Deep Dive: The White House’s New Memo on Drones and Privacy
A memo issued by President Obama last month that addresses privacy and civil liberties concerns with using drones in domestic airspace takes steps in the right direction, but leaves many questions unanswered.
"Deep Dive: The White House's New Memo on Drones and Privacy" by Rachel Levinson-Waldman, originally published on Just Security, on March 16, 2015.
Last month, President Obama released a presidential memorandum on the domestic use of drones by federal agencies. The memorandum addresses the implications for privacy, civil rights, and civil liberties of having unmanned aircraft — the industry-preferred term for drones — in domestic airspace. The memorandum takes some steps in the right direction, but leaves many questions unanswered.
Perhaps most critically, it fails to address two major issues: First, will law enforcement agencies be held to a higher standard than other governmental agencies such as the Bureau of Land Management (and if not, as seems to be the case, why not)? And second, what restrictions govern when federal agencies buy drone-collected information from third parties?
Before digging into an analysis, what do we mean by “drones?” A drone can be nearly any size, from as small as an insect to as large as a 757 passenger jet. It can be outfitted with technologies including high-powered cameras, thermal imaging devices, license plate readers, laser radar, and acoustical eavesdropping, see-through imaging, scent detection, and signals interception devices. On the operational side, the Federal Aviation Administration recently issued draft rules for the operation of drones under 55 pounds and signaled that it might consider more liberal rules for “micro” drones weighing less than 4.4 pounds. (The drones covered in the memorandum are used differently from the weaponized drones that are used in Yemen and elsewhere for “targeted killing.” Those pose their own serious concerns, including the collateral killing of civilians and the radicalization of targeted populations.)
With our terms thus defined, here are some of the memorandum’s highlights, lowlights, and points in between:
First, the memorandum recognizes that any information collected by drones must be “gathered, used, retained, and disseminated” in accordance with the Constitution and federal law and regulations. This is good, although it is hard to imagine a presidential memorandum not at least paying lip service to the Constitution and federal law. The devil is, as usual, in the details.
For example, the memorandum observes that federal agencies must comply with the Privacy Act, which it describes as “restrict[ing] the collection and dissemination of individuals’ information that is maintained in systems of records.” This is accurate as far as it goes, but in the context of drones collecting data, it’s incomplete.
For a database to be a “system of records” under the Act, the information must be retrievable through some unique, personal identifier: a name, a Social Security number, a phone number, an email address, or something similar. It seems unlikely that drone footage will be retrievable with one of these types of personal identifiers, except perhaps in the case of the pursuit of an identified individual (e.g., a block of footage tagged with the title “drone chase of suspected fleeing felon John Smith”). While footage may be less likely to be misused if it is not searchable by name, it is also less likely to be subject to the Privacy Act.
Of course, as we explore below, other types of data that drones will pick up, such as faces and walking styles, are likely to become searchable in the future. It is an open question whether those characteristics will count as personal identifiers (and even the definition of “retrievable” is a subject of much dispute — indeed, it is not clear whether even the ability to search for a specific license plate number qualifies). Coverage by the Privacy Act is thus likely to be an evolving, and contested, matter.
Second, the memorandum sets out a framework for agencies’ privacy policies and procedures, stipulating that they must incorporate certain restrictions on collection and use, retention, and dissemination.
These provisions have two glaring omissions. As an initial matter, they do not address the government’s use of drone data collected by a third party. Government entities increasingly rely on private databases to obtain sensitive personal information, and these private databases are not governed by the Privacy Act or other privacy laws. Although the language of the memorandum is not crystal clear, it appears designed to address the treatment of information collected directly by an agency, not obtained from a private company. Given the lucrative data market, it is nearly inevitable that private companies will launch drones to capture individual interactions, crowd shots, license plate numbers, traffic information, and more — and this information will be packaged to be attractive to law enforcement and other governmental agencies. The memorandum’s failure to address this eventuality, and to set guidelines for access to and use of this information, is a major deficiency.
With respect to their own drone deployment, agencies can gather or use information if it is “consistent with and relevant to an authorized purpose.” That sounds like a limiting principle — but what is an “authorized purpose?” The memorandum includes a section on definitions, but this phrase doesn’t appear, making it seem as though the administration is kicking the can a little further down the road with respect to when drones can actually be used. If construed broadly, this phrase might do little more than duplicate the requirement that agencies act within the law.
This brings us to the second major omission: the collection and use provisions, which are problematic on their own, do not distinguish between law enforcement agencies and other federal entities — even though the purposes for drone use by different kinds of agencies can diverge widely. Thus, if one of the authorized purposes of the Environmental Protection Agency is to track the effect of climate change on waterways, sending a drone overhead during a flash flood to gauge the increase in water levels and erosion may well be consistent with that purpose and in the public interest. Similarly, the Bureau of Land Management may be able to use drones to count the number of wild horses grazing on a particular tract of land — indeed, it may be less expensive, more efficient, and less alarming to the horses.
That is far different, however, from using a drone to carry out an “authorized purpose” of a law enforcement or intelligence agency. Law enforcement agencies are meant to serve and protect, but they also exercise the coercive power of the government in investigating crimes, arresting suspects, and prosecuting and imprisoning offenders. It is axiomatic that these purposes alone do not empower police to act without constraint, including by engaging freely in surveillance activities. Instead, procedural hurdles ensure that police power is balanced against the intrusion on individuals and society.
Thus, government agents may enter a home to search for evidence of a crime, but only with a warrant that shows probable cause that a crime has been committed and particularly describes the things to be seized. Police may attach a wiretap to listen in on a phone call, but only with a “super-warrant” that meets an even higher standard. Police may stop cars to check for evidence of impaired drivers, but only under certain tightly controlled circumstances that limit the discretion of the police officers involved.
Similarly, a law enforcement agency generally should be required to obtain a warrant before using a drone (as one bill introduced in the Senate last week would compel). Granted, the Supreme Court historically permitted surveillance in public places without a warrant on the grounds that people largely can’t expect privacy in public. Recently, however, the Court has signaled that tracking people in public and scooping up reservoirs of digital information without a warrant may be a step too far for the Fourth Amendment. (Even if a warrant is necessary, law enforcement will still be able to act without one under well-established exceptions to the warrant requirement, such as in an emergency or in a small set of “special needs” circumstances.)
Moreover, “domestic airspace” is a capacious category. Even if a law enforcement agency can dispatch a drone to loiter over a public road without running afoul of constitutional limitations — an increasingly dubious proposition — the same might not be true for a drone hovering over, say, an individual’s backyard or next to their window. While a single presidential memorandum can’t address everything, the failure to acknowledge that the use of drones by law enforcement poses special privacy risks is a major omission.
This is to say nothing of the intelligence agencies, which are likely to want to get in on the action with drones as well. While international-facing agencies such as the NSA and CIA are not reported to be flying drones over American airspace, one (or more) of the other 17 member agencies of the US Intelligence Community will surely find a reason to launch a drone, particularly once the ground is softened by other federal agencies. Indeed, many of the IC’s member agencies — the FBI, the Department of Homeland Security (DHS), and the Drug Enforcement Administration (DEA), among others — unite law enforcement and intelligence goals, and often work in tight coordination with each other. The FBI collaborates closely with the NSA. The DEA is reportedly “laundering evidence” from the NSA and other agencies. And the CIA assisted the Justice Department in developing its domestic airborne spying technology. Because intelligence activities are usually conducted in secret, agencies carrying out such functions have often been able to evade oversight, making strict rules and accountability even more critical.
The memorandum does set limitations on the retention and sharing of information collected by drones, though the exceptions may prove to swallow the rule. To wit, data that contains personally identifiable information must be destroyed after 180 days — unless it is “necessary to an authorized mission” of the agency, is maintained in a database covered by the Privacy Act, or is required to be kept for longer “by any other applicable law or regulation.” Similarly, data that is not within a Privacy Act-covered database may not be disseminated outside the agency — unless sharing is legally required or “fulfills an authorized purpose and complies with agency requirements.” Again, the restrictions on retention and sharing are laudable, but requiring an “authorized purpose” may prove to be an ineffectual limitation.
In addition, the reference to personally identifiable information raises more questions than it answers. Any drone that captures an image of a person is in possession of personally identifiable information — or information that may become personally identifiable in the future. Facial recognition technology is advancing rapidly and biometric identification mechanisms that were once assumed to require close proximity to a subject, such as fingerprint capture, can now work at an increasingly further remove (and even be recreated from photographs). Scientists are even developing ways to identify people by their gait. And information such as license plate numbers is viewable and easily correlated with an individual driver or owner. In short, unless a drone is capturing not a single piece of individual-related data, it is likely to record footage that contains some personally identifiable information.
With respect to information retention and sharing, the fact that the data must be necessary to an authorized purpose, not just relevant, should help cabin some agency overreach. Nevertheless, the provisions also highlight the weak link in information sharing restrictions, which is that some agencies have multiple missions and there are few limitations on intra-agency sharing. For instance, DHS houses multiple branches with different focuses and both civil and criminal enforcement authorities. Because it is one organization, however, there are fewer restrictions on sharing among the elements. Moreover, the provisions do not impose any additional limitations on the recipients of the information. The sharing and retention guidelines thus beg the question again: what constitutes an authorized purpose or mission, and how easily will data be shared within large agencies?
Civil Rights and Civil Liberties Protections
Third, agencies must put into place fairly robust protections for civil rights and civil liberties. The memorandum requires agencies to “prohibit the collection, use, retention, or dissemination of data in any manner that would violate the First Amendment or in any manner that would discriminate against persons based upon their ethnicity, race, gender, national origin, religion, sexual orientation, or gender identity.” (Emphasis added.) This language is different from the usual restrictions on the FBI, which can generally collect intelligence or initiate an investigation on the basis of First Amendment-protected activity as long as that is not the sole reason for doing so. It remains to be seen whether the new language will be interpreted as being more restrictive, or if it is the same standard repackaged in new language. Under the memorandum, agencies also have to establish procedures to handle any complaints that an individual’s privacy, civil rights, or civil liberties were violated.
In addition, agencies that use drones must reexamine their policies and procedures — on privacy as well as civil rights and civil liberties — at least every three years. It remains to be seen whether this is frequent enough, but it shows recognition that technology is changing so quickly that some policies may be out of date almost as soon as they’re approved.
Accountability and Transparency
Fourth, the memorandum requires that agencies implement certain accountability and transparency measures. The accountability provisions require that agencies have in place oversight procedures, rules of conduct and training, oversight of individuals with access to personally identifiable information, and mechanisms to ensure that governmental recipients of grant funding have their own privacy, civil rights, and civil liberties policies and procedures in place.
On the transparency front, agencies using drones are required to provide notice of where their drones are authorized to operate (which presumably could mean an area as broad as the entire southern border of the United States); “keep the public informed” about their drone program along with any “changes that would significantly affect privacy, civil rights, or civil liberties;” and publish an annual summary of their activities. In addition, agencies are expected to publish information within a year about how to access their policies and procedures. It is critical that agencies publish this information in an accessible, effective interface — for instance, on a user-friendly website — rather than in an obscure manner that meets the letter of the regulations but is easily overlooked, such as in the Federal Register.
These transparency and accountability measures are a good start, but only a start. While the requirement that agencies establish policies and procedures is laudable, there must be strong oversight to ensure that the policies have teeth and that noncompliance is met with consequences. Fusion centers, for instance, are required to have policies in place, but the quality of those policies varies widely, DHS exercises little oversight, and the fusion centers are left to operate in a state of “organized chaos.” The lesson from fusion centers suggests that we need to add teeth to any mandate that agencies put policies in place.
Similarly, the agreements regarding sharing of drone data — which could presumably be between different federal agencies; between federal and local, state, or tribal agencies; or between federal agencies and private third parties — should be required to be made public to the extent possible. Memoranda of understanding tend to hide details that are necessary to a full understanding of government initiatives, and it is critical that they be publicly available. Similarly, making the amount and type of expenditures on drones accessible would help the public understand how much money is spent for what kind of benefit. (DHS’s Inspector General recently issued a blistering report about the drone program run by the Customs and Border Protection service, concluding that it does not achieve its intended results or reflect the true costs of operation.)
Finally, the memorandum directs the National Telecommunications and Information Administration (NTIA) to convene a “multi-stakeholder engagement process” in order to “develop and communicate best practices for privacy, accountability, and transparency issues” in domestic drone use. The NTIA stakeholder process has been criticized for producing watered-down standards that are solely voluntary, though some advocates have noted that the negotiated process can produce a rough consensus. (In addition, the process is specifically focused on commercial and private drones, not those operated by law enforcement or intelligence, so the concerns raised above will not be addressed through the NTIA process.) The NTIA recently published a formal request for comment, as well as an announcement of an upcoming public meeting, so it remains to be seen how that process will play out.
The administration can be commended for recognizing that the introduction of drones into the domestic airspace brings with it concerns related to privacy, civil rights, and civil liberties. And during a time of near-total gridlock in Congress, a presidential memorandum may be the most practical way to lay out guiding principles and practices for agencies. Unfortunately, this memorandum has too many conspicuous holes. It must be the start, not the end, of the discussion.