Commercial unmanned aerial systems are set to start flying over US airspace in 2015. In November, the Federal Aviation Administration released its final privacy rules for the six drone “test sites” that the agency will use to evaluate how drones will be integrated into domestic air traffic. These new privacy requirements were issued just days after Sen. Ed Markey (D-MA) introduced a new bill, the Drone Aircraft Privacy and Transparency Act, intended to codify essential privacy and transparency requirements within the FAA's regulatory framework for domestic drones and drone test sites.
In 2012 Obama signed the Federal Aviation Administration Modernization and Reform Act, which mandated that the FAA implement “test sites” to fly domestic drones before opening the door to nationwide regulations and licensing for commercial drone flying. Two dozen states have applied to be FAA drone test sites. While the FAA's rules do establish minimal transparency guidelines for the new drone test sites, the new rules apply only to the test sites and do not apply to the drones that are already authorized to fly.
The new transparency rules require each test site operator to create, post, and enforce its own privacy policy, as well as set up “a mechanism to receive and consider comments from the public.” The FAA rules further state that test sites must require all drone operators to establish “a written plan for the operator's use and retention of data collected by the UAS.” Although the FAA’s rules require the test site privacy policies to be made available to the public, there seems to be no similar requirement for the UAS operators’ “written plans.” There also appears to be no FAA oversight for these transparency rules — the rules basically call for the test sites to police themselves.
While we appreciate the steps the FAA has taken so far, the agency could and should go further to require similar transparency from all drone operators. The FAA has already authorized almost 1,500 permits for domestic drones since 2007, but, despite our two Freedom of Information Act lawsuits for drone data, we still don’t know much about where these drones are flying and what data they are collecting.
EFF submitted comments in the FAA's rule-making process about what a good privacy policy for the drone test sites would look like, and only a few of our proposals were adopted into the new rules. The FAA did not, as EFF recommended, develop and provide a model privacy policy for all test site operators, something that would have been relatively easy to produce considering the federal reach of the agency. The FAA also could have gone further to ensure that data collected at drone test sites does not exceed Constitutional and other legal limitations. Nine states have passed laws that restrict the use of drones by either law enforcement or private citizens. Some of these states have also applied to be drone test sites, which would then test those existing state policies.
It is especially important for the FAA to define basic data collection procedures for domestic drones because the technology enables a kind of surveillance not achievable by manned aerial or ground-based law enforcement or commercial entities. Some drones are capable of staying in the air for 16-24 hours at a time, much longer than a manned aircraft ever could. Drones can fly altitudes above 20,000 feet with super high resolution cameras and can monitor and track many people at once or intercept phone calls and text messages. Drones also cost far less to purchase, operate and maintain than helicopters and planes.
A number of drone bills have been introduced in Congress over the last two years, but Markey's proposed legislation is demanding of both the FAA and drone operators when it comes to protecting the constitutional rights of Americans. The Drone Aircraft Privacy and Transparency Act calls for the FAA to institute and enforce guidelines for all licensed domestic drone flights—not just test sites—that include clear data minimization procedures, as well as transparency rules that require drone test site operators to disclose their data collection practices and how drone operators use, retain, and share all collected data.
Markey's bill requires the FAA to create a publicly searchable database of all awarded drone operator licenses, the logistical details of their operation, and each drone operator's data collection and minimization statement. Creating a database like this is within the FAA’s purview. The agency already runs other databases about aircrafts in national airspace, listing who is in the air, accident reports, and safety information.
Law enforcement agencies across the country are already flying drones without set national privacy guidelines in place. But at this point our most successful tactic for learning more about drones has been to sue for access to information. The American public shouldn't have to submit a FOIA request just to know if drones are overhead. Markey’s bill is a strong start to what needs to be an ongoing conversation about the future of American privacy standards in light of the coming age of domestic drones. We need more lawmakers to speak up for greater transparency and accountability of both government and commercial operation of drones in our national airspace.
Until there are laws in place that mandate transparency, we encourage you to submit requests to your local law enforcement agency and city council to learn more about drone flights in your area. We've partnered with MuckRock, an open government organization dedicated to helping people send requests for public records, to campaign for greater transparency about drones that are already flying in the United States. If you're wondering what your own police agency may be doing with drones, go here and fill out this simple form so MuckRock can send in a public records request for you.