The Rules of the Sky

The FAA is making progress on drone regulations, but privacy protections still aren’t adequate.

Photo: Drone vs. Cow. Courtesy Mauricio Lima/Flickr

The Federal Aviation Administration finally announced its proposed rules for small commercial drones (those under 55 pounds) on Feb. 15. The proposed rules are considerably less stringent than expected. With the practical hurdles for commercial drone flight plummeting, it is time to turn our sights in earnest toward the privacy problem.

On Valentine’s Day 2012, the president signed the FAA Modernization and Reform Act, which, among other things, tasked the FAA with integrating small drones into the national airspace system. The FAA was supposed to have a final rule in place by August 2014 but was repeatedly described as lagging far behind. In November, several news outlets reported that the FAA had finally devised a set of rules for small drones. Those rules were sent to the White House for review. But the proposed rules were rumored to be strict, failing to distinguish between different sizes of drones under 55 pounds, and requiring operators to “have a license, and limit flights to daylight hours, below 400 feet and within sight of the person at the controls,” according to the Wall Street Journal.

The actual rules that came out this year—an almost perfect three years after the FAA was tasked with addressing drones—are less stringent than expected and include room for at least one significant loophole for microdrones under 4.4 pounds. Yes, drones will need to be flown within an operator’s eyesight and can’t climb above 500 feet. They cannot be flown over people. But the FAA has clarified that the license required for commercial small drone operations would not be a commercial pilot license, but a special “UAS operator certificate,” which will be far easier to obtain. (It will also be relatively affordable—the cost is anticipated to be less than $300.) Small drones would not need to meet strict airworthiness standards, as feared. Moreover, the FAA has called for comments on the possibility of a “micro” UAS rule, for drones under 4.4 pounds, probably based on an industry proposal that such drones be treated with an even lighter regulatory hand. (Bad news for Amazon, though: Drones still can’t drop objects.)

All of this is probably good news for drone innovation, although it could still take years before the rules will be finalized. (Anybody who wants to participate in rule formation by commenting should keep an eye on when the rules are formally published, which will start the clock ticking on the comment process.) In the meantime, most commercial drone use will remain banned. Until the rules are finalized, the FAA will continue to permit commercial drone flight only through its current relatively ad hoc process.

But what about privacy? Drones—including small drones, and especially those driven by commercial motives to voraciously gather all kinds of information—can pose significant privacy threats. They see from new vantage points, they are far lower-cost than older aerial technologies, and they can move over boundaries that otherwise protect activity from sight. These are only a few reasons why drones have been predicted to be a “privacy catalyst”—the drivers of robust discussions about the enactment of new privacy regulations.

The FAA has very little to say about privacy, which might not be surprising. It is primarily an agency concerned with aircraft safety. When the Electronic Privacy Information Center, a public interest group focused on privacy policy, petitioned the FAA in 2012 to address the threat from drones to privacy and civil liberties, the FAA responded that it “prioritizes its rulemaking projects based on issues that are crucial to the safety of the aviation community and the traveling public.” Similarly, in the required privacy impact assessment that accompanied the FAA’s draft drone rules, the FAA acknowledged privacy concerns over drone operations but pointed elsewhere for legal solutions.

The FAA pointed to two possible solutions for drone privacy violations: a consensus process just announced by the president that will be led by the National Telecommunications and Information Administration, and “state and other legal protections that protect privacy.” On the same day the FAA announced its small drone rules, Obama issued a presidential memorandum on “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems.”

The president’s memorandum is tantamount to marching orders to federal agencies on privacy, and those orders are significant. They address purposive data collection (data may be collected by an agency only when it is “relevant to an authorized purpose”); data retention (how long data is kept: generally, 180 days); and civil rights and civil liberties protections (agencies must not violate the First Amendment or discriminate against people based on ethnicity, race, gender, or national origin). The memorandum also requires systems of oversight, transparency about drone use, and reports to the president about implementation of these orders. There are places where the orders could be stronger, and Congress may decide that the executive branch shouldn’t go it alone, but they are a big improvement over the current status quo of no regulation.

The second half of the memorandum matters for both commercial and private drone use. With additional shout-outs to the importance of economic growth, the memorandum establishes “a multi-stakeholder engagement process to develop and communicate best practices for privacy, accountability, and transparency issues regarding commercial and private UAS use.” The president ordered the Department of Commerce, through the NTIA, to initiate this “multi-stakeholder engagement process” on commercial and private drone use by May 15.

But this process is inadequate. First, best practices are voluntary. Best practices are enforceable by the Federal Trade Commission once they’re adopted by a company. But the scope of the FTC’s enforcement power outside of voluntarily adopted privacy policies is currently being legally challenged. A related problem is that in a new industry—especially a new industry filled with small actors and especially where the users to be courted are not the people whose privacy is at stake—getting people to adopt best practices will be challenging. Third, a multi-stakeholder process can have many benefits, but it inherently implies compromise. There is a risk that industry involvement will dominate a multi-stakeholder process at the expense of individuals harmed by drone privacy violations. And finally, the president’s framing of the problem—as balancing economic growth against privacy violations—is not conducive to a pro-privacy outcome.

So what is left for possible privacy regulation of commercial and private drone use? The FAA’s requirement that drones not be flown directly over people may help for now, but privacy violations can occur even when drones are not directly overhead. Aerial photography can be and is performed at oblique angles, so although a person’s safety might be protected by an overhead flight rule, her privacy won’t be. We could hope that Congress steps in, but Congress is unlikely to do much of anything right now. We may then, as the FAA suggested, end up relying on state privacy regulations. A number of state privacy laws might apply to drone privacy harms, and a few states—Texas, Wisconsin, Oregon, some others—have enacted drone privacy laws.

Each approach has its pros and cons. The Texas law probably violates the First Amendment, because it prohibits even newsgathering uses of drones, isn’t tailored to any expectations of privacy (unless this gets read into the law by a court), and contains significant carve-outs for a number of lobbying interests. The Oregon law takes a trespass approach, which is probably fine under the First Amendment but has significant limitations because privacy violations can occur, using sense-enhancement technology, even when a drone is not technically trespassing into private airspace. The Wisconsin law is likely to be the most successful against a First Amendment challenge while also promoting privacy, hinging on whether the subject of surveillance has a reasonable expectation of privacy. These state laws almost definitely will encounter First Amendment challenges, but if the FAA is to be taken at face value, they may be our last best defense against drone privacy violations. It might soon be time to move to Wisconsin.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.