Privacy for Citizen Drones: Use Cases for Municipal Drone Applications

Privacy for Citizen Drones: Use Cases for Municipal Drone Applications

By Timothy Yim, CTSP Fellow and Director of Data & Privacy at Startup Policy Lab | Permalink

Previous Citizen Drone Articles:

1. Citizen Drones: delivering burritos and changing public policy
2. Privacy for Citizen Drones: Privacy Policy-By-Design
3. Privacy for Citizen Drones: Use Cases for Municipal Drone Applications

Startup Policy Lab is leading a multi-disciplinary initiative to create a model policy and framework for municipal drone use.

A Day in the Park

We previously conceptualized a privacy policy-by-design framework for municipal drone applications—one that begins with gathering broad stakeholder input from academia, industry, civil society organizations, and municipal departments themselves. To demonstrate the benefits of such an approach, we play out a basic scenario.

Even with this “basic” scenario, a number of questions immediately jump to mind. Here are a few:

Intentional & Unintentional Collection

• Will the drone be recording audio as well as video? And will the drone begin recording within the boundaries of the park? Or over surrounding public streets? What data is actually needed for the stated flight purpose?
• Will the drone potentially be recording city employees or park-goers? Does the city need to do so for the stated purpose of monitoring for park maintenance? Is such collection avoidable? If not, how can the city build privacy safeguards for unintentional collection of city employees or park-goers into the process?
• How can notice, consent, and choice principles be brought to bear for municipal employees for whom data is collected? How can they be applied to park-goers? To residents of surrounding homes? To citizens merely walking along the edge of the park?

 

Administrative & Technical Safeguards

• What sort of access to the collected data will the employees of the recreation and parks department have? Will access be tiered? Who needs access to the raw video? Who needs access only to the post-processed data reports?
• What sort of processing on the video will occur? Can the processing be algorithmically defined or adapted for machine learning? Can safeguards be placed into the technical processing itself? For example, by algorithmically blurring any persons on the video before long-term storage?
• What sort of data retention limits will apply to the video data? The post-processed data reports? The flight plans? Should there be a shorter retention period, e.g., 30 days, for the raw video footage?

 

Sharing: Vendors, Open Data, & Onward Transfer

• Who outside the recreational and parks department will have access to any of the data? Are there outside vendors who will manage the video processing? Are there other agencies that would want access to that data? Should the raw video data even be shared with other agencies? Which ones? Under what conditions?
• What happens if the drone video data is requested by members of the public via municipal FOIA-analogue requests? What sorts of data will be released via the city’s open data portal? In each case, how can the privacy of city employees and park-goers be protected?

 

Assessing Stakeholder Interests

We’ve got a good list of potential issues to start considering, but in the interest of demonstrating the process as a whole and not getting lost in the details, we’re going to limit the scope of discussion down to just one facet—the unintentional collection of municipal employee data.

The Park Dept. begins by assembling both internal municipal stakeholders and external stakeholders—such as industry stakeholders, interdisciplinary academics, and public policy experts—and then proceeds to iterate through a simple privacy impact assessment.

Data Minimization for Specified Purposes

Stakeholder: Parks Dept. Drone Project Lead

After assembling the stakeholder group, the Parks Dept. drone project manager outlines the use case above, adding the following relevant details:

The Parks Dept. then defers to the privacy and data subject matter experts to highlight the potential legal and policy issues at stake.

Stakeholder: Privacy & Data Expert, Legal Academic or Civil Society

Privacy best practices usually dictate that data collected, processed, or stored be limited to that which is necessary for the specified purpose. Here, the Parks Dept.’s purpose is to detect changes in park features and vegetation that will allow the Parks Dept. to better maintain the park. The drone flight video and associated data will focus on the trees, foliage, and plant debris. Unfortunately, this video data will also unintentionally capture, on occasion, the two Parks Dept. workers. Perhaps there’s a way to limit the collection of video data or secondary data on the Parks Dept. employees?

Stakeholder: Outsourced Video Processing Vendor

At this point, the external vendor that handles the processing of the video data helpfully chimes in. The vendor can create a machine learning method that will recognize human faces and bodies and effectively blur them out of both the subsequently stored video and the data analytics report produced. Problem solved the vendor says.

Stakeholder: Privacy & Data Expert, Engineering & Public Policy Academic

The privacy academic pipes up. That might not solve the problem the academic says. Even if blurred, because there are likely only a limited number of employees who would be performing a given task at a given date, time, and location, it might be easy to cross-reference the blurred images with other data, and identify the Parks Dept. gardener. Even going beyond blurring and producing full redactions within the video data might be insufficient. It would be safer to simply discard those portions of video data entirely and rely on the data reports.

Stakeholder: Parks Dept. Management

One manager within the Parks Dept. speaks up. Why do we even care? If we have Parks Dept. employees in the video data, that’s not so bad. We can monitor them while they work, to see how hard they’re really working.

Another manager responds. That wasn’t an approved purpose for the drone flights. Plus we already have performance metrics that help assess employee productivity.

Stakeholder: Union of Laborers Local 711

The representative from the Union Laborers Local 711, to which the two municipal workers belong, adds that there are pre-existing agreed-upon policies around the privacy of their union members. Especially since we haven’t determined how this data might be made available via the city’s open data portal or via municipal FOIA-analogue requests. While the union understands that drone video might unintentionally capture union members, it appreciates best efforts to cleanse and disregard that information.

 

Notice, Consent, & Choice

The team comes to a consensus that Parks Dept. employees may be unintentionally captured on drone video footage, but will not be factored into the post-processed data summary reports. Additionally, the raw footage will include video redactions and will be retained for a shorter period of time than the data summary reports.

The team meeting goes on to determine how to provide and present notice and choice options to the Parks Dept. workers.

Stakeholder: City Attorney

The city attorney happily reports that he can easily write notification language into the Parks Dept. employee contracts. Will that be enough for meaningful notice? And will there be any choice for Parks Dept. workers?

Stakeholder: Privacy & Data Expert, Academic or Civil Society

The privacy expert addresses the group. That may depend on the varying privacy laws in a particular state or country, but it’d be much better if additional notice were given. For example, the flights could be limited in number and scheduled, with updates accessible via the city’s mobile application for employees.

Stakeholder: Union of Laborers Local 711

The representative from the Union Laborers Local 711 adds that simplified, graphic drone flight notice should also be posted as a supplement to the physical Board of State and Federal Employee Notices in the Parks Dept. staff lounge.

 

Data-Driven “Pan Out”

As the camera pans out from our imagined privacy policy-by-design meeting, the privacy and policy expert from civil society suggests that the general policy framework around municipal drone use should start with broad privacy safeguards, evolving from that beginning only once additional data is gathered from both actual municipal drone use as well as stabilizing societal norms.

Takeaways

The creation of a robust, privacy policy-by-design framework for municipal drone use is indeed a challenging endeavor. Understanding the privacy interests for the many impacted stakeholders is a critical starting point. Policymakers should also encourage meta-policies that allow the collection of data around the implemented policy itself. Our goal is develop frameworks that enable law and policy to evolve in lockstep with emerging technologies, so that society can innovate and thrive without compromising on its normative values. Here that means the creation of innovative, positive-sum solutions that safeguard privacy while enabling modern drone use in and by cities.

If you are one of the interested stakeholder groups above or are otherwise interested in participating in our roundtables or research, please let us know at drones@startuppolicylab.org.