What you’ll learn in this article:
- Discussions leading to Portland’s new surveillance tech policy adopted February 1 revealed a plan by the Portland Police Bureau to test drones over major crime and traffic crash sites.
- A “restricted” privacy impact assessment of the drone plan labels it “Medium Risk” and provides the most detail about the possible program available yet.
- The police bureau said it will likely buy the same types of drones available widely to anyone, which could pose serious cybersecurity risks.
- Portland’s surveillance tech policy will not cover technology used in public schools, the airport, or by Metro, the regional government group that runs transit projects, parks, cemeteries and venues in and around Portland.
Ever since Portland established privacy principles in 2019 to guide city data use, it has continued building additional layers of data safeguards on top of that foundation. On February 1, Portland City Council added another layer of protection, voting unanimously in favor of a surveillance tech policy resolution that had been in the making for somewhere around two years.
The binding resolution passed unanimously. For more information on what’s in it and some of the political reasons behind what’s not in it, check out my CityLab story.
The policy comes at a crucial time when Portland is considering adoption of surveillance technologies with the potential to violate civil liberties and personal privacy. Not only is the city considering use of gunshot detection technology (likely ShotSpotter), the Portland Police Bureau (PPB) has been discussing a plan to launch a limited trial of Small Unmanned Aerial Systems equipped with sensors and infrared real-time video cameras.
This was made public back in September during a City Council work session addressing the surveillance tech policy. It was surprising to see there seems to have been no media coverage of the police drone plan until I reported it in my CityLab story this week.
What we know about the police drone project
The drone trial has yet to begin, and there is no projected start date, according to the police bureau’s Public Information Officer Lieutenant Nathan Sheppard. But it appears there is enough of a plan to have allowed for a privacy impact assessment, finalized in July 2022, which the bureau agreed to on a voluntary basis.
The detailed analysis in that assessment is labeled “restricted and for internal use only,” but that full privacy impact assessment, restricted info and all, is available here for anyone who wants to take a look.
The assessment gives us some valuable information about the police bureau’s trial of small unmanned aerial systems, a.k.a drones. A project of the bureau’s Major Crash Team and the Explosive Disposal Unit, it would involve drones equipped with sensors and forward looking infrared real-time video cameras* to support search and rescue operations, conduct traffic flow studies of high-crash roadways, and document and assess traffic crash scenes for presence of explosives or suspicious items.
The privacy impact assessment (PIA) states that data would be collected by the drones, cameras and sensors “in response to major crime or crash events.” (Note: The original version of this story unintentionally omitted the reference to “major crime” in the PIA.)
The PIA also states that the drone pilot will be “only for field assistance and support during tactical events, investigative, training, and administrative needs,” which actually seems like a lot use cases.
No fly zones
The PIA determined that the drone plan had a “Medium Risk” of privacy impacts related to the possibility of civil rights infringements, unauthorized data sharing, data breach, lack of transparency and lack of oversight and public reporting. The assessment report features several risk types related to a system’s data capture and use, scoring the risk impact level of each, and predicting the likelihood of that impact.
The PIA evaluated the types of sensitive data that could be generated or accessed through the drone program, including contextual information derived through sensors that could identify individuals, and “the presence of children, victims, and imagery representing crime scenes,” for instance, from still or video images captured using the drone cameras.
The PIA recommends ways the police bureau could reduce privacy risks associated with the drone project. For one, it says the bureau could do separate PIAs for individual sensors mounted on the drones.
Another recommendation: Don’t fly drones over sensitive places.
The PIA recommends that the police bureau “Identify no-fly or highly sensitive zones, potentially working with community and local organizations to inform and define such zones. These sensitive zones could include schools, hospitals, and churches and spaces for worship.” Especially now that data showing people visited an abortion clinic can get them arrested in some states, this is a more serious issue than ever.
Off-the-shelf police tech from Amazon?
Drones carry very real risk of system hacks, data breaches and cybersecurity vulnerabilities if the bureau does not use systems operating on an encrypted channel.
The risks could be heightened if the police bureau does what Sheppard told me they might when I asked him about what drone vendor they will buy from: “I don’t believe there will be discussions around a vendor since the types of drones will most likely be the same ones that are already very widely in use and anyone can order off of Amazon,” he told me.
“I don’t believe there will be discussions around a vendor since the types of drones will most likely be the same ones that are already very widely in use and anyone can order off of Amazon.”– PPB’s Public Information Officer Lieutenant Nathan Sheppard
The PIA recognizes these security risks, and recommends the police bureau establish information protection best practices to minimize privacy breaches and work with the city’s Information Security Office to minimize cybersecurity threats.
This is bound to be an issue if the police bureau, as Sheppard put it, just buys the same type of drones “anyone can order off of Amazon.”
Some other tidbits and background:
Drone flight reports: According to the PIA, the police bureau will document each “Remote Person in Command” flight with a report that will include information about where and when the flights occurred and “disposition of digital media evidence and other data gathered,” but it is not clear whether those reports will be made public.
37 police surveillance technologies: An April Portland city auditor report — prompted by concerns regarding excessive surveillance and data collection about people attending Black Lives Matter protests — found that, of the 37 different surveillance technologies used by the city’s police bureau, policies existed for just 16 of them including license plate readers, body wires, and cell phone data extraction software.
In response, the police bureau said it would start including an inventory of surveillance tech in its annual reports. Its most recent annual report for 2021 does not include such a list, but referenced use of surveillance tech including license plate readers and a fixed-wing plane.
Policy sausage making: Original surveillance tech policy language directly referenced the city auditor’s report. However, in part to appease pro-police lawmakers, an amendment was adopted the day of the vote to strike that reference and instead make clear that more transparency around surveillance tech use by all city bureaus is needed.
Surveillance policy gaps: Like Portland’s facial recognition ban, there are exceptions to what the surveillance tech policy covers. It only applies to city bureaus, meaning it will not apply to tech purchased by Portland public schools or Portland International Airport, for example. It also won’t apply to Metro, the multi-county regional government group that oversees a lot of projects affecting Portlanders.
That means, in a case such as Replica, the controversial Google-linked mobility data tracking system it once considered using, the surveillance tech policy would not apply. In that case, Metro put Replica through a lot of privacy vetting on its own, and as I reported about in depth here in Redtail, its privacy concerns contributed to the demise of the project. Still, Metro is a sprawling operation that runs transit projects, several parks, cemeteries and venues; there’s no telling what types of technologies it could be using that do not fall under the policy requirements.
Who did the PIA anyway? The PIA was conducted by Hector Dominguez, open data and privacy coordinator for Portland’s Bureau of Planning and Sustainability Smart City PDX program, who also helped draft the surveillance tech policy. The PIA was done for PPB Commander Art Nakamura, who oversees the bureau’s Air Support Unit.
*About those FLIR cameras: It’s unclear what types of forward looking infrared real-time video cameras the Portland Police Bureau plans to attach to drones. Seattle law enforcement also use FLIR cameras, and the city conducted surveillance and privacy impact assessments of that technology use in 2020. It’s worth noting these systems have some valuable uses unrelated to law enforcement – like tracking wildfires through dense smoke. I actually got a chance in 2020 to fly over the massive Beachie Creek Fire in an Oregon Department of Forestry plane equipped with a thermal imaging camera, something like those infrared cameras. A Portland area company, FLIR Systems, made that camera. I wrote about that experience and the technology, and actually got to talk about it on public radio’s Science Friday.