Drones have rapidly transformed dozens of industries since hitting the commercial market. International aid groups use medical drones to deliver life-saving medications and vaccines to remote areas. Agricultural drones have revolutionized how farmers tend their fields. Film and television producers embrace drones for their ability to capture once prohibitively expensive or outright impossible camera shots. Hobbyists love the technology for a variety of recreational purposes.
However, as drones have become increasingly commonplace, lawmakers and policymakers have struggled with effectively regulating this emerging domain. In addition, no federal law, state law, or industry best practice adequately addresses the unique privacy and cybersecurity risks drone operations pose. Until federal regulation catches up with the technology, lawyers could move courts to mitigate the issue by arguing for strict liability for drone operators and manufacturers.
Although drones may seem like traditional aircraft, they actually pose unique privacy concerns. Drone systems rely on real-time and simultaneous data exchanges between the operator, GPS positioning, cloud-based processing and telemetry, and the drone itself. Each facet in such a complex system presents a new opportunity for attackers. Besides the vulnerability of data traveling between the drone and its control systems, drones are also physically vulnerable. Researchers at the University of Texas Austin successfully hijacked a drone using commercially available equipment. The researchers used a local GPS transmitter to send the drone false GPS coordinates, causing it to fly off its preprogrammed path. The criminal and terror applications are evident – terror groups could use this technique to hijack drones and cause them to fly into buildings, thieves could intercept consumer drone deliveries, and militant groups could capture and ransom critical medical deliveries. Before they can enjoy widespread use, drone operators (and manufacturers) must adequately secure their devices.
Courts and policymakers have sought to address the obvious and highly publicized issues associated with drone flight, such as irresponsible pilots harassing pedestrians and disrupting airports, while neglecting the novel threat that drones pose to personal privacy. Unlike crewed aircraft, drones often use remote cameras and other sensory inputs to guide their operators. In this way, drones are more akin to flying smartphones than traditional crewed aircraft. Additionally, drones can collect visual and other sensory data at a great distance and without alerting the data subject. As a result, individuals whose privacy is infringed will likely never know (or identify) the drone operator, regardless of whether they see the offending device. In addition, the growing ubiquity of drones, such as deliveries to consumers, may further obfuscate a voyeur’s identity. Was that drone looking through my window or just delivering the neighbor’s package?
Surprisingly, the FAA doesn’t have authority to regulate data flow from drones; the Administration considers it outside of its congressional mandate. And while other federal statutes address specific drone data flows, no complete regulatory scheme exists. State-level regulations are similarly lacking. While some states regulate drone use by law enforcement and many smaller localities have piecemeal ordinances regulating drone activity, no state law entirely protects the privacy and security of data flowing to and from civilian drones. While the states have theoretical regulatory authority over drones, they are ultimately ill-suited to address the industry and, in most cases, lack the resources to meet the task. Finally, common tort law falls short here as well. It may address intentional voyeurs, but there’s no common law “negligent invasion of privacy” cause of action to cover accidental disclosures.
The courts are the last body that may step in to regulate drone operations in the absence of effective bureaucratic, legislative, or industrial authority. While Supreme Court Associate Justice Samuel A. Alito, Jr. has indicated that legislative action is needed to handle changing technology effectively, the courts have a history of reining in maverick industries. For example, Judge Benjamin N. Cardozo, who would go on to serve on the Supreme Court, famously developed the concept of strict products liability to address unsafe practices in the burgeoning automotive sector. That industry shared many critical elements with today’s drone industry: the emergence of a disruptive new technology promised to both revolutionize human productivity while upsetting traditional notions of public safety. In case before Judge Cardoza, a manufacturer purchased a defective wheel from a third-party supplier. The injured driver had no legal recourse: the automotive manufacturer pointed the finger at their supplier, and the supplier owed no contractual duty to the consumer. Judge Cardozo came up with the legal innovation that underpins modern products liability law: he determined that a manufacturer that enters a product into the stream of commerce must reasonably foresee injury to the ultimate consumer.
Faced with another disruptive technology, courts today will likely develop case law that: 1) redefines the duty of care for drone operators for the audio or visual data that they collect in-flight which infringe on the seclusion of others, and 2) imposes strict liability on drone manufacturers for compromises in drone cybersecurity. Under this proposed liability theory, the law would expect drone operators to consider the entire data chain generated by their activities. A bird watcher using a drone to film into a lofty nest, for example, would be held responsible for the content of their video stream if it accidentally spied someone through their bedroom window. This would encourage drone operators to take reasonable care with their flying cameras. While accidental peeks into a neighbor’s home may not be highly offensive, drone-mounted cameras are risky enough to justify a heightened standard of care. This system would also draw attention to the current regulatory gaps and provide a stopgap measure until Congress broadens the FAA’s mandate or enables another regulatory authority.
Similarly, this type of strict liability scheme would compel drone manufacturers to consider the possible collateral damage caused by their products. For example, the manufacturer of a drone hijacked in a terror plot would be held responsible for failing to protect their product from hackers. Manufacturers are already liable for foreseeable injuries caused by their products, but this proposed modification to products liability law would broaden the definition of reasonably foreseeable injury to include widely publicized exploits such as UT Austin’s GPS spoofing. Again, this burden isn’t unreasonable – manufacturers are in the best position to implement some of the necessary protections and safeguards for widespread drone use.
Drones will inevitably become integral to our society; however, without proper regulation the novel legal issues that they raise will stunt the industry’s growth and dampen the many benefits it promises.
Congress will need to give the final word on drone use, but the courts – urged by persuasive attorneys – may offer stopgaps to foster sustainable growth in the meantime. Such a model would likely force every participant in the drone data chain to enter privity with the ultimate consumer and give injured individuals a temporary recovery mechanism until Congress empowers the FAA or another agency to regulate drone activity adequately.
Kathryn M. Rattigan (krattigan@rc.com), J.D. With deep experience in the law and regulation of unmanned aerial vehicles, Kathryn practices in the Providence, R.I., offices of Robinson+Cole. She is a member of the firm’s groups that focus on business litigation, data privacy and security, and drone compliance. Kathryn is also a member of the Editorial Board of Advisors for the Journal on Emerging Issues in Litigation and the Emerging Litigation Podcast.
Blair Robinson is a cybersecurity intern at Robinson+Cole. She will graduate in 2023 with a J.D. from the Roger Williams University School of Law to complement her Masters of Science degree in Cybersecurity also from Roger Williams University.
