The Privacy Advisor | Drones and privacy? DHS is way ahead of you



They are now seemingly ubiquitous: drones for professional photographers, for prescription delivery, for assessing the impact of natural disasters or monitoring our borders, and for some government agencies, providing situational awareness to keep the public, the police, and soldiers out of harm’s way.

Playing catch-up, society is now grappling with where and when surveillance-capable unmanned aircraft should appropriately be deployed. Just this week, the Federal Aviation Administration released information on every drone operator it has fined so far, and there is legislation pending in the United States that would establish guidelines for drone use and identification, and address the patchwork of local and state laws that have already popped up in various parts of the country.

And that bill, the FAA Reauthorization Act, does have privacy provisions within it. Specifically, all drone operators would have to post a privacy policy detailing how their drones collect and disseminate information. Of course, privacy advocates have complained that it’s difficult to know where to find said privacy policy when a drone is hovering a hundred feet above your head.

However, those looking for guidance on how to integrate privacy into a plan for drone deployment don’t have to wait for legislation to be passed. Already, the U.S. Department of Homeland Security has published “Best Practices for Protecting Privacy, Civil Rights, and Civil Liberties in Unmanned Aircraft Systems Programs,” a relatively concise 11-page document that generally applies the FIPPs to the use of unmanned aircraft systems technology (drones are often referred to as UAS, or UAVs, for unmanned aerial vehicles).

For example, be transparent about the purpose of the drone use. Conduct a privacy impact assessment. Limit collection, use, and dissemination of data.

You get the idea. This is basic privacy blocking and tackling. And yet, as DHS Chief Privacy Officer Karen Neuman noted in an interview with The Privacy Advisor, “in looking around, it became pretty clear that there wasn’t much guidance on the topic.”

But there was a need for it. For example, although President Obama’s February 2015 memorandum “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems” requires “state, local, tribal, and territorial government recipients of federal grant funding for the purchase or use of UAS for their own operations to have in place policies and procedures to safeguard individuals' privacy, civil rights, and civil liberties,” the memorandum does not specify what should be included in those policies.

Grant recipients, being the sorts of people who are used to following rules, were asking where to look for guidance on how to deploy these things.

Often seen as the gold standard on privacy issues within the law enforcement community, the DHS Privacy Office found itself with nothing to point to other than a 2013 PIA specific to Customs and Border Protection’s use of sensor technologies on aircraft.

Hence the DHS Privacy, Civil Rights & Civil Liberties Unmanned Aircraft Systems Working Group, originally convened in 2012 and now headed up by Neuman, Officer for Civil Rights and Civil Liberties Megan Mack, and Deputy Commissioner of Customs and Border Protection Edward Young. “Before we put words on paper, there’s a lot of engagement that takes place through the working group,” Neuman said. The group engaged with various federal agencies to look at use cases and budget constraints, talked with state and local law enforcement and first responder groups, and just generally listened to both arguments for why the technology is vital to the public interest and what the concerns were about privacy and civil rights violations that might unintentionally or unwittingly occur.

The aviation community was consulted. The general public weighed in. Everything written on the subject by the ACLU, EPIC, and the like, was “devoured.” Those with operational duties within Homeland Security were grilled on what actually happens in the field.

“Just like it is advisable to bake privacy into a system at the outset to avoid having to retrofit later,” said Neuman, “you also don’t want to go back and revisit significant questions in a process like this because you failed to engage with stakeholders or other experts.”

One of the most important parts of the task was simply documenting what had already been done. “It was necessary to examine the department’s use of the technology and be transparent about that,” Neuman said. “The value of transparency as a privacy protection cannot be overstated.”

With that done, it was time to get writing. “Generally, technology evolves by the millisecond, so it is unwise to try to craft laws or regulations that purport to anticipate what the technology is going to be,” Neuman said. “So what the privacy office did in this case, as it has in other cases, is generally apply the FIPPs framework to help assess what the privacy risks might be and try to mitigate them, and do so fairly effectively in a way that’s technology neutral. Others have gotten into a lot of trouble trying to link a particular privacy framework to a particular technology.”

In fact, most of the UAS best practices could apply to other technologies as well without too much editing. Yes, unmanned aircraft was front and center, but the FIPPs are a useful framework with which to simply put forward general privacy principles to a community that might be considering some of these issues for the first time, thanks to their interest in drones. 

Of course, the best practices are not proscriptive. They don’t carry regulatory weight.

“We can’t tell people what to do,” Neuman allowed. “We can’t enforce implementation of the best practices, but they’re written in a way that’s very clear, and many of the considerations and recommendations are common sense.” 

Each person who considers implementing these best practices will have to do so while keeping in mind their own budget, training, staffing and other considerations.

“Government agencies operating UAS want to do it right,” Neuman said. “They want to abide by the laws and do the job they’re expected to do.” With privacy, sometimes it’s not a question of wanting to provide protections, but knowing exactly what the issues are and where they can find possible solutions. These best practices offer a handy way to bring up the topic and do some quick education. “Even though these best practices are intended for DHS and our local, state, and federal government partners and grantees,” as the report’s authors note in their introduction, “the private sector may also find these recommendations valuable and instructive in creating their unmanned aircraft system programs.”

As the industry awaits new law in this area, it’s fair to wonder whether regulators might take note as well.

Photo credit: IMG_2149 via photopin (license)

