Image: Steve Rhodes/Flickr
UPDATE, 7:50PM EST: When asked to clarify the wholesale redaction of the privacy impact assessment, the FBI cited its litigation with CREW as a block on responding. "Unfortunately this matter is pending litigation," wrote Christopher Allen of the FBI Office of Public Affairs, "so I will not be able to comment."
The FBI has been flying drones since 2005, according to a trickle of documents released over the last eight months. Agents called in a small surveillance drone on a hostage situation in Alabama in February 2013, and to monitor a dog-fighting scheme in August 2011.
But despite a mandatory process designed to mitigate privacy concerns, the question of how FBI drones may be impacting Americans' privacy rights remains unanswered.
Federal law requires the FBI to assess its own surveillance technologies for potential privacy and civil liberties snags. While these technology assessments are typically prepared for public consumption, the FBI has refused to release its privacy reviews on drones.
The E-Government Act of 2002 obliges federal agencies to conduct a privacy impact assessment (PIA) prior to deploying any information technology that collects personal information. Per Department of Justice guidelines, the PIA process ensures that privacy protections “are built into the system from the start—not after the fact,” in order to “promote trust between the public and the Department by increasing transparency of the Department’s systems and missions.”
In keeping with their fundamentally public function, privacy impact reports must be “clear, unambiguous, and understandable to the general public” under DOJ guidelines. The default is for agencies to complete a given privacy impact assessment with enough lead time for it to be evaluated, approved and posted online before any testing or piloting of the given technology.
Last July, Sen. Rand Paul (R-KY) wrote a letter to the FBI expressing concern that privacy protections around surveillance drones "could be undercut by the Bureau's interpretation of what constitutes a 'reasonable expectation of privacy.'"
An audit of the DoJ's use of drones released in September determined the FBI had not addressed the danger to privacy posed by unmanned vehicles, and recommended implementing drone-specific guidelines to protect privacy rights. One of the report’s footnotes highlighted that the FBI’s Office of General Counsel was "conducting a privacy review" of its drone program as of June 2013, but any documents relating to this review have not been released.
An internal FBI slideshow released in December aimed to justify the constitutionality of the FBI's use of UAV domestically, but rests on legal precedent involving manned aircraft.
The Justice Department PIA template walks agencies through the necessary steps to justify data collection, account for potential privacy threats and mitigate such risks. This includes listing out all potential threats along with steps taken to hedge against abuses.
Per these guidelines, the FBI was required to conduct a privacy assessment prior to establishing its unmanned aerial vehicle surveillance program in 2005, or at least before conducting its first operational deployment in October 2006.
Responding to a hard-fought FOIA request and lawsuit from watchdog organization Citizens for Responsibility and Ethics in Washington (CREW), the Bureau has appeared to have completed at least one review (and possibly two) of its drone surveillance program, but all documents have been redacted in full.
The FBI website has a dedicated page for privacy impact assessments. Since 2003, the agency has posted more than 30 assessments for such tools as a database of its agents’ firearms training, an application to detect fraudulent property flipping schemes and a university partnership to develop facial recognition technology. Nary a mention of drones or unmanned aerial vehicles, though.
By comparison, the Department of Homeland Security has completed two drone PIAs and posted them in full online: the first for Predators operated by Customs and Border Patrol, the second for a project to evaluate small unmanned vehicles for emergency responders.
The Predator assessment, completed in September 2013, identifies a handful of potential privacy liabilities for CBP drone operations, particularly the relative difficulty of detecting drones given their small relative size and ability to hover at length at high altitudes:
But the report also specifies the number of Predators flown by CBP, the specific regions and altitudes at which they fly and the particular sensors they carry. Sensor payloads include still and video cameras enabled for both daytime and infrared collection, plus a Wide Area Surveillance System (WASS) radar sensor for sweeping six kilometer swaths along the Mexican border.
Broad as they are, the DHS privacy assessments posted online allow for some measure of public vetting and accountability. Each PIA outlines granularity for collected data, as well as the procedures for sharing, processing and storing that data. The same basic privacy flags presumably apply to FBI drones, but the agency has so far refused to disclose basic PIA documents and the concerns that might be contained within them.
Justice Department agencies may withhold PIAs if publication would “reveal classified, sensitive, or otherwise protected information (e.g., potentially damaging to a national interest, law enforcement effort, or competitive business interest).” The FBI has claimed to both FOIA requesters and members of Congress that it is “not in a position to disclose publicly more detailed information concerning the Bureau’s specific use of UAVs,” and that releasing details regarding its drone inventory, policies or deployment procedures would jeopardize “the effectiveness of this capability in law enforcement and national security matters.”
If an agency chooses to withhold publication, the Justice Department guidelines require that the agency publish a separate justification for keeping PIA findings from the public. In response to the CREW document request, the FBI withheld the assessment in full as well as documents justifying the decision not to post drone privacy reviews online.
The FBI's withholding of documents follows a pattern of obscurity surrounding its drone surveillance operations: the FBI has redacted everything from basic invoice details to congressional correspondence already posted in full online. "Reckless use of drones by the FBI could threaten the constitutional right to privacy of every American, yet we have still not seen documents explaining FBI policies and how they intend to protect privacy rights," CREW wrote in a blog post.
MuckRock has submitted a fresh request for all of the FBI’s privacy impact assessment documents, including the Bureau’s justification for keeping its assessment report offline.