homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Cyber Aces
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Indoor Drones Raise Privacy Law Risks
370x370_Benjamin-Wright.jpg
Benjamin Wright

Indoor Drones Raise Privacy Law Risks

As indoor drones become more common, notices and warnings about recordings can help to promote compliance with complex privacy laws.

October 5, 2020

Small drones are coming to the great indoors. For example, Ring, the home security division of Amazon, announced it will in mid-2021 release a small, connected security drone that will patrol inside your home.


The drone will fly about and capture video of what it observes, such as an intruder or an open door. The video would be viewable from your PC or smart phone, wherever you happen to be, whether in another room or in another country. The drone is ingeniously designed to avoid flying into objects like people and furniture. Its propellers are surrounded by fenders so they will not cause damage if the drone happens to collide with something. And it will cost only $250.

This is exciting technology! It promises to have many uses beyond just home security. In this age of COVID-19 and social distancing:

  • One can imagine a student observing an experiment in a school science laboratory vicariously through a drone that hovers above a teacher who is executing the experiment.
  • A dance coach might observe a student who is practicing dance moves at home.
  • A remote proctor might observe a student taking a test too ensure the student is not cheating with unauthorized notes or devices.
  • An investigator might use an indoor drone to gather evidence about a physical intrusion into a building.
  • An engineer could remotely observe and advise coworkers as they work on a machine in a factory.

A flying bot is not the only kind of indoor drone one can imagine. Indoor drones might crawl or roll on wheels.

Naturally, indoor drones can be equipped with microphones and video cameras, and users will be tempted to make audio and video records of what their drones encounter indoors. These recordings raise a host of privacy law concerns.

Records have legal implications.

Laws Against Recording of Voice Conversations: Special Caution with Audio

Recordings that are too intrusive can creep people out, and legislatures have responded. To regulate the recording of human activity, many anti-surveillance laws have accumulated over the years. In the US the laws are complex, and vary by locale.

A federal law that applies nationwide is the Wiretap Act. But many states have their own wiretap laws. So when one records a conversation, both federal and state law need to be considered.

Even though the names of these so-called “eavesdropping” laws emphasize the tapping of wires like telephone wires these laws commonly restrict the recording of oral conversations, regardless of whether the conversations go through a wire or any electronic medium.

Three general rules of thumb can help drone owners avoid legal risk.

  1. Beware Voice Recordings

The first general rule of thumb is that to record a voice conversation without first getting the consent of each party to the conversation can be legally dicey.

The federal Wiretap Act requires consent of one party to a conversation, so under federal law consent of only one party is enough.

But wiretap laws in a number of states like Pennsylvania generally forbid recording a voice conversation unless all the parties to the conversation consent. So unless you are sure that no applicable state law requires consent of all parties, you are often wise to make sure you have obtained consent of all parties to a conversation.

Here is an example of wiretapping law being applied in the home. An ex-wife (mother) planted an audio recorder in a teddy bear and collected evidence of an ex-husband (father) talking to a child. In a child custody dispute, the judge rejected the ex-wife’s audio evidence because neither of the parties to the conversation (father or child) consented to the recording. Todd Cooper, "Custody case tip: Don't bug kid's teddy bear," Omaha World Herald, January 7, 2008.

  1. Visual Recordings Are Often Less Risky

The second rule of thumb is that privacy laws place fewer restrictions on visual recording (such as with video) of people in public. But that second rule of thumb comes with a caveat. Advanced artificial intelligence systems are able to interpret human speech by reading lips from video, rather than listening to voices from audio. "Google’s DeepMind AI can lip-read TV shows better than a pro," New Scientist, Nov. 21, 2016. https://www.newscientist.com/article/2113299-googles-deepmind-ai-can-lip-read-tv-shows-better-than-a-pro/ Therefore, a visual recording (no audio) of people moving their lips may qualify as the recording of a conversation under the wiretap laws.

Still, recording very much lip movement with a drone won’t be easy.

Given the present state of law, a common practice for property owners is to record activity on their premises with video cameras but not audio recorders.

  1. More Consent Is Better

The third rule of thumb is that the more that you get consent from the subjects of your recording, the less is your legal danger.

In the application of these three rules of thumb, much depends on whether the subject of recording had a reasonable expectation of privacy. Ray Sanchez, “Growing Number of Prosecutions for Videotaping the Police,” July 16, 2010 https://abcnews.go.com/US/TheLaw/videotaping-cops-arrest/story?id=11179076

An expectation of privacy can be influenced by context and notices. What does a person know or what is the person reasonably likely to know in a given situation? That question is often hard to answer. But if a person has been informed in advance through a written warning, then it's harder to conclude that they had a reasonable expectation of privacy.

So legal risk to the drone owner is lower if the subject of recording knows they are being recorded and has an opportunity to leave so they are not recorded. Obviously, an audio or visual warning (such as written sign) can be powerful evidence that the subject knew of the recording and consented to it.

201005_BWright_drone_blog_Image1.png

Photo Credit: Ben Wright

If a written sign is not displayed, contextual clues might be enough to establish that the subject consented to the recording or otherwise had no reasonable expectation of privacy. The Ring drone gives clues by making noise as it flies and hovers, which draws attention to its presence and contributes to alerting a person that the drone might be observing and recording the person. Lindsey O'Donnell, “Ring’s Flying In-Home Camera Drone Escalates Privacy Worries,” September 25, 2020 https://threatpost.com/ring-dr... A flashing light on a drone might further suggest to a person that they are being recorded.

Anti-Stalking Law

The operator of an aggressive recording system runs another legal risk: Excessive, creepy recording may amount to illegal stalking.

Legislatures like Minnesota’s have enacted broad anti-stalking laws that read like this:

"stalking" means to engage in conduct which the actor knows or has reason to know would cause the victim under the circumstances to feel frightened, threatened, oppressed, persecuted, or intimidated, and causes this reaction on the part of the victim regardless of the relationship between the actor and victim. . . .

A person who stalks another by committing any of the following acts is guilty of a gross misdemeanor: follows, monitors, or pursues another, whether in person or through any available technological or other means . . .

Section 609.749, 2011 Minnesota Statutes

So in Minnesota one might be deemed to be stalking another if they use an indoor drone unreasonably too record a person and buzz around that person.

One Domestic Dispute

Court cases interpreting the application of such a stalking law to modern technology are few. But here is one case. A Minnesota court convicted Danny Lee Hormann of stalking, sentencing him to 30 days in jail. He put spyware on his wife’s mobile phone and on the family computer; he attached a GPS tracking device to his wife’s automobile. The court dismissed Mr. Hormann’s argument that what he did was morally justified under the circumstances in his household. “A Spy-Gear Arms Race Transforms Modern Divorce,” Wall Street Journal, Oct. 6-7, 2012.

But if Mr. Hormann had given his wife advance warning of what he was doing, the court might have considered his guilt to be less severe and might have given him a lighter sentence.

Reduce Legal Risk by Securing Data

A factor that might aggravate an allegation of eavesdropping or stalking with a drone would be failure to secure the data collected by the drone. Ring products are known to store records in the cloud, but failure of the owner to use security procedures like multi-factor authentication might allow those records to leak out. Lindsey O'Donnell, “Ring’s Flying In-Home Camera Drone Escalates Privacy Worries,” September 25, 2020 https://threatpost.com/ring-drone-privacy/159562/ Accordingly, the use of prudent data security methods can reduce a drone owner’s legal risk.

Privacy Warning Posted on Drone

Maybe drones or other robots could themselves communicate privacy warnings. Maybe a written notice could flash somewhere on the bot, or maybe the bot could emit an audio notice: “Warning. If you approach me, I will make a video and audio recording of you.” Such a warning reduces the appearance that the subject of recording suffered harm.

Conclusion

Given the law’s special disfavor for the recording of conversations, the designers of drones and similar systems have reason to avoid recordings of the words that come from a human mouth.

If the owners of indoor drones exercise good judgment, they are less likely to violate a law.

I would be pleased to hear your comments.

==

Benjamin Wright is an attorney based in Dallas, Texas. He advises a wide range of clients around the world on privacy, cybersecurity and digital forensics law. He is a senior instructor at the SANS Institute, teaching its 5-day course titled LEG523: Law of Data Security and Investigations. https://www.sans.org/cyber-sec... He is author of the book The Law of Electronic Commerce (Wolters Kluwer). Read more about Ben here.

This article provides general education and not legal advice for any particular situation. If you need legal advice, you should consult your own lawyer.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • LEG523: Law of Data Security and Investigations
  • SEC504: Hacker Tools, Techniques, and Incident Handling
  • SEC504J: Hacker Tools, Techniques, Exploits, and Incident Handling - Japanese

Tags:
  • Security Management, Legal, and Audit

Related Content

Blog
SSA-_Renewing_Your_SSAP_-_Two_Easy_Steps_-_340x340_Thumb.jpg
Security Awareness, Security Management, Legal, and Audit
March 22, 2023
Renewing Your SANS Security Awareness Professional (SSAP) – Two Easy Steps
You will need to renew your SSAP every four years, a process we've worked hard to keep as simple as possible to ensure it helps you grow your career.
370x370_Lance-Spitzner.jpg
Lance Spitzner
read more
Blog
_Which_human-focused_cybersecurity_course_is_best_for_me_340x340.jpg
Security Management, Legal, and Audit
March 16, 2023
Which Human-Focused Cybersecurity Course is Best for Me?
Examine the differences between the MGT433: Managing Human Risk course and MGT521: Building a Security-Based Culture course.
370x370_Lance-Spitzner.jpg
Lance Spitzner
read more
Blog
Security Management, Legal, and Audit, Cloud Security
September 17, 2020
No Trespassing In The Cloud
Many organizations are wise to post no trespassing signs on their data resources, such as files and databases hosted in a public cloud.
370x370_Benjamin-Wright.jpg
Benjamin Wright
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn