09 April 2013

Drone Disclosure

Reading Congressman Markey's 'Drone Aircraft Privacy and Transparency Bill' [PDF], ie a proposed statute
To amend the FAA Modernization and Reform Act of 2012 to provide guidance and limitations regarding the integration of unmanned aircraft systems into United States airspace, and for other purposes. 
The statute would not apply to "model aircraft".

The Bill notes that
Unmanned aircraft systems [government, commercial, and recreational unmanned aircraft systems] have traditionally been used almost exclusively overseas by military and security organizations; however, State and local governments, businesses, and private individuals are increasingly using unmanned aircraft systems in the United States, including deployments for law enforcement operations.
As the technology advances and the cost decreases—unmanned aircraft systems are already orders of magnitude less expensive to purchase and operate than piloted aircraft—the market for Federal, State, and local government and commercial unmanned aircraft systems is rapidly growing.
It has been estimated there could be as many as 30,000 unmanned aircraft systems in the sky in the United States by 2020.
There will no doubt be many beneficial applications of this technology, for as Secretary of Transportation Ray LaHood said in a statement on March 7, 2012, ‘‘Unmanned aircraft can help us meet a number of challenges, from spotting wildfires to assessing natural disasters.’’.
However, there also is the potential for unmanned aircraft system technology to enable invasive and pervasive surveillance without adequate privacy protections, and currently, no explicit privacy protections or public transparency measures with respect to such system technology are built into the law. 
Federal standards for informing the public and protecting individual privacy with respect to unmanned aircraft systems are needed.
Indeed.

The legislation would accordingly  require the Secretary of Transportation, in consultation with the Secretary of Commerce, the Federal Trade Commission and the Chief Privacy Officer of the Department of Homeland Security, to undertake a study that identifies "any potential threats to privacy protections posed by the integration of un-manned aircraft systems into the national airspace system, including any potential violations of the privacy principles". It characterises ‘privacy protections’ as protections that relate to the use, collection, and disclo- sure of information and data about individuals and groups of individuals, with ‘privacy principles’ meaning the principles in the Organization for Economic Co-operation & Development guidelines ‘Annex to the Recommendation of the Council of 23rd September 1980: Guidelines Governing The Protection Of Privacy And Transborder Flows Of Personal Data’ (1980).

The legislation would  prohibit the Secretary of Transportation from approving, issuing, or awarding "any certificate, license, or other grant of authority to operate an unmanned aircraft system in the national airspace system" unless the application for such authorisation includes a "data collection statement"  that provides reasonable assurance that the applicant will operate the drone in accordance with the privacy principles.

The data collection statement is to include information identifying
1) the individuals or entities that will have the power to use the unmanned aircraft system; 
2) the specific locations in which the un-manned aircraft system will operate; 
3) the maximum period for which the un- manned aircraft system will operate in each flight; 
4) whether the unmanned aircraft system will collect information or data about individuals or groups of individuals, and if so—
A) the circumstances under which such system will be used; and
B) the specific kinds of information or data such system will collect about individuals or groups of individuals and how such information or data, as well as conclusions drawn from such information or data, will be used, disclosed, and otherwise handled, including— 
(i) how the collection or retention of such information or data that is unrelated to the specified use will be minimized; 
(ii) whether such information or data might be sold, leased, or otherwise provided to third parties, and if so, under what circumstances it might be so sold or leased; 
(iii) the period for which such information or data will be retained; and 
(iv) when and how such information or data, including information or data no longer relevant to the specified use, will be destroyed
 5) the possible impact the operation of the unmanned aircraft system may have upon the privacy of individuals; 
6) the specific steps that will be taken to mitigate any possible impact identified under paragraph (5), including steps to protect against unauthorized disclosure of any information or data described in paragraph (4), such as the use of encryption methods and other security features that will be used; 
7) a telephone number or electronic mail address that an individual with complaints about the operation of the unmanned aircraft system may use to report such complaints and to request confirmation that personally identifiable data relating to such individual has been collected; 
8) in the case that personally identifiable data relating to such individual has been collected, a reasonable process for such individual to request to obtain such data in a timely and an intelligible manner;  
9) in the case that a request described in paragraph (8) is denied, a process by which such individual may obtain the reasons for the denial and challenge the denial; and 
10) in the case that personally identifiable data relating to such individual has been collected, a process by which such individual may challenge the accuracy of such data and, if the challenge is successful, have such data erased or amended.
A data minimization statement regarding a drone operated by a law enforcement agency, contractor, or subcontractor will detail applicable policies (backed by audit and oversight procedures) adopted by those entities that
  • minimize the collection by the un-manned aircraft system of information and data  unrelated to the investigation of a crime under a warrant;
  • require the destruction of such information and data, as well as of information and data collected by the unmanned aircraft system that is no longer relevant to the investigation of a crime under a warrant or to an ongoing criminal proceeding; and
  • establish procedures for the method of such destruction.
Sensibly, the Bill provides that the FAA shall make available on [its] site in a searchable format
1) the approved certificate, license, or other grant of authority for each unmanned aircraft system awarded a certificate, license, or other grant of authority to operate in the national airspace system, including any such certificate, license, or other grant of authority awarded prior to the date of enactment of this section; 
2) information detailing where, when, and for what period each unmanned aircraft system will be operated;  
3) information detailing any data security breach that occurs with regard to information collected by an unmanned aircraft system; and 
4) in the case of a certificate, license, or other grant of authority awarded on or after the date of enactment of this section to operate an unmanned aircraft system in the national airspace system, the data collection statement … and, if applicable, the data minimization statement.