ACLU Submits Comments to the FAA Urging Increased Privacy Protection at Drone Test Sites

The ACLU today submitted comments to the FAA on the agency’s incorporation of privacy into its drone “test zones” program. (You can read our comments here.) Through the FAA Modernization and Reform Act of 2012, Congress has required the FAA to develop a plan for incorporating drones into the national airspace, including the establishment of six test sites where such integration can be tested. The FAA has faced delays on the establishment of the test sites, which the FAA has attributed to privacy issues that have, until now, gone unaddressed. So on February 14, 2013, the FAA published proposed privacy requirements for test site operators. The ACLU’s comments on those proposed requirements commend the FAA’s effort to focus on privacy impacts, while also advocating for more meaningful protections.

We’ve recommended four primary changes to the FAA’s proposed rules:

1. The FAA should require strict adherence to the FIPPS. The FAA has proposed that the privacy policies governing the use of drones at these test sites “should be informed by the Fair Information Practice Principles” (FIPPs). That’s great news—the FIPPs are a smart and time-tested framework for addressing privacy risks. But the language here is too soft—to be “informed” by something simply means to be based on a general understanding of that thing. This gives site operators the discretion to pick and choose which privacies they want to protect and which they feel are not “informed” by the FIPPS. We believe it is critical that the FAA strengthen the language employed in the rule to ensure the principles are followed rather than merely considered.
2. Develop a required minimum privacy policy based on the FIPPs for adoption at the test sites. The proposed privacy policy is definitely a step in the right direction, but the ACLU wants to make sure that it lands on firm ground. By establishing a baseline privacy policy to which all test site operators must adhere, the FAA can safeguard the privacy rights of everyone who happens to live in or near one of the selected test sites. In our comments, we suggest that the FAA develop an actual, concrete policy based directly on the eight FIPPs. This policy would act as a floor and would govern each of the test sites, ensuring that minimum privacy protections are put in place while giving site operators the latitude to establish additional protections as needed.
3. Ensure that appropriate oversight is in place to monitor compliance with the final rule, including independent audits and community involvement. A major gap in the proposed rule is that it doesn’t provide for any actual enforcement of privacy commitments other than self-regulation. This is certainly not ideal. The ACLU asks that the FAA audit the test sites to ensure compliance with the baseline privacy policy. In addition, we ask the FAA to let people in the test zones help. By allowing for citizen involvement, concerned members of the public can participate in oversight. This requires the sites to publish the privacy policies and to create a right of access to their records to the public.
4. Incorporate privacy expertise as a criterion. Finally, the FAA should choose the sites based, at least in part, on whether the test site operator has any experience with privacy issues. If they have a record of violating privacy, that should count against them. And if they have a stated interest in researching privacy impacts and the ethical implication of surveillance, that should count in their favor. In addition to examining their privacy record, the FAA should also pick at least one test site near a densely populated urban area. Rural privacy and urban privacy are different issues, and both need to be tested.

We think it’s very promising that the FAA is thinking about privacy and using the FIPPs. But in order for this effort to be effective, they need to make sure compliance with the FIPPs is required and that test site operators are held accountable for their actions. We hope the FAA integrates our feedback into their final rule, and we’ll keep you informed as the rulemaking continues.