Roger Clarke's Web-Site © Xamax Consultancy Pty Ltd,  1995-2024
HOME	eBusiness	Information Infrastructure	Dataveillance & Privacy	Identity Matters	Other Topics
What's New		Waltzing Matilda	Advanced Site-Search

Managing Drones' Privacy and Civil Liberties Impacts

For first presentation to the UAV Triple Zero Summit: Mobilising & Regulating Unmanned Aerial Vehicles in Emergency Response, 23 - 24 July 2014, Melbourne

Version of 21 July 2014

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2014

This document is at http://www.rogerclarke.com/SOS/Drones-PCLI.html

The accompanying slide-set is at http://www.rogerclarke.com/SOS/Drones-PCLI.pdf

Abstract

Privacy is the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisation. Privacy has multiple dimensions. Drones have potentially serious negative implications for both the privacy of the physical person, and the privacy of personal behaviour. Uses of drones for emergency response have a less threatening profile than surveillance applications more generally, but a number of concerns exist even in this area.

The current regulatory frameworks for both public safety and drone surveillance fall seriously short of what the Australian public needs and expects. Unless appropriate policy responses are forthcoming, public opinion will harm the prospects of drone applications and drone producers. An outline is provided of appropriate regulatory arrangements, and of the actions that need to be taken by individual organisations.

Contents

• 1. Introduction
• 2. Privacy Impacts of Drones
• 3. Current Protections
• 4. APF's Policy
• 5. Privacy as a Strategic Factor
• 6. Conclusions
• References

1. Introduction

Drones have considerable promise in a range of applications (Clarke 2014b). Privacy concerns about them are very real, however, and are capable of being fanned by media coverage, and becoming a serious impediment to adoption. This presentation provides a scan of the field, based on research undertaken in consultancy and research capacities, together with relevant policy statements of the Australian Privacy Foundation (APF).

The APF is the primary association dedicated to protecting Australians' privacy rights. The Foundation aims to focus public attention on emerging issues that pose a threat to the freedom and privacy of Australians. It is also active in international fora, such as the Council of Europe and APEC, and is a participant in Privacy International, the world-wide privacy protection network. Where possible, it cooperates with and supports official agencies, but it is entirely independent of - and unfortunately often has to be critical of - the performance of Privacy Commissioners.

The Privacy Foundation is a voluntary organisation of professionals, including lawyers and technologists. It establishes evidence-based policies, and provides submissions that:

• argue for positive changes to laws affecting privacy
• argue against negative changes to laws affecting privacy
• contribute to the development of industry codes
• highlight privacy risks in emerging technologies
• contribute to global efforts to improve computer and Internet security

APF works in concert with with a wide variety of consumer rights organisations, and with civil liberties organisations, in particular NSW CCL, Liberty Victoria, QCCL, CLA and EFA.

Many people assume that privacy is primarily about personal data. That is, however, only one of five dimensions of privacy. These dimensions are discussed in detail at Clarke (1997, 2006), but in outline comprise:

• privacy of the physical person, sometimes referred to as 'bodily privacy'. This is concerned with the integrity of the individual's body. Drones may themselves represent a threat to personal safety. They may also gather and disclose data, in particular human identity and location data, which may give rise to threats to personal safety
• privacy of personal communications. This is concerned with access to and interception of data-flows. It may become relevant to the extent that drones are used for such purposes
• privacy of personal data. This is concerned with the handling of data about individuals, including collection, use and disclosure that abuse individuals' expectations. Drones may impact the privacy of personal data to the extent that they play a role in the collection, storage and retention of data, including images and video
• privacy of personal behaviour. This is concerned with behaviour in 'private places' such as the home and toilet cubicle, and in 'public places', where casual observation by the few people in the vicinity is very different from systematic observation and the recording of images and sounds. Drones:
  • directly interfere with behaviour to the extent that they are used for the targeted observation of individuals
  • may indirectly interfere with behaviour as a side-effect of the observation of an area that contains individuals, and
  • contribute - probably significantly - to the public sense of a 'panoptic', which has a 'chilling effect' on behaviour generally
• privacy of personal experience. This is concerned with the rapidly increasing extent to which individuals' reading, viewing, and interacting and associating with other people is being converted from unrecorded ephemera to data that is stored and exploited by organisations

Human rights and civil liberties as a whole are of course a much broader field than privacy. This presentation limits its scope to those aspects of civil liberties that are within the five dimensions of privacy outlined above.

This presentation follows Clarke (2014b) in treating the defining elements of a drone / UAV / UAS / RPA / RPAS as being:

• the device must be heavier-than-air (i.e. balloons are excluded)
• the device must have the capability of sustained and reliable flight
• there must be no human on board the device (i.e. it is 'unmanned')
• there must be a sufficient degree of control to enable performance of useful functions

This presentation firstly outlines the impacts of drones on privacy values, some real, some at this stage potential. It then notes that current protections for public safety and privacy are seriously deficient, and outlines the APF's policy position on actions needed by parliaments, regulators, industry associations and corporations.

Inadequate controls will result in negative public perceptions of drones, and public and media activity may well extend beyond sullen dislike to strenuous opposition. It is therefore in the interests of all parties for early action to be taken to ensure that the negative impacts do not come about, or at least are suitably risk-managed. The presentation accordingly outlines the way in which proponents of drone implementation can insure against privacy concerns blocking progress.

2. Privacy Impacts of Drones

In APF (2014b), the following impacts of surveillance on behavioural privacy were identified:

• the perspective of the observation is from above, which enables obstructions to view to be much more readily overcome
• the manoeuvrability of the aircraft means that the point-of-view can be moved, and moved quickly
• in some circumstances, the craft's manoeuvrability, speed and endurance are sufficient that pursuit of a surveillance target becomes feasible
• many more organisations and many more individuals will find it economic to conduct surveillance
• a much greater degree of automated monitoring is feasible
• multiple sources and live feeds can be used at the same time
• because the economic constraints are much lower, it is feasible to conduct more intensive surveillance of individuals and locations (i.e. more of the time), and more extensive surveillance (i.e. in more places)
• as battery technology improves, long-term surveillance becomes a more realistic possibility
• the enforcement of laws that constrain surveillance will become more difficult, because of the number of organisations and individuals breaching them

In addition, the following impacts of surveillance on the physical privacy of individuals were identified:

• there is a likelihood of a high level of accidents, as a result of lower quality of product engineering, lower quality of training, lower quality of operations, increased density of air traffic, and extended areas in which airspace congestion arises
• there is a likelihood that drone operations will come into conflict with other activities, in some cases threatening public safety. This may arise from, for example, interference with important law enforcement and emergency services operations, or from intentional or accidental jamming of electronic communications
• there is considerable scope for aggressive and hostile use of drones, sometimes referred to as 'weaponisation'. Examples include the delivery of explosive and inflammable payloads, and the carriage of weaponry. A drone could be used in 'kamikaze' mode by flying it into a terrestrial target or at an airborne target such as another drone, a helicoptor's blades, or the air-intake of a commercial jet
• there is considerable risk of the application of military capabilities in civilian contexts, particularly by law enforcement agencies, but also by the burgeoning categories of mercenary corporations that offer 'security' services, in war zones, and increasingly outside them as well

Virtually all of the generic concerns about surveillance apply to drones. This is expressly addressed in s.3.1 of Clarke #SC(2014c). In addition, surveillance concerns are greatly heightened by drones. This is expressly addressed in s.3.2 of Clarke (2014c). Public fears are considerable, and are capable of being quickly fanned by the media as examples of abuses arise.

In relation to emergency response applications of drones, it is clear that there are positive impacts on personal safety, and hence on privacy of the physical person. In addition, negative privacy impacts are largely incidental, negative behavioural privacy impacts will often be outweighed by the importance of public safety, and negative privacy impacts are manageable.

On the other hand, negative privacy impacts of emergency response applications of drones are only manageable if all of the following criteria are satisfied:

• use is made of them only where an 'emergency' demonstrably exists, rather than, for example, at public events, rallies, protests and demonstrations
• the action is a 'response' to circumstances, not in anticipation of circumstances, or in pre-emption of circumstances
• the surveillance is no more intensive, extensive and persistent than is justified by the circumstances
• the activities are subject to transparent pre- and post-controls
• opportunistic use of data arising from the activity is precluded
• a transparent complaints and enforcement mechanism is in place

The use of drones for surveillance purposes by all organisations must be subject to an effective regulatory regime. This applies to emergency services applications as it does to every other category of use. Otherwise, abuses will very likely occur, and, even if they did not, there would be considerable public disquiet about the scope for organisations to abuse their powers.

3. Current Protections

In Clarke & Bennett Moses (2014), a comprehensive review was undertaken of the regulatory framework governing aviation safety. As stated in evidence to the House of Representatives Committee in February 2014 (APF 2014a), public safety aspects lag seriously, and the Civil Aviation Safety Authority (CASA) has to date still not awakened from its slumbers.

In addition, Clarke (2014c) examined Australian laws relating to drone surveillance. The Privacy Act is all but irrelevant to behavioural privacy protection. All of the available torts such as trespass and nuisance - even the modern ones such as harassment and stalking, are effectively irrelevant to all of the situations that arise with drone surveillance. Commonwealth laws relating to visual surveillance are for the purpose of authorising Commonwealth agencies, not protecting privacy. and those State and Territory jurisdictions that have laws regulating visual surveillance, the scope is exceedingly narrow and the laws have been shown to be ineffectual.

In short, the regulatory framework for visual surveillance in Australia is a shambles, with scattered provisions relating to some aspects, and nothing at all relating to others.

This is evident to the federal Parliament (APH 2014). Whether that will be sufficient to cause legislative action remains unclear, and whether the resulting Bills will be subject to appropriate consultation, whether lobbying behind closed doors will undermine the Bills' quality , and whether this or any Government will actually pilot the Bills through the House and Senate, are all up in the air.

4. APF's Policy

Given the importance of appropriate protections, and the absence of anything like an appropriate body of laws and practices, the Australian Privacy Foundation's Policy Statement on Drones (APF 2014b) calls for all of the following:

• in relation to Privacy of Personal Behaviour, and of Personal Data
  1. Comprehensive laws regulating surveillance activities, by all organisations and individuals
     For further details, see APF's Meta-Principles, APF's Policy on PIAs and APF's Policy on Privacy and the Media
  2. Provisions that relate to private places, but also provisions that relate to private space in public places
  3. Provisions relating specifically to visual surveillance
     For further details, see APF's Policy on Visual Surveillance and APF's Policy on ANPR
  4. Provisions relating to aerial surveillance, reflecting the additional vulnerabilities that arise from it
  5. To the extent necessary, provisions relating to surveillance by means of drones
  6. The provision of the necessary responsibilities, authority and resources to an appropriate agency, to ensure that threats to behavioural privacy arising from unjustified and inappropriate surveillance are addressed, and that laws are enforced
• in relation to Privacy of the Physical Person:
  1. The application of well-established Technology Impact Assessment processes to drone technologies, including through the publication of background and issues papers, public hearings, published outcomes, and commitments to action arising from the outcomes
  2. The provision of the necessary responsibilities, authority and resources to CASA, to ensure that threats to public safety arising from drone accidents are addressed rather than being avoided, and that laws are enforced
  3. Enhancements to laws protecting the public against drone usage for physical and electronic interference, against aggressive use of drones, and against the application of military capabilities of drones in civilian contexts

5. Privacy as a Strategic Factor

Parliament and regulators have a job to do. But, even while they're prevaricating, and even if they fail to protect privacy and the drone industry, there are things that corporations, government agencies and industry associations can do.

Privacy has long been of strategic significance in many sectors of business and government (Clarke 1996, 2006b). A Privacy Strategy involves a proactive stance, an express strategy, an articulated plan, resourcing, monitoring against the plan. A number of well-established business processes can be applied to ensuring that an organisation's privacy strategy is appropriate to the needs of the organisation and the people its actions affect.

Critical among those business processes is a Privacy Impact Assessment (PIA). The APF's Policy Statement on PIAs (APF 2013) identifies eight attributes of an effective PIA process: purpose, responsibility, timing, scope, stakeholder engagement, orientation, process design and outcomes.

The guidelines of the Victorian Privacy Commissioner are very workable (OVPC 2009), and (with a few qualifications) the recently-revised guide by the Australian Privacy Privacy Commissioner is also quite reasonable and usable (OAIC 2014). A small number of specialist consultants exist in Australia who have experience in assisting organisations to conduct PIAs and get out ahead of privacy problems.

6. Conclusions

Applications of drones in emergency contexts are of very apparent value. Moreover, they tend to have only limited scope for privacy-invasiveness, and a strong argument exists for taking measured risks with behavioural and data privacy when human life and human safety are at risk.

However, there's an apparent, and entirely rational, tendency for drone applications in emergency contexts to be at the forefront of marketing communications by both suppliers and law enforcement agencies. The hope would appear to be that drones / UAVs / RPAS / very small aircraft by any other name will come to be accepted by the public; and that, subsequently, other, more threatening applications can have an easier ride. Many people are accordingly both:

• strongly supportive of the current emphasis on emergency response, and the use of drones to limit harm to frontline staff, hostages and victims of natural disasters and accidents; and
• cynical about the extent to which the current efforts are 'the thin end of the wedge'

The industry can do something constructuve about that. It can apply technology assessment techniques to public safety issues. It can apply privacy impact assessment methods to behavioural and data privacy concerns. It can engage with the public, with its representatives, and with civil society.

Some limited engagement is apparent, in the form of discussions between the suppliers' lobby group, the Australian Association for Unmanned Systems (AAUS), and Liberty Victoria. On the other hand, those discussions were undertaken in secret, and requests by APF for involvement, and even for a copy of the resulting document, have not at this stage borne fruit. Contact was made with APF by the operators' lobby group, the Australian Certified UAV Operators (ACUO), but nothing has come of it to date. No law enforcement agency has been in contact with APF on the subject of drones. No supplier has sought to engage with the organisation.

To date, supplier and user organisations have abjectly failed to protect their own interests, either through constructive activities by their industry associations or through their own actions. APF finds this behaviour remarkable, and recommends that proponents of drone applications of all kinds, including to emergency response, get their act together.

References

APF (2013) 'Policy Statement on Privacy Impact Assessments' Australian Privacy Foundation, March 2013, at http://www.privacy.org.au/Papers/PS-PIA.html

APF (2014a) 'Roundtable on drones and privacy' Hansard of the House of Representatives Standing Committee on Social Policy and Legal Affairs' 28 February 2014, pp. 38-46, at http://www.privacy.org.au/Papers/SenCtee-Drones-140228.pdf

APF (2014b) 'Policy on Drones' Australian Privacy Foundation, March 2014, at http://www.privacy.org.au/Papers/PS-Drones.html

APH (2014) 'Inquiry into drones and the regulation of air safety and privacy' House of Representatives Standing Committee on Social Policy and Legal Affairs, Australian Partliament House, 14 July 2014, at http://www.aph.gov.au/Parliamentary_Business/Committees/House/Social_Policy_and_Legal_Affairs/Drones/Report

Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy' Keynote Address to the Conference of the I.S. Audit & Control Association (EDPAC'96), in Perth, Western Australia, on 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html

Clarke R. (1997) 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms' Xamax Consultancy Pty Ltd, August 1997, at http://www.rogerclarke.com/DV/Intro.html#Priv

Clarke R. (2006a) 'What's 'Privacy'? Prepared for a Workshop at the Australian Law Reform Commission, 28 July 2006, at http://www.rogerclarke.com/DV/Privacy.html

Clarke R. (2006b) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006), at http://www.rogerclarke.com/DV/APBD-0609.html

Clarke R. (2014a) 'Drones and Privacy' Notes in Preparation for a Roundtable of the House of Representatives Standing Committee on Social Policy and Legal Affairs' Xamax Consultancy Pty Ltd, February 2014, at http://www.rogerclarke.com/SOS/Drones-HoR.html

Clarke R. (2014b) 'Understanding the Drone Epidemic' Computer Law & Security Review 30, 3 (June 2014) 230-246, PrePrint at http://www.rogerclarke.com/SOS/Drones-E.html

Clarke R. (2014c) 'The Regulation of of the Impact of Civilian Drones on Behavioural Privacy' Computer Law & Security Review 30, 3 (June 2014) 286-305, PrePrint at http://www.rogerclarke.com/SOS/Drones-BP.html

Clarke R. & Bennett Moses L. (2014) 'The Regulation of Civilian Drones' Impacts on Public Safety' Computer Law & Security Review 30, 3 (June 2014) 263-285, PrePrint at http://www.rogerclarke.com/SOS/Drones-PS.html

OAIC (2014) 'Guide to undertaking privacy impact assessments' Office of the Australian Information Commissioner, May 2014, at http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/guide-to-undertaking-privacy-impact-assessments

OVPC (2009) 'Privacy Impact Assessments Guide' Office of the Victorian Privacy Commissioner, April 2009, at http://www.privacy.vic.gov.au/domino/privacyvic/eb2.nsf/files/privacy-impact-assessments-guide

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University. He has also served as Chair of the Australian Privacy Foundation (APF) during the period 2001-08, and is Secretary of the Internet Society of Australia (ISOC-AU).

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax. From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021. Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer

Xamax Consultancy Pty Ltd ACN: 002 360 456 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 6916

Created: 13 July 2014 - Last Amended: 21 July 2014 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/SOS/Drones-PCLI.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy