Legal and Ethical Issues Associated with Sensor and Drone Journalism

On March 18th, the Columbia Journalism School hosted a group of academics, lawyers, journalists and makers who gathered for a workshop on the legal and ethical issues associated with sensor journalism. The event was organized by Fergus Pitt, a Fellow at the Tow Center for Digital Journalism working on the Sensor Newsroom Project funded by the Tow Foundation and the Knight Foundation.

Workshop participants covered a wide range of topics including privacy, data accuracy and intellectual property. I participated in two panels: the first featured a discussion on regulatory and intellectual property issues with Mike Hord, Electrical Engineer at SparkFun Electronics and Matthew Schroyer, Founder and President of the Professional Society of Drone Journalists; and the second featured a discussion with Deirdre Sullivan, Senior Counsel at the New York Times on risks and liabilities associated with drones.

Mike Hord led an interesting discussion on the Federal Communications Commission (FCC) rules governing the electromagnetic spectrum. While commercial entities face stringent testing requirements for electronic devices, the good news for hobbyists is that the rules permit individuals to use a single design to build up to five electronic devices without having to complete any testing. However, even though testing may not be required in these cases, individuals must comply with all applicable rules. For instance, if a device causes unacceptable interference, the user may still face legal penalties.         

Matthew Schroyer explored closed and open source models in the context of sensor journalism. Media companies that develop closed technologies can benefit from clear revenue streams from licensing activities. Although newsroom technologies remain predominantly closed, journalists are increasingly adopting open source tools. The open source model presents many advantages to journalists, for instance it promotes transparency and accountability, which are particularly important in the context of sensor journalism investigations in which accuracy and precision are critical.

Deirdre Sullivan and I explored the risks and liabilities that media companies and journalists face when developing and operating drones, an obvious concern being the risk of physical injury or substantial property damage.

Deirdre approached these concerns from a negligence perspective. Tort liability for negligence can be applied where an individual has a duty, the duty is breached and injury results. A journalist operating a drone has a duty to not place others in foreseeable risks. If the journalist breaches this duty – for example, by flying dangerously close to a crowd at an outdoor concert – and someone is injured, then it is likely that a negligence claim would succeed. Deirdre also explored the potential application of negligence per se in the context of commercial use of drones. Generally, when an action violates a statute (i.e. speeding), such action conclusively establishes negligence, hence the term negligence per se. Since commercial drone operations currently fall in a legal grey area, Deirdre suggests that it is unclear whether negligence would be presumed in personal injury claims arising in the context of commercial drone operations.

I explored the application of product liability concepts to open and closed drones, and suggested that liability is more straightforward in the context of closed drones. For example, a closed drone may be built with safety features such as ‘sense and avoid’ technology to reduce the risk of collision. If these features do not function, then the developer may be held liable for personal injury or property damage. However, if a journalist operator modifies a drone in violation of the end-user license, then the developer could avoid liability by claiming alteration as a defense, and the operator is likely to be on the hook for personal injury or property damage that occurs.  

In the case of open drones, liability is more problematic. Assume a journalist operator modifies a ‘sense and avoid’ radar and adds communication and weather modes. If the revamped drone crashed into a person, causing bodily injury, who would be liable? A court would have to engage in a complicated analysis to determine whether the underlying technology or the modified upgrade is to blame. And, the initial developer of the open ‘sense and avoid’ radar would not be able to avoid liability by simply claiming alteration as a defense.

Although open technologies may be more problematic than closed designs from a liability perspective, industry measures may be adopted to mitigate liability risks. Developers of open technologies can look to licensing as a mechanism to allocate liability and promote non-harmful and ethical use of their technologies. For example, a sufficiently and selectively open license may be used to prohibit end-users from removing safety or privacy features incorporated by upstream developers.

For those interested in further reading, the workshop papers will be published in June by Columbia University.

Privacy Considerations in Setting up Tweed’s Medical Marijuana Distribution Business

 

Image

Medical marijuana growing at Tweed’s Smiths Falls location

 

After April 1st, Tweed Inc. will be among the first businesses to sell medical marijuana in Canada. The new legislative framework that will be in effect on that date allows businesses that have received licenses from Health Canada to grow and sell medical marijuana. Tweed has started production activities in its Smiths Falls facility that was previously home to a Hershey chocolate factory. Over the last couple of months, I had the opportunity to work with Tweed to develop its privacy policy and practices to ensure compliance with the Marijuana for Medical Purposes Regulations (MMPR) and applicable privacy legislation. The following is a summary of some of the privacy considerations we looked at in establishing Tweed’s medical marijuana distribution business.

The Application Process

The MMPR require applicants registering to become clients of licensed medical marijuana producers to provide certain personal information, including their name, date of birth and gender. The MMPR also require information about the residences of applicants. For example, if an applicant does not live in a private residence, the applicant must disclose the type of residence that he or she lives in (i.e. a shelter).

Because an individual is only permitted to use medical marijuana if he or she has a “Medical Document”, a producer seeking to sell medical marijuana must be able to contact the applicant’s health care practitioner to verify the applicant’s prescription. Before this can be done, the applicant must complete a consent form granting the distributor permission to contact the applicant’s health care practitioner to inquire about the prescription.

Purchasing Medical Marijuana

Once applicants become registered clients, they can purchase medical marijuana from their distributors. Distributors are required to maintain records pertaining to purchases in order to comply with regulatory requirements. In certain circumstances, the MMPR requires licensed distributors to disclose information about their clients to the police. In the interest of transparency, Tweed’s privacy policy outlines the legal obligations regarding such disclosure and the steps that Tweed will take prior to responding to such law enforcement requests. For example, before Tweed will disclose information about a client, the police officer making the request must provide Tweed with the full name, date of birth and gender of the individual being investigated.

The Delivery Stage

The delivery stage is very important from a privacy perspective. Health Canada itself learned this lesson last November when it sent notices to 40,000 individuals using medical marijuana in envelopes showing the patients’ names and referencing the Medical Marijuana Access Program. As expected the disclosure of such personal information has resulted in the initiation of a class action lawsuit against Health Canada.

In order to maintain the privacy of its clients, Tweed will be using a secure delivery service. The external packaging of the deliveries will not contain Tweed’s name, its famous address (1 Hershey Drive), or information disclosing the medical marijuana contents of the package.

Transparency and Accountability      

As far as personal information goes, health information ranks among the most sensitive in nature as it reveals the most intimate details of individuals personal lives. Accordingly, it is particularly important for businesses handling such information to operate in a transparent and accountable manner. More information about Tweed’s privacy practices and the contact information of Tweed’s Chief Privacy Officer can be found on Tweed’s website.

*This post was written with permission from Tweed.

Canada’s Anti-Spam Legislation: What businesses need to know

Before Canada’s new Anti-Spam Legislation (CASL) comes into force, businesses operating in Canada will need to review and modify their practices to ensure compliance with the new requirements regarding commercial electronic messages and the installation of computer programs. CASL will come into force in three stages over the next few years – the following is a brief summary of the main provisions of each stage.

Stage 1 (July 1, 2014): Commercial Electronic Messages (CEM) Provisions

Subject to meeting any of the prescribed exceptions, CASL creates a prohibition against sending CEM, except in cases where the receiver has consented to receiving CEM, and the CEM meets the prescribed requirements. There are certain situations in which consent may be implied. For instance, consent is implied where there is an “existing business relationship” as defined in CASL and its accompanying regulations. An example of a qualifying “existing business relationship” is one in which there has been a purchase or lease of a product or a service in the two years preceding the sending of the CEM.

If an existing business relationship does not meet any of the conditions for implied consent, the business must seek express consent from intended recipients. A valid express consent must also meet certain prescribed requirements. For example, a business seeking consent must clearly convey that it is seeking consent to send CEM, and intended recipients must take an active step to indicate their consent to receiving such CEM. This means that standard business practices such as using opt-out mechanisms or implementing a pre-checked consent box will no longer be acceptable.

CASL also specifies certain requirements regarding the form and content of CEM. Each CEM must: identify the sender; disclose the sender’s contact information (as prescribed); and provide a mechanism to allow the recipient to unsubscribe. The unsubscribe mechanism must allow the recipient of the CEM (at no cost to them) to indicate the withdrawal of their consent, and must include the contact information of the sender which must be valid for at least 60 days after the CEM is sent. A request to unsubscribe must be given effect in no more than 10 business days.

Stage 2 (January 15, 2015): Provisions Related to Installation of Computer Programs

CASL prohibits a business from installing certain categories of computer programs on computers belonging to other people, unless the business has obtained express consent from the persons on whose computers the programs are being installed. Additionally, businesses seeking to install computer programs must comply with certain requirements regarding the unsubscribe mechanism. For instance, businesses must provide the recipients of computer programs with an email address to which the recipients may send a request to remove or disable the programs. The email address must be valid for one year after the programs are installed. In cases where consent was obtained based on an inaccurate description of the applicable computer program, the business which installed it must assist in removing or disabling the program.

Stage 3 (July 1, 2017): Private Right of Action

CASL creates a private right of action that enables individuals to seek compensation from individuals and businesses that contravene the provisions. Individuals will be able to seek compensation for actual losses, damages and expenses incurred due to contraventions. It is expected that once these provisions are in force, class actions will soon follow.

Next Steps

As CASL’s three stages come into effect, businesses operating in Canada that are sending commercial electronic messages or installing computer programs should seek legal advice to ensure compliance. This summary is intended to highlight CASL’s key provisions, and in light of the nuances of CASL and its accompanying regulations, it is recommended that businesses obtain legal advice regarding compliance.

Amazon Drones: The gap between vision and regulation

On Sunday’s 60 Minutes interview, Amazon CEO Jeff Bezos unveiled the company’s plans to offer drone deliveries within 30 minutes, igniting discussion filled with excitement and questions.  On the forefront, is the issue of when we can expect to see Amazon’s drones on the horizon.

The current US regulatory framework does not allow for commercial use of drones beyond research and development activities.  However, the Federal Aviation Administration (FAA) is currently devising rules for integration of drones into the domestic airspace, with a view to enabling commercial use by 2015.  Although the FAA rules will certainly open up the airspace to commercial drones, it has yet to be determined whether the licensing framework will enable applications like Amazon’s which rely on a fast approval process.

The Canadian regime can serve as a cautionary tale for US regulators.  Commercial drones are already in use in Canada, however each individual flight operation must be approved by Transport Canada through the issuing of a Special Flight Operations Certificate (SFOC).  In order to be approved, the applicant must complete a risk assessment and outline steps that will be taken to mitigate the risks to an acceptable level.

Normally, it takes at least 20 days for an operator to obtain a SFOC, and in many cases (especially for first-time applicants) the process is longer – is anyone willing to wait that long for an Amazon delivery?  Probably not.

Why does it take so long to obtain approval?  Beyond the fact that each individual operation must be approved, there is a lack of clear standards on what constitutes an “acceptable level of risk”, which makes it very difficult for both applicants and reviewers to fulfill their roles.

The Canadian regulatory framework is also currently under review, as the UAS Program Design Working Group is set to make recommendations for amending aviation regulations by 2017 – and hopefully in doing so will address the inefficiency problem.

Regulators on both sides of the border will have a difficult task ahead – balancing innovation and safety.  Hopefully, the new regulations that are set to come out in Canada and the US in the coming years will not hamper commercial applications like Amazon’s.

A Bundle of Rights Approach to Regulating Drones in Public Space

On October 11-13, I had the opportunity to participate in the Drones & Aerial Robotics Conference (DARC) at NYU Law.  I served as Chair of the Drones and the Future of Public Space roundtable, which hosted Peter Asaro, Stuart Banner, Woodrow Hartzog, Marcel LaFamme, Greg McNeal, Paul Voss, and our moderator Greg Lindsay.

In light of the upcoming approval of commercial licenses by the Federal Aviation Authority (FAA) as of 2015, our roundtable explored how the law should conceptualize “public space” in relation to drones, and to what extent it should privatize or enclose portions of the “public highway” in favor of protecting privacy.

The framework for regulating airspace was established by the Supreme Court in United States v. Causby, which involved a takings claim under the Fifth Amendment.  Causby displaced the old common law doctrine that land ownership extends to the periphery of the universe, replacing it with a conceptualization of airspace as a “public highway”.  The Court reasoned that airspace must be a public highway, otherwise any flight passing over private property could result in a trespass suit. The Court qualified this finding by suggesting that an owner must have exclusive control over the immediate reaches of the atmosphere above his property in order to exercise full enjoyment of land.  The factors that the Court established to determine the boundaries of public and private airspace include whether an aircraft is flying directly over an owner’s property, the altitude and frequency of the flights, and whether such flights interfere with an owner’s enjoyment of his property.

This Causby framework has been transported into trespass and nuisance tort claims involving airspace.  For a trespass claim to succeed, the owner must establish that the intrusion occurred within the immediate reaches of the owner’s land, and that the intrusion resulted in interference with use and enjoyment of the land.  In the case of a nuisance claim – while there is no requirement that an intrusion occur within the immediate reaches of one’s property – interference with use and enjoyment of property must be made out.

More troubling, is the application of Causby reasoning to Fourth Amendment case law involving airspace.  In California v. Ciarolo, the Court found that there was no Fourth Amendment violation when police flew over an individual’s backyard to investigate marijuana growth because the observation occurred in “publicly navigable airspace” (as defined by the FAA). Similarly, in Florida v. Riley, the Court ruled that the Fourth Amendment was not violated when police flew over a greenhouse in a helicopter to investigate a marijuana grow-op because they were “where they had a right to be” (according to FAA guidelines regarding “navigable airspace” for helicopters).  More peculiar than the fact that the Court relies on FAA guidelines designed to ensure safety to determine whether there is a reasonable expectation of privacy, is that the Court in Riley supported its finding by stating that the helicopter did not cause any undue noise, wind, dust or threat of injury.

This progressive mission creep of the Causby framework will be even more consequential to individual rights if applied in the context of drones.  The FAA Modernization Act permits the FAA to regulate drone use in airspace below 400 feet.  Presumably, small drones that don’t pose a significant threat to safety will be permitted to fly at very low altitudes.  Applying the Causby analysis, when such drones will be operated within the FAA definition of “navigable airspace” and there is no interference with use and enjoyment of land, it will be very difficult to establish Fifth Amendment, trespass, nuisance and Fourth Amendment claims.

I suggest that the law must evolve beyond the public vs. private space dichotomy that was enshrined in Causby, and that it ought to enclose portions of the public highway in order to protect privacy.  To be clear, I am not suggesting a complete privatization of public airspace granting the ultimate stick in the bundle – the right to exclude – that the Causby Court was rightfully concerned about.  Instead, I propose a contextualized enclosure of public space that simultaneously recognizes a public right of access and an individual right to privacy.  This proposal is compatible with the general shift in law from the reductive Blackstonian characterization of property as the right to exclude, to a more nuanced conceptualization of property as a bundle of rights.

If we accept that private property is a bundle of rights, we must also accept that public property – including public airspace – is a bundle of rights.  The famous architect and urban space designer Stephen Carr suggested that the bundle of rights in public space includes the right to access, freedom of action (which must be “responsible action” as public space is shared) and even the right to claim a proprietary interest – a degree of spatial control – that is necessary to attain the goals of public space.  Carr relied on Alan Westin’s four states of privacy to substantiate his argument that we have a right to claim certain individual interests in public space such as anonymity and intimacy.

If we apply the bundle of rights metaphor to airspace, I suggest that we can disaggregate the privacy interest from the right to exercise exclusion of others.  The practical implications for drone use are that airspace remains public – no one has a right to exclude others – however we recognize a contextualized enclosure that makes room for a privacy interest.

As a thought experiment, let’s apply the contextualized enclosure of public space framework to the fact scenario in Florida v. Riley.  The Court’s analysis of Riley’s reasonable expectation of privacy would exclude the fact that the police were flying at an acceptable altitude according to FAA regulations, and that the helicopter did not cause any undue noise, wind, dust or threat of injury.  It’s difficult to predict whether a different outcome would occur applying this framework (as doing so would cause the Court to engage in a more nuanced approach to determining what is a reasonable expectation of privacy in public), but what is certain is that the framework would remove factors that don’t seem to have a legitimate place in Fourth Amendment analyses.

Glass, feature creep and the ‘end of privacy’

It’s been a year since Google co-founder Sergey Brin introduced the world to Project Glass, igniting debates about what’s cool and creepy about the specs.

On the one hand, the technology has the potential to disrupt numerous industries – education, medical, and law enforcement to name a few.  But, at the same time, Glass raises obvious privacy concerns, as the web-enabled specs allow users to capture photos, take videos and share live footage.

Google has implemented various measures aimed at alleviating concerns about the privacy implications of Glass.  For instance, Google incorporated a red light intended to put the public on notice when the camera is in use.  The Glass developer policy also provides the following notice:

 “Don’t use the camera or microphone to cross-reference and immediately present personal information identifying anyone other than the user, including use cases such as facial recognition and voice print. Applications that do this will not be approved at this time.”

And, Google states that it intends to remotely block apps and disallow automatic software updates in an effort to prevent unintended uses of Glass.

However, for all of Google’s efforts, preventing feature creep will be a futile exercise.  For example, hacker Stephen Balaban of Lambda Labs is working on developing an alternative operating system that allows users to incorporate facial recognition into the specs.  A quick review of the #ihackglass twitter stream suggests that he’s not the only one…    This reality has prompted some privacy advocates to suggest that Glass may be the end of privacy as we know it.

Is Glass the end of privacy?  Probably not – and certainly not any more so than other emerging technologies that have widespread privacy implications, such as drones (which at least for now are much cheaper to obtain than Glass).  But even if we accept that Glass is the most privacy-invasive technology on the immediate horizon, the net effect of Glass is not necessarily going to be bad for privacy.

Technologies like Glass provide immense opportunity for innovation in privacy.  You know all of those people who are worried about Glass?  They represent a mass consumer market for developers of responsive privacy enhancing technologies.

Admittedly, the trajectory of technological innovation has favored privacy-diminishing products – but this need not be the case.  For instance, NYU researcher Adam Harvey is reverse engineering facial recognition technology with the goal of developing makeup that blocks the technology from being able to read human faces.  As this example suggests, at least from the perspective of innovation in privacy, Glass feature creep may not be such a bad thing.

Coders and Lawyers

I recently started learning JavaScript.  As an aspiring tech lawyer, I thought coding would be a great way to learn a bit more about what my future clients do.  The geek in me was also in need of a hobby – coding was the efficient choice.  Working through the various tasks on Codeacademy, I am beginning to think that coders and lawyers are not *entirely* different breeds.  A similar skill-set is required in both professions – logic, attention to detail, analysis, and problem solving to name a few.  From a process perspective, similarities can also be drawn between developing a program and completing a legal transaction such as an acquisition.  The lifecycles generally proceed as follows:

Planning – This initial stage entails an assessment of the requirements.  The programmer or lawyer determines the desired end-result (i.e. to build a NLP interface, or to facilitate the purchase of a startup).

Design – This stage requires an assessment of the best mode of achieving the desired endgame.  Here, the architecture of the program or transaction is determined.  While a developer deals with questions like which programming language to employ, a lawyer may engage in a determination of the optimal deal structure by weighing the pros and cons of a share vs. asset transaction.

Implementing, Testing, Documenting – Putting the plan into action, and determining whether the prescribed requirements have been met.  In the case of developers, this stage involves coding, preparing documentation and testing for defects.  For lawyers, think negotiating the letter of intent, performing due diligence, and drafting the definitive agreement.

Maintenance – Addressing problems that crop up after the fact.  At this stage, programmers address vulnerabilities and “bugs” that are discovered in the program.  And in the case of lawyers, deal maintenance may involve indemnification claims, post-closing adjustments and earn-out disputes.

Reflecting on these similarities, I am tempted to think that coding presents an innovative and fun way for lawyers to develop and improve their lawyering skills.  At the very least, it’s a stepping-stone towards achieving sexy data-scientist status ;-).

Follow

Get every new post delivered to your Inbox.