Stakeholder Perspectives: UAS And Privacy

The National Telecommunications and Information Administration is leading a multi participant process to address the main questions and plausible answers to privacy issues for the UAS industry.
By Luke Geiver | November 30, 2015

The issue of privacy for the unmanned aircraft systems industry has never been more public. Following the now-famous drone on the White House lawn event that pushed the UAS and privacy issue into the brightest of spotlights, the Obama administration took action. The administration created a multi-stakeholder process designed to explore and entertain the plausible answers to the many concerns voiced by both industry skeptics and supporters on the topic of privacy. To lead the process, the National Telecommunications and Information Administration was tasked to act as main moderator and help stakeholders past petty arguments on process or general constitutional rights toward a definition of privacy relative to what is and is not acceptable when UAS operate in the national airspace.

When the Obama administration issued its Presidential Memorandum calling on NTIA to commence its UAS efforts, Juliana Gruenwald, press secretary for NTIA, said the goal was to come up with best practices related to privacy, transparency and accountability in commercial and private use of UAS. “The reason they looked to us to do that is we have a track record for driving these stakeholder-driven processes,” she says.

Previously, the NTIA led the effort for a privacy-related multistakeholder process focused on mobile apps. It is also working on a facial recogition privacy process. The multistakeholder process has also been useed by other groups for an industry that some believe the UAS world could someday rival: the Internet.

“We have been big champions of this tool of multistakeholder processes,” Gruenwald says. “The idea is that you have the stakeholders come up with the process and drive the solution.”

NTIA has championed the multistakeholder approach both internationally when it comes to Internet governance and domestically to enhance privacy and cybersecurity. In these multistakeholder processes, stakeholders develop and vet technical proposals before finalizing a course of action. The NTIA acts as a neutral convener by posing questions, gathering perspective and pushing the right buttons during the process to garner resolution towards a more realized end goal. When stakeholders disagree, NTIA’s role is to help the parties involved reach clarity on what their positions are and whether there are options for compromise toward consensus, the NTIA says.

Following the Presidential Memorandum issued in February, NTIA set up a call for public comment in March. While the NTIA process to date has completed three stakeholder meetings broadcast live from Washington, D.C., along with an evolving draft of best practices, the work on addressing the issue of privacy has, essentially, gone under the radar. But, the multistakeholder process could someday be viewed as the foothold for all future UAS-privacy discussions. Unlike other efforts of the NTIA related to facial recognition or mobile app privacy, this UAS work will not yield a code of conduct. Instead, stakeholders have been brought together to develop voluntary best practices that UAS industry members could adopt. Based on the range of participating stakeholders (and the range of participant perspectives) the issue of privacy is a long way from becoming clear. Several trends have emerged through the process, however. And, when the process is concluded, it is clear the topic of privacy, transparency and accountability will have been well-vetted.

Stakeholders’ View
When NTIA issued a call for comments and an invitation for stakeholders to participate in its efforts, more than 50 entities responded. “It’s been an interesting group compared to some of our past processes,” Gruenwald says. One of the past privacy efforts NTIA led was for cell phone app privacy issues. That group created a code of conduct that, if adopted by companies, opened up each firm to federal trade commission enforcement. The UAS effort will not yield such serious consequences. “For some of these people, it is a different process. The government isn’t driving the process, they are.”

The list of stakeholders involved in the process today, or have issued commentary to the NTIA in the past, is wide-ranging, from Amazon to major law firms to Tim McGowan, a comment provider who only offered a short statement and a home mailing address. McGowan’s comments, however short or stark when compared to the multi paged, professionally penned statements by others, seemed to highlight one of the main issues many of the stakeholders in the process pointed out early on in the process.

In providing his comments, McGowan wrote, “Just so long as I can shoot them [sUAVs] when they take pictures or photos of me, my family or my property I have no problem with them. I would also like to get paid when they travel across my property,” he said.

Brendan Schulman, writing from the perspective of a long-time UAS industry player and actual sUAV pilot (and not the legal counsel for DJI he is now), helped bring the comments and views of McGowan into a greater context. Should the UAS industry receive special privacy regulation or do current laws suffice? Does McGowan’s commentary mean UAS should require special attention?

“Physical intrusions that capture photography in inappropriate locations or to advance prurient interests are already largely addressed by state laws concerning stalking, unlawful surveillance, trespassing, peeping and similar civil and criminal provisions,” Schulman said.

James Grimsley, president of Design Intelligence LLC and the Oklahoma UAS chapter of the Association of Unmanned Vehicles Systems International, echoed Schulman’s stance on UAS-specific privacy rules. “Although a few of the privacy concerns are unique to UAS, most others are not. Often,” he said, “broadly applicable laws or rules already cover the perceived harm in question”

For Schulman and Grimsley, addressing the privacy concerns of many relative to UAS requires a look at what may make UAS technology unique and in need of new or specific rules. “I strongly believe it is important to focus the policymaking process on privacy harms the multi stakeholder participants determine are realistically unique to UAS technology and avoid imaginary harms that have no rational basis in reality, or that are already addressed by existing laws,” Grimsely said.

“An invasion of privacy achieved by use of a tripod and zoom lens is just as offensive as one achieved by use of a drone, and likely already prohibited,” Schulman said. “Thus, the focus should be on what differences, if any, render UAS technology subject to differing standards or use restrictions,” he said.

The differing standards should be based on the following: operational location of the UAS in places where manned aircraft cannot fly or do not typically fly; operational location of the UAS at altitudes below “navigable airspace” in places that raise actual privacy concerns; operations that involve persistent surveillance as opposed to the more transient nature of manned aircraft operations and data security issues when the captured data involves personally identifiable information of non-consenting persons.

Jill Bronfman, program director of the privacy and technology project at the University of California Hasting’s college of law, believes we need to redefine the legal privacy parameters and physical space perimeters to include aerial space. “To leave this space unregulated is to invite commerce in without safeguards for individual privacy,” she said.

A congressional hearing earlier this year debated the topic of reasonable aerial space privacy perimeters. Hearing members asked if privacy expectations were considered to span several feet above a property or if a drone hovering only inches above ground within the boundaries of a private property was still legal.

While few stakeholders have voiced concern over aerial privacy perimeter standards, many pointed to the data captured through UAV operations as a crucial topic in addressing the privacy issue. AUVSI spoke to data directly, saying, that, “…the real issue at hand is the collection, retention and sharing of data. There is no difference between an image taken from a two-pound sUAS, a manned helicopter or a large UAS flying in class A airspace. It’s the activity of collecting data that should be regulated as opposed to the platform doing the collecting,” they said.

Jerry Mohr, president of the Iowa Corn Growers Association voiced concerns about data collection in the agriculture sector. “We recognize that state and local governments may also find value in using UAS for designated governmental purposes,” he said. “However, any data incidentally collected by any government agency regarding private property must not be used for regulatory purposes against farmers and must not be able to be obtained by outside parties under a Freedom of Information request.”

To address the data issue, many stakeholders suggest a notice of operations model should be deployed. Bronfman said disclosure of information models should be utilized. Online service maps, posted notices, markings, warranties and warnings and even do-not-call lists should be created for individuals or entities in the flight path of UAV operations. Margot Kaminski, a UAS expert, believes a notice of use, notice of data collection and a notice of what data is collected when and how, should also be a standard practice for commercial UAS operators.

Although data collection and usage was a popular talking point commented on by the stakeholders, thus far, only one entity called out the stakeholder process itself like the New Jersey Institute of Technology Unmanned Aircraft Systems Working Group did. “Due to the significance of this new industry, many UAS-interested parties may be unable to provide well-informed comments because of the processes to establish governance and policy adhere to static and non-innovative administration,” the group said. The evolving nature of the technology behind the UAS industry makes creating policies through traditional means impractical, the group believes.

Because of the wide range of perspective and emphasis on various topics, only one stakeholder seemed to offer a relevant assumption suitable for all stakeholders. “It is important to be accepting of the fact that a single set of perspectives will not be appropriate for all jurisdictions,” said Matthew Bieschke, president of UAS America Fund LLC.

Best Practice
While the end-goal for the group is to create the best practices document, there is no timetable for its completion. Only the stakeholders will be able to define the outcome. To date, stakeholders have developed three draft proposals and are working to merge them into one document. Stakeholders will determine when they have reached consensus on a best practices document, NTIA has said.

The draft, at press time, is now in its second version. The 13-page draft includes seven principles that should be enacted. Although there is not timetable for the draft to be a completed document, it is clear that perspectives on UAS privacy are many and after this process led by the NTIA, the voices of many could be corralled into the larger belief of a single group. NTIA says it is convening an open, transparent process that aims to provide a framework to help stakeholders reach consensus.

Author: Luke Geiver
Editor, UAS Magazine
[email protected]


7 Best Practice Principals
Information from the best practices working draft as of October 2015.

1. Transparency: Exercising reasonable efforts to provide transparency for the collection and use of data. UAS operators should make a reasonable effort to identify UAS, provide prior notice that sensitive data may be collected and create data collection policy when incidental collection may occur. (Transparency principle not applicable to operators that use third-party data collectors or when land, property owners consent to data collection)

2. Purpose Specification: Specifying how collected data will be used no later than at the time of collection. UAS operators should make effort to specify purpose of UAS sensitive data collection at time of collection, avoid operation when data collection subject has reasonable expectation of privacy, and avoid persistent collection of sensitive data.

3. Data Minimization: Limiting collection and retention of sensitive data to that which needed to achieve specified purposes. UAS operators should make reasonable effort to prevent UAS from entering private property or airspace without prior consent, explain data retention period for sensitive data.

4. Use Limitation: Not using or sharing sensitive data for certain purposes. Commercial UAS operators commit to making reasonable and responsible use of sensitive data; share sensitive data as reasonable for those uses; sensitive data collected without consent may not be used for employment eligibility, promotion, retention, credit eligibility or health care treatment; avoid using data for marketing, generally avoid sharing data with law enforcement.

5. Individual Participation: Facilitating informed and reasonable choices to data subjects regarding the collection, use and retention of sensitive data. UAS operators should offer data subjects reasonable means to review sensitive data and make sure data remains accurate.

6. Security: Exercising reasonable efforts to secure collected and retained data. Commercial operators should employ reasonable administrative, physical and technical safeguards to protect sensitive data.

7. Accountability: Establishing internal accountability controls to ensure compliance with privacy policies and laws. Establish process for receiving privacy, security or safety concerns, identify individuals to oversee compliance with laws.