On October 13, the Federal Trade Commission (FTC) held a workshop on drone privacy and cybersecurity as part of its Fall Technology Series. Close watchers of the drone privacy debate would recognize the arguments presented at the FTC workshop as reminiscent of the comprehensive and productive debate over drone privacy played out before the National Telecommunications and Information Administration (NTIA) earlier this year. The NTIA process concluded with the release of Best Practices for drone privacy supported by a diverse group of industry members and civil society representatives. Although the FTC’s workshop was in many ways a reprise of the NTIA multi-stakeholder debate, the workshop was notable insofar as the public gained new insights into FTC staff views on drone privacy and cybersecurity.
First, we learned that the FTC staff has concerns about drone cybersecurity. At the workshop the FTC’s Office of Technology Research (OTR) demonstrated how it could hack into a drone to surreptitiously monitor the drone’s camera feed and take control of the drone’s flight mechanism, causing it to change direction or fall to the ground. OTR had tested three off-the-shelf drones priced at less than $200 that it believed were representative of drone technology for the hobbyist market, although one industry panelist pointed out that one of the drones tested was ten years old. The FTC said that all three drones were flown using public WiFi access points that were not password protected and none of the drones encrypted communications. In addition to hacking the camera and flight controls, OTR collected MAC addresses and WiFi network information from the drones exploiting this system design. OTR noted that many mitigation strategies exist that could have frustrated this hack, including the use of encryption, network passwords, and alternative secure pairing mechanisms.
Second, we learned that FTC staff may be skeptical of the effectiveness of consumer notice and consent as a remedy for drone privacy concerns. FTC staff moderators questioned workshop participants on whether, in practice, notice could be provided to persons who a drone captures on video and further questioned whether drone operators could obtain consent from these persons. Following this discussion, FTC moderators asked whether there should instead be rules limiting data collection by drones, or restrictions on how data collected is used. This line of questioning echoes aspects of the FTC’s 2015 report on the Internet of Things, where Commission staff opined that there is no one-size-fits-all approach to privacy notices since some Internet of Things devices may have no consumer interface. The Commission staff also recommended in that report that companies consider data minimization to protect consumer privacy.
Third, we learned that FTC staff may believe that consumers perceive drones as invasive of their privacy. One of the FTC staff moderators indicated that he had a negative first impression of drones because he felt he was being watched. He also recounted a story of how a drone supposedly followed one of his colleagues as he walked down the street. The workshop included a presentation on consumer perceptions of drones by Yang Wang, an Assistant Professor at Syracuse University. Professor Wang communicated results of a study on public perception of drones, though his sample size was very small (with 16 total participants). Some participants in the study voiced concern regarding stalking, and the recording and sharing of their images by drone users.
Accordingly, the workshop provided new insight into how the FTC is thinking about drone privacy and cybersecurity. We expect that these issues will inform the Commission’s future research, enforcement, and policy work, including, potentially, the FTC’s issuance of a report on the workshop or perhaps even a new set of best practices for drone manufacturers and operators. Regardless of what direction FTC decides to go, it will be important to keep in mind the Best Practices released as part of the NTIA multi-stakeholder process earlier this year.
The FTC will accept public comments on the workshop through November 14th, 2016.