t just pass test site rules. It referred to privacy (at page 16), for the first time, as a “regulatory driver.” It listed privacy (at 32) as one goal of “developing and implementing the [drone] system requirements established by the FAA.” The agency says (at page 42) that “new or revised regulations and supplemental procedures” may be necessary and, if so, they will be implemented “in coordination with relevant agencies to address related security and privacy implications.”

In other words, the privacy rules for the test sites are just the beginning: the test sites will test privacy, just as they test congestion, safety, and everything else. The Joint Planning and Development Office’s Comprehensive Plan is pretty explicit on this strategy (at page 7): “As use of [unmanned aerial systems] by civil agencies and private industry grows, preserving the privacy, civil rights, and civil liberties of individuals becomes increasingly important. … The lessons learned and best practices established at the test sites may be applied more generally to protect privacy in UAS operations throughout [national airspace].”

Now, there are other issues with the FAA’s roadmap. I was surprised by the paucity of references to adequate security. At one point (page 29), the FAA refers to the prospect of “spoofing” (i.e., tricking) drone navigation systems and, in passing, the need for “vulnerability analysis” in the context of “control and communication” research. But actually, incentivizing adequate security in the 7,500 or so commercial drones the FAA chief Michael Huerta envisions by 2018 is an enormous deal, one intimately linked to both privacy and safety. Moreover, there was next to no discussion of how individual drone operators were going to be held accountable (with drone license plates, for instance) for incidents involving drones.

But over all, I hope you see why I am encouraged by the direction the FAA and greater Administration has taken with respect to privacy and civil liberties in the context of drones. It’s a two step; and we’re only on step one. Now if only the government would stop indiscriminately monitoring our communications. A kid can dream.

The preceding is re-published on TAP with permission by its author, Ryan Calo, law professor at the University of Washington and faculty director of the Tech Policy Lab. “The FAA's Drone Privacy Plan: Actually Pretty Sensible” was originally published by Forbes on November 9, 2013.



About the Author

Recent TAP Bloggers