South Africa

Op-Ed: What Ramaphosa needs to do to fix state spying, part 6 – drones

By Jane Duncan 7 March 2018

Many drone manufacturers and operators want to see minimal regulation of drones to encourage innovation. Yet, civil society organisations have been warning about the dangers of under-regulating drones. What are the issues, and how concerned should South Africans be? By JANE DUNCAN.

Drones. Otherwise known as Unmanned Aerial Vehicles (UAV’s), they are those small flying machines buzzing over your head as you’re taking a dip in False Bay. They’re out there, looking for sharks.

We’re all familiar with the incredible panoramic views drones have shot of places like Cape Point. They can do all these incredible things because they’re small and piloted remotely, so that they can fly into places that may be inaccessible otherwise.

Many drone manufacturers and operators want to see minimal regulation of drones to encourage innovation. Yet, civil society organisations have been warning about the dangers of under-regulating drones. What are the issues, and how concerned should South Africans be?

Drones can malfunction, falling out of the sky, potentially injuring or even killing people. As a result, more countries are regulating drones to ensure public safety, but the concerns do not stop with safety only.

Drones have an unprecedented potential to violate privacy, because they lower the cost of aerial surveillance. Increasingly, drones are being equipped with highly sophisticated video equipment, night vision and zoom lenses. More sophisticated drones have the technological capabilities to identify human targets or intercept communications.

Their unprecedented capacity for undetected, pervasive mass surveillance of people – including of actions that may not usually be discernible to the naked eye – makes it easier for governments to use them to collect information on their citizens. S

Drones can also contribute to a routinisation of surveillance in public life, which can alter peoples’ behaviour in undesirable ways. People can become more fearful and timid when they suspect that the government may be watching them (even if it is not). They can become yet another building block in the ever-expanding surveillance state and make people feel dehumanised.

People have a right to know the circumstances under which they will be watched by the government. As a result, there need to be specific, articulable reasons for drone uses for state surveillance purposes. Drones can play a hugely important role in disaster management, where public safety is more important than the right to privacy. They can also serve other functions where reasonable expectations of privacy do not arise.

But governments enter into dangerous territory if they start to use them for dragnet policing practices, law enforcement fishing expeditions and even speculative, pre-crime type law enforcement, over private property, or to monitor protests.

As the American Civil Liberties Union (ACLU) has argued, drones are notoriously susceptible to mission creep, where drones are acquired for one set of stated purposes, and then used for another. So, a drone that is acquired for utility management, for instance, could be used to keep tabs on public utility workers.

Drones with “hover and stare” capabilities can violate physical privacy by, for instance, filming a person without their consent and even knowledge. They can also violate informational privacy, in that this data may be used to expose things about people that they don’t want to be exposed. The fact that drones operate well above eye level gives them massively intrusive potential.

To address these concerns, the ACLU developed a set of core principles that should govern drone use. These principles applied mainly to law enforcement and intelligence-gathering, where their use is likely to the most invasive.

The ACLU argued that governments should ensure usage restrictions on drones, so that they are not used to intrude on privacy unduly. They should not be allowed at all for indiscriminate mass surveillance, especially of constitutionally protected activities such as engaging in public assemblies.

When it comes to law enforcement purposes, the ACLU argued that drones should be deployed only for the clear purposes, in a targetted fashion against a person where a reasonable suspicion of wrongdoing exists and where the law enforcement officers have obtained a warrant. Government agencies should also use them for a time-limited emergency or where privacy will not be substantially affected, such as for geological or environmental purposes.

State agencies should also limit the retention of data unless there is a reasonable suspicion that the images show wrongdoing and may be used as evidence in criminal proceedings. The policies and procedures that guide the overall use of drones should be written and explicit, and subjected to public consultation and these decisions should be democratically-controlled. Information about drone usage should be made openly available, with narrowly tailored exceptions to protect ongoing investigations.

The ACLU argued further that drones acquired by the state for law enforcement purposes should be subjected to independent audits, so that the public can assess whether they are being used for the stated purposes, and whether they represented “value for money” for the taxpayer. In particular, the public should be in a position to assess if “function creep” is apparent. Drones should also not be fitted with weapons.

So how does South Africa measure up against these principles? Badly, I’m afraid.

Even before the CAA’s regulations were finalised, at least one local government – the City of Cape Town – was already testing drones for safety and security purposes and their stated uses were worryingly broad.

The city dismissed privacy concerns, arguing that residents do not need to be informed about the purposes of drone flights, as they are not informed about the purposes of helicopter missions. This argument missed the essential difference between helicopter surveillance and drone surveillance.

The Civil Aviation Act, which established the CAA, confines the authority’s role to airspace safety and security: it was not set up to consider privacy issues, although it could (and should, I would argue) read the security aspect of its mandate broadly to include privacy issues.

In this regard, it is instructive to look at what happened when US civil society petitioned their Federal Aviation Authority to conduct a public rule-making process on drones and their implications for privacy and other civil liberties. The authority refused, claiming that doing so did not fall within its mandate.

South Africa’s Protection of Personal Information (POPI) Act could prevent the misuse of personal data recorded by drones, but its mandate is confined to informational privacy, which raised the very real risk that the physical privacy aspects of drone usage would be unregulated.

The CAA regulations, released in December 2014 for public comment and finalised in a huge rush, were problematic as they were completely silent on privacy questions. The regulations also made no mention of the POPI Act, and failed to set baseline standards for privacy.

As mentioned in my previous article, the information regulator, envisaged by the POPI Act, is still in the process of being set up. This regulatory gap makes it all the more important for the CAA to take the initiative and set privacy standards, as these aspects of drone activity are unregulated at the moment.

However, it would appear that the CAA has chosen to deal with privacy concerns on a case-by-case basis as they arise, rather than setting privacy-enhancing standards in advance. This approach is problematic, as the regulations are not sensitising the drone industry to these considerations at the point of licensing, which increases the potential for privacy violations.

Most concerning are the lack of controls over using drones for surveillance purposes, with wide discretion given to the CAA’s Director to authorise drone usage for such purposes.

The regulations were particularly weak on the responsibilities of drone operators to respect privacy. Rightfully, the CAA should have specified minimum privacy requirements for drone operators, and required each operator to comply with these requirements.

The CAA should have also ensured that all drone operators were familiar with the requirements of the POPI Act, and required explicitly that all data gathered from drones should be handled in terms of the act. The CAA should have also made sure that the contents of the act and its data protection principles should be included in the theoretical knowledge examinations and the flight training of drone pilots.

Another gap in the regulations was that drone operators were not required to have written plans for the operator’s use and retention of data collected by the drone, which included a data minimisation statement. These requirements are particularly important in operations in the vicinity of people, property, structures and buildings, or in the vicinity of public roads.

In fact, the duties of a pilot should have explicitly included minimising unwarranted invasions of privacy. In order to ensure that this duty is adhered to, then drone operator should ensure that their system of record-keeping covers privacy aspects, and to the extent that they contain personal information, people should have a right to request the information or to request that it be deleted.

Furthermore, the CAA should have committed itself to an annual review of operators to verify compliance with the stated privacy policies and share these outcomes publicly, and invite public feedback on its findings. With regards to drone sales or re-sale labelling, the labels should state explicitly that usage must comply with the POPI Act. The regulations were silent on all these issues, too.

Rightfully, if drones are going to be deployed for the purposes of law enforcement or national security surveillance, then even more stringent principles should apply. Such surveillance should require a warrant, and be deployed only to address a real, pressing and substantial need. In fact, these forms of drone surveillance should be viewed as an exceptional step, only to be taken when less privacy-invasive interventions have failed.

Unless there are pressing public interest reasons not to, the public should be informed about the surveillance missions and they should also be able give inputs on the circumstances in which public surveillance is acceptable or not.

Another gap in the CAA’s regulations were that they did not ban weaponised drones entirely; while it did forbid drones from carrying dangerous objects or substances, the CAA Director can give permission for them to do so. Such drones are dangerous as they can potentially cause great injury, with little threat to the actual operators, increasing the risk of them being used recklessly.

The fact that the drone operators function at some distance from their targets can create a moral vacuum, in which engaging in violent incidents becomes easier. This point is not germane to the US and its drone strike programme only; a South African company has manufactured weaponised drones to control strikes in the wake of the Marikana massacre. This “risk free” method of policing strikes could well propel the drone operators to use excessive force, even where there is no compelling need to do so.

South Africa has a burgeoning drone industry, in much the same way that it has a burgeoning communication surveillance industry. It is in the best interests of this industry to remain under-regulated, as this will allow them to grow relatively unhindered by government strictures.

According to a CAA response to a Promotion of Access to Information Act request (which had to be dragged out of the clearly-reluctant CAA), by June 2017, hardly any approvals had been issued for beyond visual line of sight operations, or for operations in controlled airspace. These statistics suggested that the majority of approvals were for non-intrusive activities. But this does not mean that such applications will not be forthcoming in future.

Cyril Ramaphosa’s Presidency needs to ensure that the information regulator is empowered to take on other privacy-insensitive regulators, such as the CAA. Otherwise, don’t be surprised if you see a drone hovering over your protest and live streaming you and your comrades to the spooks. DM

Jane Duncan is a professor in the Department of Journalism, Film and Television at the University of Johannesburg. Her new book is called Stopping the spies: constructing and resisting the surveillance state in South Africa (forthcoming from Wits University Press)

Drone Photo by Pixabay