Six months ago, the Federal Bureau of Investigation refused to release its plans to tackle privacy risks posed by drone surveillance. Now the agency claims it can't track them down at all. So does the one Justice Department office responsible for making sure such reports get filed in the first place.
The FBI has flown unmanned aerial vehicles since at least 2005, and has fought in court for the past year and change to divulge as little information about them as possible. While the Bureau and its privacy overseers have released hundreds of heavily redacted pages, they have seemingly conflicting answers as to whether one crucial set of legally-mandated privacy documents even exists at all.
Federal agencies must conduct a privacy impact assessment prior to deploying any technology that collects personal information, courtesy of the E-Government Act of 2002. At minimum, such assessments must address what information is being collected and why, how it will be used, who will be able to access it, and other basic details.
By design, then, PIA reports are meant for public consumption. They are supposed to candidly outline potential privacy risks for a given piece of software, data collection initiative or other technology, as well as the steps taken to address such risks. And unless an agency presents a good case otherwise, PIAs are supposed to be published online.
The FBI previously withheld drone privacy documents
Last summer, in response to a Freedom of Information Act lawsuit, the FBI refused to release its privacy impact assessment on drones. MuckRock thus filed subsequent requests to the FBI and the Office of Privacy and Civil Liberties, which manages the PIA process for the entire Justice Department. The follow-up FOIAs specifically sought all privacy impact assessments submitted by the FBI regarding its drone deployments, as well as corresponding review paperwork completed by the OPCL.
MuckRock also requested memos explaining why such reports had not been posted online per standard protocol.
Last week, the Justice Department confirmed that neither the FBI nor OPCL had been able to find anything despite "an adequate, reasonable search for such records."
Again, for those keeping score at home, the FBI previously withheld drone PIA documents, the review of which is conducted by the OPCL. The OPCL even wrote the template for all Justice Department agencies to use as they complete privacy impact assessments.
What's more, top Justice Department officials have previously highlighted the OPCL's role in assessing drones and privacy measures. In September 2013, responding to an audit of drone deployments, the Deputy Attorney General answered that it had charged a working group "including the Office of Privacy and Civil Liberties, to identify and address any policy and legal issues pertaining to the use of UAS for surveillance purposes."
A footnote in the same report indicated that the FBI's Office of General Counsel was likewise "conducting a privacy review" of its drone program as of June 2013.
The OPCL also gave a shoutout to its drone working groups in an annual report published last October.
A search through FBI and OPCL files, though, apparently failed to produce any PIA documents suitable for release.
Privacy watchdogs at the Electronic Privacy Information Center in Washington, DC are currently suing the FBI over its failure to publish privacy impact assessments online. EPIC lawyers are stumped by the Justice Department's response to FOIA requests for its drone reports, and particularly the OPCL's claim not to have any PIA documents.
"They review the privacy impact assessment—that's part of their responsibility within the Justice Department," says Ginger McCall, who heads EPIC's Open Government Project.
For comparison, the Department of Homeland Security has posted two PIAs online in full that cover drones. The first was completed in November 2012 for a relatively small project to evaluate small unmanned vehicles for emergency responders. The second, dated September 2013, outlines the potential privacy risks from Predator drones operated by Customs and Border Protection.
The DHS assessment acknowledges that, because of their small size and high operational altitude, drones flying along the border "can monitor either a moving target or a fixed location for relatively longer periods of time without the likelihood of detection."
In proposed standard operating procedures from 2010, the FBI's Operational Technology Division similarly acknowledged that drone's capacity to record and transmit video made them subject to the agency's electronic surveillance policies.
While DHS has been relatively forthright with the privacy implications of drones, top FBI officials insist that, despite not releasing federally-mandated privacy documents, they have taken adequate steps to address privacy concerns over drones. But they have yet to produce any slice of the paperwork created precisely for that purpose.
Per Department of Justice guidelines, the PIA process ensures that privacy protections "are built into the system from the start—not after the fact," in order to "promote trust between the public and the Department by increasing transparency of the Department's systems and missions."
The FBI declined even to confirm that it had conducted a drone PIA at all, while the OPCL did not respond to numerous requests for comment.
MuckRock has submitted an additional FOIA request to the Justice Department for reports coming out of its drone privacy working group.
UPDATE: Two hours after publication and in the wake of three FOIA requests, the Justice Department declined to clarify whether the FBI has analyzed potential privacy risks posed by its drones. "The questions you raised are best addressed through FOIA," wrote Peter Carr, a Justice Department public affairs specialist, in reply to an email asking if the FBI had filed drone privacy impact assessments, "and it is my understanding that you sought similar information already through our FOIA office."
The Justice Department's privacy office thus dodged a yes-or-no matter—has the FBI has completed the legally mandated privacy analysis process?—by referring to previous, unclear FOIA responses. "Should you seek further information, please submit another request," suggested Carr in conclusion.