In previous postings, I have lamented the misplaced actions and inaccurate commentary concerning privacy matters that amount to, in essence, fear mongering. In other words, when a new technology or maybe a business practice arises that people do not understand or maybe just don't quite like, they cry wolf citing invasion of privacy as a reason to forestall the use of such technology. Or, possibly worse, these actions throw up obstacles to an open dialogue on the merits of the technology or novel business practice. To be sure, this is nothing new and hardly unique to privacy matters. However, it can be counterproductive to say the least, and distracts attention being given to true privacy issues that require careful thought, vigilance and advocacy.
This past week, I had the pleasure to again moderate a panel discussion on privacy and compliance at the Unmanned Aerial Systems Conference here in Dayton, Ohio. It is a three day event with an amazing diversity of unmanned aerial vehicles ("UAVs") and related technologies on display. To be sure, you will find the military and the defense industry represented well, but what really strikes you is the amount of activity in the non-military sectors. Indeed, UAVs are being used for everything from filming movies, to monitoring traffic patterns, to filming practices by sports teams, and even monitoring agricultural issues. You need not got to a specialized conference like this one to find out about the UAV impact, as we all have heard about Amazon's proposed use of UAVs to deliver products to your doorstep. As with any emerging technology, there are lots possibilities and lots of unknown risks to be managed. Indeed, the Federal Aviation Administration has yet to issue rules on the use for commercial or private UAVs based on concerns for risks such as airworthiness, safety, and yes, privacy. The agency's rules are expected next fall.
My experience at the conference reminded me about the tightrope walking effort that comes from trying to be cognizant of valid privacy concerns stemming from the seemingly endless assault by new technology and being a roadblock to progress (and new business) with these amazing technologies. I think UAVs are yet another example of this perfect storm where privacy concerns can get in the way of a proper discussion on the benefits and risks of any technology. I also UAVs provide another great example of the impact of the "law of perception" as equal to, if not greater than, the actual law itself. With that in mind, let's review what the realities of law are when it comes to UAVs and privacy. For the purposes of at least the next several points, we will assume the UAVs in question have the capabilities to film and record audio in addition to flight.
Like it or not, as far as it goes with the government and surveillance of individuals, the law is pretty well established when it comes to open or public spaces. Individuals have little to no expectation of privacy in public places or even areas of their own property which are clearly visible to others off their property. Under the Fourth Amendment, which protects individuals against undue search and seizure by government actors (e.g., police, FBI), the case law generally holds that individuals have no reasonable expectation of privacy in such cases. In short, if someone can view you and your actions or hear your words in such places, you cannot claim a reasonable expectation of privacy over those actions or those words. Case law has held that someone does not have an expectation of privacy in the air space over their house or even in the "open fields" of their property.
Likewise, the relevant privacy torts of intrusion upon seclusion or disclosure of private facts require the establishment of a highly offensive intrusion into an expectation of privacy that the average person would expect to have. We all would expect privacy in our home, or in our bedroom. It is hardly the same to say we all would expect privacy in public places. One cannot claim that someone intruded upon their seclusion by taking his picture when he was standing in his front yard visible from a public street. Likewise, if someone were overheard screaming at her boyfriend on the porch of a house by another on the street or in a yard next door, she could not reasonably have an expectation of privacy over the contents of that discussion. Likewise, if someone saw or viewed these things and then turned and disclosed them to another person, such a disclosure would not constitute a disclosure of private facts as those facts ceased to be private when shared by virtue of being in a front yard with a public exposure or being at the top of one's lungs on the front porch.
Consider now that the viewing of one's front yard was captured by a UAV or the number of cattle a rancher has on his property was acquired by a UAV hovering over his pastures? Does this constitute an intrusion upon seclusion or a disclosure of private facts? Generally speaking, the legal answer is no. Whether the information was collected by a person, or by the computers or camera on board a UAV, the information is not private information once disclosed primarily because no one could reasonably claim what occurs in their front yard is strictly private nor are the cattle wondering around someone's open air pasture to truly private.
Now, you are probably thinking, "Come on Scot, it is not that simple when it comes to UAVs, as they can do amazing things (you just said as much at the beginning of this article)." I would agree. In any of the examples above, if you introduced infrared cameras which can access information through walls or other sensing technologies, the standard for an expectation for privacy may change (and should). Or, if you considered how quiet UAVs can be, their ability to pick up audio from considerable distances, or the ability to quickly link data collected to data stored on other databases, the expectation may also change. At a minimum, the "highly offensive" standard for an intrusion into a reasonable expectation of privacy might be met.
Remember, I was speaking to where the law has stood until now. The reality is that technology is changing, albeit slowly, what a reasonable expectation of privacy is in the courts of our country. We saw evidence of this fact this summer with the Supreme Court of the United States ruling that individuals do have an expectation of privacy over the contents of their cell phone, even when they are under arrest. Citing the reality that cell phones can store gigabytes of data, representing years of activity and that data can be linked to many other data sources, the Court said police cannot justify the searching of such a phone to ensure that evidence is not destroyed or for purposes of protecting an officer's safety. Furthermore, the Court noted that everyone has a cell phone, many keeping that phone close to their person throughout the day. A year before that, the Court ruled that the use of a GPS tracking device on a suspect's car to track his location throughout the day was an illegal search and thus an invasion of the suspect's privacy - and that was with him driving all over town - in public! My point is the expanded reach provided by technology has changed the discussion when it comes to an expectation of privacy and protecting that expectation under the law. This all said, the bottom line is that using UAVs and any associated technologies to film or record events transpiring in public is perfectly legal. Use of a UAV can arguably have no more of an impact on privacy than your nosey neighbor.
The benefit of case law, however, is that each decision considers a specific set of facts, within a specific context and (usually) has experts or people with practical knowledge of those relevant facts and context involved arriving at any holding. However, this is not always the understanding in the public discourse. And, in many cases, this is not the "angle" taken in news coverage. This is where the "law of perception" comes into play. Simply put, the actual law may support everything your business or your product does. However, there may be something about either that just does not pass the "smell test" of the average consumer or the 20-second sound bite. The UAV is a perfect example of how the law of perception can impact, if not impede, progress with a technology or advancement of a constructive dialogue about any privacy implications. Whether people confuse UAVs with the weaponized drones over Pakistan, or worse, used on houses in the U.S. or think UAVs are only used by the NSA to surveil citizens, misinformation has had a very real impact on the progress made with new products and services in this industry. In my opinion, because of what I have just discussed, it is the law of perception right now that poses a greater challenge to UAV use on the basis of privacy or maybe safety, than actual law.
People are nervous because they do not understand the purpose(s) of UAVs in the United State or the intended purpose of any proposed implementation. I do not necessarily blame them. It is a critical point and one that is not unique to UAVs when it comes to privacy or information use, in general. Companies must work to be proactive in communicating their products and services' information privacy and security capabilities. Whether it is contracting with customers, managing employees, subcontracting services or dealing with the media, the companies that account for privacy and security up front will proactively cut off roadblocks to moving forward with their products and services and they will be in a better position to respond and manage the fall-out should there be a privacy or security issue down the road.
With this in mind, here are some (non exhaustive) best practices for accounting for privacy and security in business.
- Know the rules. Take time to understand what laws impact the use of personally identifiable information, and how your product or service can comply.
- Know your product. Know what information it collects, stores, transfers and deletes. The best way to do this is to regularly complete Privacy Impact Assessments ("PIAs") for new products or changes to existing products.
- Establish your own rules. With knowledge of the law, your product's capabilities and the purpose for which you are in business, establish your own rules or limits for what your products, services and company will and won't do with personally identifiable information. In general, the law is a floor for compliance. There is nothing stopping you from being more restrictive, especially when trying to improve privacy and security practices.
- Build privacy in. Using your PIA as a road map, build configurable privacy and security functionality into your products. Such functionality can include controls on what information fields are allowed to be collected, how much data is stored and for how long, the use of encryption or de-identification, and how, if at all, your product will share information with third parties.
- Be transparent. In all aspects of your business plan, be transparent when it comes to information privacy and security. Make sure your employees understand your policy by providing the policies and training your employees and contractors regularly. Make sure your business partners, vendors and subcontractors understand your privacy and security policies by including clear provisions in your agreements. Most of all make sure your customers clearly understand what you do and don't do with personally identifiable information.
While there are no guarantees in business, to include the law staying the same or the general public being educated on the facts, there are things you can do to be proactive in managing actual compliance and with dealing with the "law of perception." Privacy will always be used as a sales prevention tool and as a rallying cry of wolf to cloud real issues. The best thing you can do is have a plan and a message for your business, and stick to both.
