The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


2 Comments

Before Liftoff, Drones Must Maneuver Through Privacy Laws

Unmanned aerial vehicles, better known as drones, are expected to revolutionize the way companies deliver packages to their customers.  Some also imagine these small aircrafts delivering pizzas to a customer’s home or nachos to a fan at a ballgame.  Researchers are even investigating the possibility of using drones to assist farmers with monitoring their crops.  Before drone technology takes flight, however, it will have to maneuver through privacy laws.

The Federal Aviation Administration (FAA) is the agency charged with developing rules, including privacy rules, for private individuals and companies to operate drones in national airspace.  While the precise breadth of FAA rules is not entirely clear, a framework is beginning to develop.  When the FAA recently announced test sites for drones, it also noted that test site operators must: (1) comply with existing federal and state privacy laws, (2) have publicly available privacy policies and a written plan for data use and retention, and (3) conduct a review of privacy practices that allows for public comment.  When soliciting the public for comment on these test site-privacy rules, the FAA received a wide spectrum of feedback.  This feedback ranged from suggestions that the agency must articulate precise elements of what constitutes a privacy violation, to the federal agency was not equipped (and therefore should not attempt) to regulate privacy at all.  It appears that the FAA settled on a middle ground of requiring drones to comply with existing privacy law, which is largely regulated by individual states.

Accordingly, state privacy laws are likely to be the critical privacy hurdle to commercial drone use.  It appears that only four states have thus far expressly addressed the use of private drones (as distinguished from drones used by public agencies, such as law enforcement).  Idaho and Texas generally prohibit civilians from using a drone to take photographs of private property.  They also restrict photography of any individual – even in public view – by such a drone.  And Oregon prevents drones from flying less than 400 feet above a property of a person who makes such a request.  The fourth state, Illinois, restricts use of drones that interfere with hunting and fishing activities.

As for the other states, they may be simply getting up to speed on the technology.  On the other hand, many of these states have considered or enacted laws restricting use of drones by the police.  Because these laws are silent on the use of private drones, one could argue that these states intentionally chose not to regulate private drones (and accordingly, existing laws regarding use of aircrafts or other public cameras, govern use of private drones).

Even though a state has passed a drone-related privacy law, it may very well be challenged on constitutional or other grounds.  For instance – to the extent they prohibit photography of public areas or objects and people in plain view – the Idaho and Texas laws may raise First Amendment questions.  As described in Hurley v. Irish-American, photographers generally receive First Amendment protection when taking public photos if he or she “possessed a message to be communicated” and “an audience to receive that message, regardless of the medium in which the message is to be expressed.”  Under this test, in Porat v. Lincoln Towers Community Association, a photo hobbyist taking pictures for aesthetic and recreational purposes was denied First Amendment protection.  In contrast, in Pomykacz v. Borough of West Wildwood, a “citizen activist” – whose pictures were taken out of concern about an affair between a town’s mayor and a police officer – was found to have First Amendment protection.  To be sure, however, the Supreme Court has acknowledged that “even in a public forum the government may impose reasonable restrictions on the time, place, or manner of protected speech, provided the restriction are justified without reference to the content of the regulated speech, that they are narrowly tailored to serve a significant governmental interest, and that they leave open ample alternative channels for communication of the information.”  For example, under this premise, some courts have upheld restrictions on public access to crime and accident scenes.  All told, we may see drone users assert First Amendment protection for photographs taken of public areas.

Another future legal challenge may involve the question of who owns the airspace above private property.  In United States v. Causby, the Supreme Court appeared to reject the idea of private ownership of airspace.  More specifically, it held that government aircrafts flying over private land do not amount to a government “taking”, or seizure of private property, unless the aircrafts are so low and frequent that they constitute an immediate interference with enjoyment of the land.  In other words, under Causby, the landowner owns the airspace necessary to use and enjoy the land.  But the Court declined to draw a specific line.  At the moment, it is unclear whether Oregon’s law – restricting drones within 400 feet of a home – is consistent with principle.

Lastly, we may see a legal challenge asserting that certain state privacy laws (such as the Idaho or Texas law or others that disallow drone use altogether) are preempted, or trumped.  Congress’s intent to impliedly preempt state law may be inferred (1) from a pervasive scheme of federal regulation that Congress left no room for the states to supplement, or (2) where Congress’s actions touch a field in which the federal interest is so dominant that the federal system will be assumed to preclude enforcement of state laws on that subject.  Applied here, one could argue that Congress has entrusted the FAA with sole authority for creating a scheme for regulating the the narrow field of national airspace, and drones in particular.  Additionally, the argument goes, the federal government has a dominant interest in regulating national airspace as demonstrated by the creation of the FAA and numerous other aircraft regulations.  Under the preemption line of reasoning, state privacy laws may be better focused on regulating data gathered by the drone rather than the space where the drone may fly or actions the drone may take while in the space (e.g. taking pictures).

All told, before official drone liftoff, companies employing drones will have to wait for final FAA rules on privacy.  Whether these final rules track the test site rules discussed above is not for certain.  Likely, the final rules will depend on the public comments received by the drone test sites.  Assuming the final rules track the test site rules, companies using commercial drones should focus on compliance with the various state privacy laws.  But, as noted above, we may see a constitutional challenge to these laws along the way.  Stay tuned.

Advertisements


Leave a comment

Privacy – Transparency and the Push to Convert the U.S. Government to the “Cloud”

Have you thought about how many government agencies are transitioning to cloud computing, and what that means for privacy concerns?  The White House released a “25 Point Implementation Plan to Reform Federal Information Technology Management” in December 2010 that advocates a shift to a “cloud first” policy for all agencies. This is after the GAO observed in June 2010 that although “OMB launched a cloud computing initiative in 2009” it “does not yet have an overarching strategy or implementation plan.” The OMB IT Dashboard suggests that numerous federal agencies (perhaps over 100) are pushing to build in cloud computing functions, including. the General Services Administration and the  Department of Health and Human Services.
 
In contrast to the hype surrounding the cloud, NIST’s recently published draft Guidelines on Security and Privacy for government use that provides detailed commentary on key cloud computing concerns, including: cloud system complexity; the shared multi-function environment; and internet-exposure that increases vulnerability to internet attacks such as botnets. Notably, the NIST reported that although the city of Los Angeles made news in 2009 (see, e.g. articles here, here, and here and mention in this report) when it announced it was shifting its email servers to Google’s cloud, the system has not lived up to the hype. As of early 2011 the city was running both its legacy and the cloud systems – hardly a model of cost-efficiency. The police functions had not been successfully outsourced because of security concerns and the report stated that Los Angeles will have to shut down the operation in June 2011 if the situation isn’t resolved. Could Los Angeles be the canary in the coal mine to show that that “cloud first” may not result in dramatic cost savings?
 
Perhaps most troubling is the loss of control over data: According to the draft NIST report “a characteristic of many cloud computing services is that detailed information about location of the data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.” Translation: outsourcing data to the clouds means that often organizations (including the US government) won’t know and/or have any control over where that data is stored or transferred, despite state and federal laws prohibiting transfer of data overseas. Enabling third party service providers to dictate where data flows may not be worth whatever cost-savings may be generated by the new “cloud first” policies.


Leave a comment

Employee Use of Peer-to-Peer Software Presents Data Security Concerns

The data security risks involved in the installation of peer-to-peer file-sharing software on corporate computers were demonstrated by a recent security breach incident at a major pharmaceutical company that was traced to the use of unauthorized P2P software on a company laptop. The data security breach occurred when an employee’s spouse installed the software on a laptop provided by the company for the employee’s use at home. According to the company’s letter notification to its affected employees, the names, social security numbers, and, in some cases, addresses and bonus information of some 17,000 present and former employees could have been accessed and copied by third parties via the P2P software. Now the company is being sued by its employees in a putative class action.

At about the same time, Rep. Henry Waxman held hearings in Washington on July 24, and concluded that the use of such software in government and corporate environments is a "national security threat." Tests conducted by his staff using popular P2P applications revealed that a multitude of varieties of sensitive corporate information is inadvertently made available on P2P file-sharing networks.

The security breach incident, and the results of Rep. Waxman’s tests, underscore the importance of having, and enforcing, data security policies in the corporate environment. A properly drafted security policy should include the following:

  • Provisions prohibiting the installation of unauthorized software on all company computers, specifically including laptops and other computers provided by the company for use in the home environment.
  • Provisions prohibiting the use of company-provided computer equipment by anyone other than the company employee.