Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
For first presentation to the UAV Triple Zero Summit: Mobilising & Regulating Unmanned Aerial Vehicles in Emergency Response, 23 - 24 July 2014, Melbourne
Version of 21 July 2014
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2014
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/SOS/Drones-PCLI.html
The accompanying slide-set is at http://www.rogerclarke.com/SOS/Drones-PCLI.pdf
Privacy is the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisation. Privacy has multiple dimensions. Drones have potentially serious negative implications for both the privacy of the physical person, and the privacy of personal behaviour. Uses of drones for emergency response have a less threatening profile than surveillance applications more generally, but a number of concerns exist even in this area.
The current regulatory frameworks for both public safety and drone surveillance fall seriously short of what the Australian public needs and expects. Unless appropriate policy responses are forthcoming, public opinion will harm the prospects of drone applications and drone producers. An outline is provided of appropriate regulatory arrangements, and of the actions that need to be taken by individual organisations.
Drones have considerable promise in a range of applications (Clarke 2014b). Privacy concerns about them are very real, however, and are capable of being fanned by media coverage, and becoming a serious impediment to adoption. This presentation provides a scan of the field, based on research undertaken in consultancy and research capacities, together with relevant policy statements of the Australian Privacy Foundation (APF).
The APF is the primary association dedicated to protecting Australians' privacy rights. The Foundation aims to focus public attention on emerging issues that pose a threat to the freedom and privacy of Australians. It is also active in international fora, such as the Council of Europe and APEC, and is a participant in Privacy International, the world-wide privacy protection network. Where possible, it cooperates with and supports official agencies, but it is entirely independent of - and unfortunately often has to be critical of - the performance of Privacy Commissioners.
The Privacy Foundation is a voluntary organisation of professionals, including lawyers and technologists. It establishes evidence-based policies, and provides submissions that:
APF works in concert with with a wide variety of consumer rights organisations, and with civil liberties organisations, in particular NSW CCL, Liberty Victoria, QCCL, CLA and EFA.
Many people assume that privacy is primarily about personal data. That is, however, only one of five dimensions of privacy. These dimensions are discussed in detail at Clarke (1997, 2006), but in outline comprise:
Human rights and civil liberties as a whole are of course a much broader field than privacy. This presentation limits its scope to those aspects of civil liberties that are within the five dimensions of privacy outlined above.
This presentation follows Clarke (2014b) in treating the defining elements of a drone / UAV / UAS / RPA / RPAS as being:
This presentation firstly outlines the impacts of drones on privacy values, some real, some at this stage potential. It then notes that current protections for public safety and privacy are seriously deficient, and outlines the APF's policy position on actions needed by parliaments, regulators, industry associations and corporations.
Inadequate controls will result in negative public perceptions of drones, and public and media activity may well extend beyond sullen dislike to strenuous opposition. It is therefore in the interests of all parties for early action to be taken to ensure that the negative impacts do not come about, or at least are suitably risk-managed. The presentation accordingly outlines the way in which proponents of drone implementation can insure against privacy concerns blocking progress.
In APF (2014b), the following impacts of surveillance on behavioural privacy were identified:
In addition, the following impacts of surveillance on the physical privacy of individuals were identified:
Virtually all of the generic concerns about surveillance apply to drones. This is expressly addressed in s.3.1 of Clarke #SC(2014c). In addition, surveillance concerns are greatly heightened by drones. This is expressly addressed in s.3.2 of Clarke (2014c). Public fears are considerable, and are capable of being quickly fanned by the media as examples of abuses arise.
In relation to emergency response applications of drones, it is clear that there are positive impacts on personal safety, and hence on privacy of the physical person. In addition, negative privacy impacts are largely incidental, negative behavioural privacy impacts will often be outweighed by the importance of public safety, and negative privacy impacts are manageable.
On the other hand, negative privacy impacts of emergency response applications of drones are only manageable if all of the following criteria are satisfied:
The use of drones for surveillance purposes by all organisations must be subject to an effective regulatory regime. This applies to emergency services applications as it does to every other category of use. Otherwise, abuses will very likely occur, and, even if they did not, there would be considerable public disquiet about the scope for organisations to abuse their powers.
In Clarke & Bennett Moses (2014), a comprehensive review was undertaken of the regulatory framework governing aviation safety. As stated in evidence to the House of Representatives Committee in February 2014 (APF 2014a), public safety aspects lag seriously, and the Civil Aviation Safety Authority (CASA) has to date still not awakened from its slumbers.
In addition, Clarke (2014c) examined Australian laws relating to drone surveillance. The Privacy Act is all but irrelevant to behavioural privacy protection. All of the available torts such as trespass and nuisance - even the modern ones such as harassment and stalking, are effectively irrelevant to all of the situations that arise with drone surveillance. Commonwealth laws relating to visual surveillance are for the purpose of authorising Commonwealth agencies, not protecting privacy. and those State and Territory jurisdictions that have laws regulating visual surveillance, the scope is exceedingly narrow and the laws have been shown to be ineffectual.
In short, the regulatory framework for visual surveillance in Australia is a shambles, with scattered provisions relating to some aspects, and nothing at all relating to others.
This is evident to the federal Parliament (APH 2014). Whether that will be sufficient to cause legislative action remains unclear, and whether the resulting Bills will be subject to appropriate consultation, whether lobbying behind closed doors will undermine the Bills' quality , and whether this or any Government will actually pilot the Bills through the House and Senate, are all up in the air.
Given the importance of appropriate protections, and the absence of anything like an appropriate body of laws and practices, the Australian Privacy Foundation's Policy Statement on Drones (APF 2014b) calls for all of the following:
Parliament and regulators have a job to do. But, even while they're prevaricating, and even if they fail to protect privacy and the drone industry, there are things that corporations, government agencies and industry associations can do.
Privacy has long been of strategic significance in many sectors of business and government (Clarke 1996, 2006b). A Privacy Strategy involves a proactive stance, an express strategy, an articulated plan, resourcing, monitoring against the plan. A number of well-established business processes can be applied to ensuring that an organisation's privacy strategy is appropriate to the needs of the organisation and the people its actions affect.
Critical among those business processes is a Privacy Impact Assessment (PIA). The APF's Policy Statement on PIAs (APF 2013) identifies eight attributes of an effective PIA process: purpose, responsibility, timing, scope, stakeholder engagement, orientation, process design and outcomes.
The guidelines of the Victorian Privacy Commissioner are very workable (OVPC 2009), and (with a few qualifications) the recently-revised guide by the Australian Privacy Privacy Commissioner is also quite reasonable and usable (OAIC 2014). A small number of specialist consultants exist in Australia who have experience in assisting organisations to conduct PIAs and get out ahead of privacy problems.
Applications of drones in emergency contexts are of very apparent value. Moreover, they tend to have only limited scope for privacy-invasiveness, and a strong argument exists for taking measured risks with behavioural and data privacy when human life and human safety are at risk.
However, there's an apparent, and entirely rational, tendency for drone applications in emergency contexts to be at the forefront of marketing communications by both suppliers and law enforcement agencies. The hope would appear to be that drones / UAVs / RPAS / very small aircraft by any other name will come to be accepted by the public; and that, subsequently, other, more threatening applications can have an easier ride. Many people are accordingly both:
The industry can do something constructuve about that. It can apply technology assessment techniques to public safety issues. It can apply privacy impact assessment methods to behavioural and data privacy concerns. It can engage with the public, with its representatives, and with civil society.
Some limited engagement is apparent, in the form of discussions between the suppliers' lobby group, the Australian Association for Unmanned Systems (AAUS), and Liberty Victoria. On the other hand, those discussions were undertaken in secret, and requests by APF for involvement, and even for a copy of the resulting document, have not at this stage borne fruit. Contact was made with APF by the operators' lobby group, the Australian Certified UAV Operators (ACUO), but nothing has come of it to date. No law enforcement agency has been in contact with APF on the subject of drones. No supplier has sought to engage with the organisation.
To date, supplier and user organisations have abjectly failed to protect their own interests, either through constructive activities by their industry associations or through their own actions. APF finds this behaviour remarkable, and recommends that proponents of drone applications of all kinds, including to emergency response, get their act together.
APF (2013) 'Policy Statement on Privacy Impact Assessments' Australian Privacy Foundation, March 2013, at http://www.privacy.org.au/Papers/PS-PIA.html
APF (2014a) 'Roundtable on drones and privacy' Hansard of the House of Representatives Standing Committee on Social Policy and Legal Affairs' 28 February 2014, pp. 38-46, at http://www.privacy.org.au/Papers/SenCtee-Drones-140228.pdf
APF (2014b) 'Policy on Drones' Australian Privacy Foundation, March 2014, at http://www.privacy.org.au/Papers/PS-Drones.html
APH (2014) 'Inquiry into drones and the regulation of air safety and privacy' House of Representatives Standing Committee on Social Policy and Legal Affairs, Australian Partliament House, 14 July 2014, at http://www.aph.gov.au/Parliamentary_Business/Committees/House/Social_Policy_and_Legal_Affairs/Drones/Report
Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy' Keynote Address to the Conference of the I.S. Audit & Control Association (EDPAC'96), in Perth, Western Australia, on 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html
Clarke R. (1997) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms' Xamax Consultancy Pty Ltd, August 1997, at http://www.rogerclarke.com/DV/Intro.html#Priv
Clarke R. (2006a) 'What's 'Privacy'? Prepared for a Workshop at the Australian Law Reform Commission, 28 July 2006, at http://www.rogerclarke.com/DV/Privacy.html
Clarke R. (2006b) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006), at http://www.rogerclarke.com/DV/APBD-0609.html
Clarke R. (2014a) 'Drones and Privacy' Notes in Preparation for a Roundtable of the House of Representatives Standing Committee on Social Policy and Legal Affairs' Xamax Consultancy Pty Ltd, February 2014, at http://www.rogerclarke.com/SOS/Drones-HoR.html
Clarke R. (2014b) 'Understanding the Drone Epidemic' Computer Law & Security Review 30, 3 (June 2014) 230-246, PrePrint at http://www.rogerclarke.com/SOS/Drones-E.html
Clarke R. (2014c) 'The Regulation of of the Impact of Civilian Drones on Behavioural Privacy' Computer Law & Security Review 30, 3 (June 2014) 286-305, PrePrint at http://www.rogerclarke.com/SOS/Drones-BP.html
Clarke R. & Bennett Moses L. (2014) 'The Regulation of Civilian Drones' Impacts on Public Safety' Computer Law & Security Review 30, 3 (June 2014) 263-285, PrePrint at http://www.rogerclarke.com/SOS/Drones-PS.html
OAIC (2014) 'Guide to undertaking privacy impact assessments' Office of the Australian Information Commissioner, May 2014, at http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-undertaking-privacy-impact-assessments
OVPC (2009) 'Privacy Impact Assessments Guide' Office of the Victorian Privacy Commissioner, April 2009, at http://www.privacy.vic.gov.au/domino/privacyvic/eb2.nsf/files/privacy-impact-assessments-guide
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University. He has also served as Chair of the Australian Privacy Foundation (APF) during the period 2001-08, and is Secretary of the Internet Society of Australia (ISOC-AU).
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 13 July 2014 - Last Amended: 21 July 2014 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/SOS/Drones-PCLI.html