As technology continues to blur the lines between privacy and security, the Homeland Security Department has several suggestions to help agencies consider civil rights and liberties issues when setting up their respective unmanned aircraft system programs.
The DHS Unmanned Aircraft Systems Privacy, Civil Rights and Civil Liberties Working Group, which department leaders formed about three years ago, released 15 best practices for agencies as they establish their own unmanned aircraft systems (UAS) or drones.
Co-chairs of the working group acknowledged that all suggestions might not apply to every agency. But DHS, specifically Customs and Border Protection, can draw on 10 years of experience from using unmanned aircraft to protect U.S. borders, they wrote.
“The DHS Working Group neither proposes nor intends that this document regulate any other government entity,” the co-chairs wrote in a joint statement. “Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights and civil liberties throughout the lifecycle of an unmanned aircraft systems program.”
The group includes DHS Officer for Civil Rights and Civil Liberties Megan Mack, DHS Chief Privacy Officer Karen Neuman and CBP Deputy Assistant Commissioner Edward Young.
Many of the group’s recommendations serve as reminders to agencies that as they begin to establish UAS programs, they keep privacy, civil liberties and rights experts involved throughout the entire implementation process — from the procurement to audit and oversight stages.
Agencies should, for example, regularly keep track and submit reports to their legal, privacy, civil rights and civil liberties experts on all of their UAS activities and the complaints they receive.
Other suggestions center around the issue of information sharing and security.
Before setting up a UAS program, the group suggests some agencies conduct a Privacy Threshold Analysis to determine whether their programs will conduct personally identifiable information (PII).
Agencies should also set up security safeguards to prevent data loss or unauthorized access to PII.
“Security measures should be layered to avoid reliance on any single security measure,” the working group said. “Employ several measures that functionally overlap to create redundancy in the security of data and the overall program.”
But the guidelines lack specifics on how long agencies can store information about individuals, which Neema Singh Guliani, legislative counsel at the American Civil Liberties Union, said is a problem.
The working group, for example, suggests agencies establish an approved records retention schedule that would systematically get rid of the information that is no longer useful or legal to keep.
“Ensure retention periods are compatible with the type of data retained and needs of the unmanned aircraft program,” the group suggested. “Data collected that does not pertain to an authorized purpose should not be retained beyond 180 days.”
But Singh Guliani said agencies could do a lot with that information in 180 days. If one agency uses a drone to collect information for a specific, authorized purpose and holds that data for 90 days, it could give another organization that same information, she said.
“Right now, if you have information for an authorized purpose — whatever that means — and throughout the course of that you want to use if for another purpose, there’s nothing that says you can’t do that,” Singh Guliani said.
The 15 best practices are:
Consult legal counsel, privacy and civil rights and liberties experts at each step in the formation process.
Publicly state the purpose for setting up an unmanned aircraft system program.
Publicly document any changes to the program’s purpose.
Put a senior official, preferably one in an agency’s privacy and civil liberties office, in charge of overseeing the program.
Consult privacy and civil liberties experts throughout the implementation process.
Conduct an analysis of possible privacy and civil liberties concerns before establishing a program.
Limit the data and information that unmanned aircraft systems collect and keep, and comply with records retention policies.
Respect constitutional activities.
Set up a redress program that can receive, investigate and address privacy, civil liberties and rights complaints.
Establish audits and other accountability procedures.
Design the UAS with the proper security controls to ensure that the right data stays in the proper place.
Include legal, privacy and civil rights considerations in the procurement process.
Maintain a transparent and open relationship with the public about the UAS and its implementation.
Train personnel on privacy and civil liberties issues that may come up when operating an unmanned aircraft system.
Develop a system for handling UAS service requests.
Though the recommendations are intended for federal, state and local agencies, as well as government partners and grantees, the private sector might also find them useful, the co-chairs wrote.