Folks may have heard about the new Amazon prototype, the Ring Always Home Cam. Scheduled for release in early 2021, the”Drone Cam” will run a pattern of flight around your house to allow you to check on things when you are away. As you might imagine, given a history of Amazon’s Alexa recording things without permission, the announcement generated plenty of pushback among privacy advocates. But what attracted my attention was this addendum at the bottom of the Amazon blog post:
“As with other devices at this stage of development, Ring Always Home Cam has not been authorized as required by the rules of the Federal Communications Commission. Ring Always Home Cam is not, and may not be, offered for sale or lease or sold or leased, until authorization is obtained.”
A number of folks asked me why this device needs FCC authorization. In general, any device that emits radio-frequency radiation as part of its operation requires certification under 47 U.S.C. 302a and Part 15 of the FCC’s rules (47 C.F.R. 15.1, et seq.) In addition, devices that incorporate unlicensed spectrum capability (e.g., like Wi-Fi or Bluetooth) need certification from the FCC to show that they do not exceed the relevant power levels or rules of operation. So mystery easily solved. But this prompted me to ask the following question. “Does the proposed Amazon “Drone Cam” violate the FCC’s rule against using electronic wireless devices to record or listen to conversation without consent?
As I discuss below, this would (to my knowledge) be a novel use of 47 C.F.R. 15.9. It’s hardly a slam dunk, especially with an FCC that thinks it has no business enforcing privacy rules. But we have an actual privacy law on the books, and as the history of the rule shows the FCC intended it to prevent the erosion of personal privacy in the face of rapidly developing technology — just like this. If you are wondering why this hasn’t mattered until now, I will observe that — to the best of my knowledge — this is the only such device that relies exclusively on wireless technology. The rule applies to the use of wireless devices, not to all devices certified under the authority of Section 302a* (which did not exist until 1982).
I unpack this, and how the anti-eavesdropping rule might impact the certification or operation of home drone cams and similar wireless devices, below . . .
*technically, although codified at 47 USC 302a, the actual Section number in the Comms Act is Section 302. Long story not worth getting into here. But I will use 302a for consistency’s sake.
Most people don’t know that the Federal Communications Commission (FCC) has an anti-eavesdropping rule. Fewer know that this rule goes back to 1966. (I initially thought it went back to the 1987 rulemaking that gave us modern unlicensed spectrum, but a colleague pointed me to the earlier rulemaking.) While this generally applies to the manufacture and sale of wireless electronic listening devices (“bugs” in the vernacular), the language has potentially broad application.
What Does the Rule Say?
As always when dealing with law, precise language matters. Here is the full text of Rule 15.9:
§15.9 Prohibition against eavesdropping.
Except for the operations of law enforcement officers conducted under lawful authority, no person shall use, either directly or indirectly, a device operated pursuant to the provisions of this part for the purpose of overhearing or recording the private conversations of others unless such use is authorized by all of the parties engaging in the conversation.
“Authorized pursuant to this provision” in 1966 meant operation without a license — what we now call “unlicensed” or Part 15 spectrum. Yes, the FCC has had rules authorizing “unlicensed” spectrum use since 1938. But prior to 1989, the FCC used to authorize these uses and equipment on a case-by-case basis. (You can read a short regulatory history of the evolution of unlicensed spectrum access in this article I wrote 15 years ago.) Technically, these days, “authorized pursuant to this provision” would also include authorizations for devices required under Section 302a. But the FCC explicitly invoked its power under Section 303(b) (power to set service rules for wireless services), Section 303(g) (responsibility to encourage greater use of radio spectrum in the public interest) and Section 303(r) (general authority to make rules governing wireless that serve the public interest). So while the plain language would apply to any device, the history of the rule implies that this means wireless devices certified under Part 15 to operate without a license.
But I digress. The key point here is that the rule, at a minimum, applies to devices using unlicensed spectrum. Critically for our analysis here, the rule acts not as a restriction on manufacture, but a restriction on use. No one may “directly or indirectly” use a device using unlicensed spectrum to listen or record a private conversation without consent of all parties to the conversation.
How Does A Rule Adopted in 1966 Apply to Drone Cams? Why Did the FCC Adopt This Rule at All? This Technology Was Science Fiction Back Then.
One of the things about laws is that they may be inspired by a particular situation, but they are usually meant to address a general problem illustrated by the particular event or events that prompted folks to make the law in the first place. This doesn’t always work out, of course, which is why we sometimes update or amend laws. But the theory pushed by the Federalist Society and their members in the judiciary that laws only address the specific thing that existed at the time and that any changes in technology require new laws is, to use the fashionable retro word, malarkey. We don’t need to update the murder laws to cover every new way people find to kill other people. While it certainly makes sense from time-to-time to review and update laws in light of changing technology, the laws on the books apply even if the drafters could not foresee the specific situation in question.
Read the Fed Reg publication of the Order (can’t find the FCC text online, it’s old). It speaks to general concerns in a way even more applicable today than in 1966. (Mind you, the FCC actually cared about privacy in 1966, and about the public interest and protecting consumers. None of this “Oh, it’s a job for the FTC not us” bullsh*t malarkey.) As the FCC noted, advances in technology made it trivially easy to secretly transmit and/or record private conversations without a person’s knowledge. After tracing the history of the common law prohibiting eavesdropping and the common law right of privacy, the FCC concluded that permitting the use of electronic wireless devices for eavesdropping was contrary to the public interest. The FCC also recognized that, without FCC action, “The right of privacy is precious, and should not be sacrificed to the eavesdropper’s needs without compelling reason. We cannot find such reason here….Upon reflection, we do not believe it to be consistent with the public interest to permit this new product of man’s ingenuity to destroy our traditional right to privacy.” Furthermore, as the FCC noted, without a rule making it illegal to use electronic wireless devices to eavesdrop and record conversations, existing wireless microphones could be easily adapted for this purpose.
Doesn’t Customer Consent Make This Irrelevant? Not So Much.
Even more so now, the proliferation of devices that surreptitiously record our private conversations without our knowledge “destroys our traditional right to privacy.” Virtually every device capable of recording our data does so. As I have written elsewhere at great length (and I am hardly alone in making this observation), disclosure and consent are worse than useless since (a) companies frequently lie; (b) companies can change their service whenever they want, so even if they promise to be good with your data now they can change their minds later and you have no recourse; and, (c) companies make their privacy policies as dense and difficult to read as possible.
But as of today, the law is that if I buy the product and consent to the terms, the product provider can record whatever they want and do whatever they want with the data. So if you buy the product, yu consent. What difference does the rule make?
Happily, the FCC thought about that. The rule requires all participants in the conversation to consent to the listening and/or recording. Although the FCC has initially proposed a rule permitting a single party of the conversation to consent for all participants on the grounds that people routinely took the risk of having their conversations overheard, the final order rejected this reasoning. “The ordinary risk of being overheard is converted into another risk entirely when the electronic device is made the instrument of the intruder. Coupled with a recording device, this new eavesdropping tool puts upon the speaker a risk he has not deliberately assumed, and goes far toward making private conversation impossible.” The final rule therefore requires consent of all the parties to the conversation. While I will grant the common law concept that a host owes no duty to a trespasser and therefore say this does not apply to criminals breaking into the home (as apparently shown in the Amazon promo), it still covers other members of the family who do not consent, employees (so no using this as your nanny cam), guests in the home, and so forth.
For extra good measure, the FCC made it clear when adopting the rule that it didn’t matter whether you recorded something and then transmitted it or transmitted to a recording device, or even skipped the recording device and just listened to a conversation remotely. The language and the intent are sweeping in scope (to prevent listening via unlicensed spectrum devices without consent)
What about the fact that it is the device owner who sets up the flight pattern and when to activate the device? Amazon maintains that the camera and recording capability are blocked when the drone is docked, and the battery only lets it fly for 5 minutes at a time. To further protect privacy, at least for now, the device owner can’t directly control the flight of the Ring Drone — it will only fly preset patterns. But this doesn’t necessarily get Amazon off the hook. The rule prevents anyone from directly or indirectly recording or listening to a conversation without consent. If Amazon insists on accessing and sharing the data, it violates Rule 15.9 unless all parties to the conversation consent.
Finally, because it sadly needs stating these days, the FCC made it expressly clear that it did not intend to preempt any state law or common law right of action.
So Does This Make the Ring Drone Illegal?
No. The FCC rule goes to behavior. You can’t — either directly or indirectly — deliberately use a device authorized for unlicensed use under Part 15 to listen or record a private conversation without consent of all the parties. But this isn’t like radar jammers where the manufacture, sale, purchase or possession of the device is illegal pursuant to Section 302a. If used only for its stated purpose — times when the house is otherwise empty — the Amazon Ring Drone is perfectly legal to use. So it is perfectly legal to sell, or buy. You just cant use it to listen or record someone’s conversation without permission.
This is what the “for the purpose of” language in the rule means. As the 1966 Order explains, you can use a wireless microphone to do an interview but catch someone in a private conversation on a “hot mic” or in the background. That’s not a violation of the rule, because you weren’t operating the device “for the purpose” of listening or recording a private conversation. But on the flip side, the “for the purpose of” applies to the intended use at the time of the listening/recording, not at the time of certification. Again referring to the 1966 Order, it posits using a wireless microphone, properly authorized and sold for the proper purpose, for eaves dropping on someone else. There is no liability for the manufacturer or seller of the wireless microphone, but there is liability for the individual buying the device and then using it “for the purpose” of eavesdropping.
So, my deployed Amazon Drone flies around my house for security and catches someone’s private conversation probably does not violate the rule, since I did not deploy the device primarily to spy on people passing by (I say “probably” because if I know it will happen and I am reckless indifferent to their privacy it might be different.) OTOH, Amazon using the device to capture all conversation and then downloading that into a database to use for its own purposes arguably would violate the rule, even though the primary job of the device is to be a security system. But Amazon (in our hypothetical) is making the recording primarily for its own purposes unrelated to being a burglar alarm.
So What Good Does This Do?
An excellent question. Since enforcement is left to the FCC, that depends on what the FCC wants to do.
Swell.
I feel you, but given how Trump feels about Amazon you never know. Heck, we may someday have an FCC that cares about privacy for its own sake. So this isn’t entirely academic.
Fine. What Can the FCC Do?
The FCC has a couple of options. We can divide them into “pre-certification” and “post-certification enforcement.”
In the Pre-Certification bucket, the FCC can require that Amazon demonstrate how it will ensure that use of the device won’t violate Rule 15.9. The FCC does this as a matter of course for the technical aspects of certification. Generally, when you get your unlicensed transmitter certified, you need to demonstrate that you have taken some basic precautions to prevent users here in the U.S. from violating the power limits or other technical rules. That’s part of what Amazon is doing now with the Ring Drone in certification.
Nothing prevents the FCC from requiring as a condition of certification that Amazon also show how it intends to prevent unauthorized listening/recording by itself or users. That can range from anything from technical fixes to a big warning saying: “FCC rules prevent the use of this device for listening to, and/or recording private conversations without the consent of all parties to the conversation.” It would be up to the FCC to figure out what is reasonable.
In Post-Certification enforcement, the FCC can levy fines agains Amazon if Amazon listens and/or records private conversations in violation of Rule 15.9. That’s not much, given Amazon’s size and value, but could conceivably sting depending on how widespread the violation is.
This Doesn’t Seem Like a Great Solution to the Privacy Problem.
No, it isn’t. Which is why I and my Public Knowledge colleagues keep pushing for comprehensive privacy laws and support states passing comprehensive privacy protection laws. But Congress seems deadlocked at the moment on privacy, as it is on just about everything else. As one of the few remaining bridge players, I like to say: “when you have a bad hand, make every card count and take every trick you can.”
But if we do discover in the future that Amazon (or others) are using wireless devices to listen or record conversations without consent of all the parties, at least we — possibly — have something we can do about it.
Stay tuned . . .
Interesting post.
A query. There are lots of devices, such as Ring’s video doorbells, that create audio/video links that are transmitted on unlicensed spectrum. And, I can activate a Zoom conference on my computer (connected to the net via WiFi) and leave the room—turning my laptop into a wireless surveillance box.
It seems to me that the regulatory problems you identify must apply to hundreds of millions of devices in widespread use. Has anyone filed a complaint under 15.9?
Chuck
It’s a good question. I’m unaware of any complaints filed.