Consumer Privacy in an Age of Commercial Unmanned Aircraft Systems.

• Author: Hagemann, Ryan
• Position: Essay

In recent years, the commercial potential of unmanned aircraft systems (UASs), more commonly referred to as drones, has captured the public imagination. From Amazon's ongoing testing of a UAS delivery service to Uber's recently proposed vertical take-off and landing transportation network, the commercial possibilities are ever growing.

To begin expediting the deployment of this emerging technology, in October 2017 the Trump administration issued a memorandum to the secretary of transportation directing the establishment of a UAS-integration pilot program (White House 2017). Although this is a notable step toward integrating and operationalizing UAS commercial operations in the national airspace, the privacy implications of this technology remain a pressing concern in many quarters.

UAS privacy issues are often framed in the context of government surveillance and potential First and Fourth Amendment violations. The implications for nongovernmental private-sector data collection, however, have received less attention. An "invasion" of privacy is heavily contextual, based on who is doing the surveilling, how it is carried out, for what purpose, and where it is conducted. For the discussion that follows, the who is specifically siloed to commercial service providers. The government's breach of an individual's privacy is subject to any number of statutory restrictions on law enforcement and intelligence agencies, not least of which include the Fourth Amendment to the Constitution, and is far more clearly legally delineated. The how, what, and where of commercial "surveillance," however, are much less clear, especially in the context of UAS operations.

For the purposes of this paper, the focus on "surveillance" is specifically constrained to commercial UAS data-collection operations and nongovernmental surveillance that does not implicate constitutional considerations under the Fourth Amendment. I begin by discussing more general issues of privacy in the digital age as well as the domestic legal and regulatory structure that governs privacy. Then I examine these issues as they currently relate to UAS data collection for commercial purposes as well as the current debate over acquiring consent. The paper concludes by looking at all of these issues in the context of a hypothetical future-use scenario for commercial UAS data collection and argues that technology-specific regulations would be an ill-advised means of responding to potential privacy challenges.

How We (Paradoxically) Think about Privacy

Privacy is an amorphous concept. Its subjective valuation differs from individual to individual, and conventional expectations have changed considerably over time (Hagemann 2016). For example, in their seminal law review article "The Right to Privacy," Samuel Warren and Louis Brandeis argued that "[t]he intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury" (1890, 194). These concerns were specific to the emergence of a new technology at the end of the nineteenth century: the camera. Samuel Warren, taking great offense at the audacity of local photographers snapping pictures of his daughter's wedding on Boston Common, coauthored the article as a reply to concerning developments over the emergence of a new technology that held the potential to upend traditional sociocultural privacy norms. Such responses were and are nothing new.

These types of fears materialize at regular intervals throughout history and often subside as the new technology proves its utility to individuals. Such fears have been a common enough occurrence that they even have a name: the privacy panic cycle. This cycle is a social phenomenon in which the emergence of a new technology induces fear in a subset of the population. As Daniel Castro and Alan McQuinn have noted, these "techno-panics" result from fears that "center on an anticipated problem that does not come to pass.... While society eventually overcomes techno-panics, they can significantly slow the pace of technological progress, imposing real costs on society in the process" (2015, 2). These cycles occur over time in four stages, distinguished by three inflection points of public concern.

The trusted-beginnings stage occurs when a technology is still emerging and remains a novelty. At a "point of panic," however, public concerns fuel the shift toward the rising-panic stage, during which public concern begins rising until reaching a "height of hysteria." After this high-water mark of public concern, public fears begin subsiding throughout the deflating-fears stage. Once a "point of practicality" is reached--that is, the point at which the technology becomes commonplace, integrated into the public's daily life--the "moving on" commences, characterized by the dissipation of public concern and marking the end of the panic cycle. Regarding UASs, Castro and McQuinn argue that the current debate is in the rising-panic stage:

Given the prevalence of privacy advocates in the [drone] debate, the use of privacy rhetoric by policymakers when they discuss the technology, and the frequency of commercial drone coverage by the media, this technology has moved into its Rising Panic stage. Indeed, a 2014 survey found that nearly three-fifths of U.S. adults have privacy concerns about drones, despite only 3 percent of respondents having actually operated one. The privacy fears coalescing around this technology will continue to build until the technology is integrated into society and commonsense legislation is crafted to mitigate actual harms while protecting innovation. (2015, 21) It is particularly noteworthy that so many individuals have expressed privacy concerns over UASs despite very few having hands-on experience with them. This is a defining characteristic of this early phase of the privacy panic cycle and will likely recede once a critical mass of the public is in close and regular contact with UASs.

Regarding the actual acquisition of consumer data, irrespective of the technological means by which it occurs, consumers' actions tend to be highly mismatched with their revealed preferences. As Will Rinehart has argued, "[P]eople will often state a preference for privacy, and yet will be very willing to trade information for little to nothing. These harms seem to be relatively costless" (2016). Ben Wittes and Emma Kohse concur and argue that this privacy paradox--wherein individuals may tend to state a preference for highly guarded privacy protections but reveal much less concern about the issue through their actions--is quite common:

[T]he many studies of consumer attitudes toward privacy show a real gap between people's stated attitudes and their behaviors. For example, researchers who compared participants' self-reported opinions about privacy with their behavior during an online shopping experience found no correlation between greater concern for privacy and likelihood of taking privacy-protecting actions. Participants who reported concerns about protecting their privacy online were no less willing to reveal "even highly personal information." In another study researchers found that people tended to declare that they would refuse to provide certain personal information to marketers, but did, in fact, reveal that information when asked two weeks later. What people say about privacy does not seem to match what they do--even with respect to disclosure of specific personal information. (2017, 6) Wittes and Kohse go on to conclude that people, taken as a whole, tend to "prioritize privacy from those around them over privacy from the remote companies that collect data on us and, indeed, a preference for facilitating highly local privacy at the expense of privacy from remote data-collectors" (2017, 16). Although Wittes and Kohse...