Seminar Addressing Drones #00021

Submission Number:
Timothy Yim
Startup Policy Lab
Initiative Name:
Seminar Addressing Drones
On October 13, 2016, the Federal Trade Commission (FTC) held the second of its Fall Technology Series on Drones and the privacy concerns that drones raise. Startup Policy Lab participated on the second panel of the day, "How Should Privacy Concerns Raised By Drones Be Addressed?," presenting our work developing drone privacy and data security policies for local government-including policies on the management of data collected during drone operations, i.e., collection, use, sharing, and retention. Startup Policy Lab submits this public comment to the FTC to provide a resource on the practical operational issues encountered applying traditional privacy frameworks to emerging drone technology. These lessons-on privacy risk management, flight operation methodology, post-processing practices, and privacy-by-design-that were gleaned from our work with local government apply also to the adoption of drone technology by commercial enterprise. Our goal then is not only to inform policy on emerging technologies, but to enable innovation in a responsible fashion. Privacy Risks Certainly and without a doubt, drone technology raises a host of privacy concerns. As a starting point, the intentional or unintentional collection of facial data could serve as a biometric trove for facial recognition software, leading to sensitive location tracking over time. The same principle applies also to the collection of unique mobile device IDs that drones can amass during flight. Fundamentally, the potential privacy concern here is a privacy-in-public-spaces question. As drone technology further develops into an infrastructure technology, drone flight frequency, flight duration, and associated data collection will rise. Whether that data will eventually be utilized in government and corporate efforts to track the public depends on the privacy policies and best practices that society develops today. Additionally, as drone technology becomes increasingly economical as an infrastructure technology, drones will also increasingly be adopted by entities without the necessary privacy law, policy, and compliance expertise to implement responsible privacy and data security in their operational drone programs. Operational Obstacles Three major trends emerged from our work with local governments to create responsible privacy drone programs. - Risk Management & Balancing Infrastructure: Local government as well as small and medium-sized businesses (SMBs) often lack the subject matter expertise to create a risk management program that identifies, balances, and remediates privacy risks. Potential reasons include local government's familiarity with strict compliance regimes, and as with many SMBs, financial limitations. In particular, approaching drone privacy in a privacy-by-design fashion can result in positive-sum risk management solutions, e.g., processing post-flight data to eliminate unintentional PII retention. However, these privacy-by-design solutions require a substantial familiarity in privacy law, policy, and compliance that is often in short supply. One consequence of the scarcity of risk infrastructure and/or subject matter expertise is aggregate policies, which are umbrella policies that govern an overly broad range of drone flights and data usage. These aggregate policies are inherently risky because the policies incentivize operational risk to move towards the maximum allowable ceiling guidelines, even when there isn't a corresponding benefit in the fundamental risk-benefit analysis. Instead, each proposed drone flight and collected data use should be tailored to the identified purposes of that drone flight. This approach embodies the privacy-by-design principle that is fast becoming the standard of care and operations across government and industry. - Standardized Onboarding & Data-Driven Policy: Often the types and depth of information provided for decision-makers to approve drone flight programs are nonstandard and lack sufficie