An industry-dominated “multistakeholder process” convened by the Commerce Department recently produced a set of voluntary privacy “best practices” for commercial drones that are so riddled with exceptions and vague language that companies could engage in all sorts of practices that would violate the public's privacy expectations, while still claiming to comply with these guidelines.
The idea of the process was to produce a set of voluntary best practices to ensure that commercial drone use protects privacy rights. It was convened at the direction of President Obama in an executive order on drone privacy that he issued in February 2015.
Last month, before the document was finalized, we, along with the Electronic Frontier Foundation and Access Now, urged the corporate participants to make a clear commitment to actual best practices, rather than a weak document designed primarily to ensure maximum flexibility in what companies can do with drones. We proposed a set of changes to the document’s language that would have strengthened it enough to allow us to endorse it. Unfortunately, these changes were rejected.
Why won’t Amazon and other industry players in the drone space make a clean commitment to good privacy practices when it comes to drones? To take just one example, I think one thing most Americans would definitely not want to see companies doing with their drones is engaging in persistent and continuous surveillance of people without their consent. Yet this industry-led draft says the best practice is to avoid doing that “in the absence of a compelling need to do otherwise.” A compelling need? What is that? Is Amazon planning to engage in such surveillance with its delivery drones? If not, why wouldn’t it agree to a more straightforward statement? There were a lot of industry players, so I don’t mean to pick on Amazon. Except actually I do, because apparently that company led the meeting negotiations for industry on what turned into the final product.
Perhaps one could dream up scenarios where a company engages in persistent, continuous surveillance of people without their consent, in a way that nobody would find objectionable. I’m not sure what that scenario would look like, but that certainly wouldn’t be a best practice, and the inclusion of such language is far more likely to be abused than to cover such a remote eventuality.
Other areas where we thought the documents language was too weak were around issues such as consent, the collection of data where people have a reasonable expectation of privacy, the sharing of data with third parties, and data retention. We spell out these and other problems in our letter. As it now stands, the document shows more promise as a corporate consciousness-raising document than an assurance that any complying company isn’t doing anything objectionable.
Any company that is operating drones should certainly comply with the practices laid out in this document. But doing so represents the very bare minimum of what companies should do on privacy, not best practices. The NTIA should reject this document, and discussions in the multi-stakeholder process should continue until adequate privacy protections can be included.