Skip to content

Privacy Commissione

The Commissioner's Blog

The Privacy Challenges of Google Glass and Drones (29.04.14)


The ubiquitous commercial and personal use of digital and affordable mobile technology, across all social and economic strata of society, has been changing the world. In particular, it has allowed unprecedented levels of surveillance and tracking of individuals' activities and recording their communication involving personal information, and intrusion into physical space. As examples, we have Google Glass and drones.


Google Glass

Google Glass is a wearable computer that resembles standard eyeglasses. It has a miniature projector, a camera, a microphone, and a touchpad on one side of the device. Users exercise control by way of voice commands as well as swipes and tabs on the touchpad. With the device linked to the Internet and using Google as well as third-party applications, Glass wearers are able to see meaningful information superimposed on the physical scenes.

The use of Google Glass could be highly privacy-intrusive. For example, the device could be used surreptitiously to record and broadcast private conversations. It can be used to conduct secret surveillance on people. If facial recognition capabilities are incorporated, anyone that comes within sight of the Glass wearers could be instantly identified, with details of all personal information that can be searched online.

Despite these privacy-related concerns, Google has rolled out Glass to the masses, albeit for one day on 15 April 2014 in the United States for the time being, for US$1,500.


Drones

Drones are also referred to as remotely piloted aircraft and unmanned aerial vehicles. They are equipped with a range of surveillance devices including sophisticated zoom cameras, infrared thermal imagers, radar, location-based tracking tools, communication interception and listening devices, and other technologies that can record and transmit digital data to ground control systems. They may be deployed for a wide range of purposes to produce enormous societal and economic benefits. For example, the Hong Kong SAR government has deployed drones for land surveying, instead of sending surveyors to rough terrains. Drones may also be used by law enforcement agencies in search and rescue operations, at hostage-taking incidents and other emergencies.

But drones present unique privacy challenges. Their capabilities to collect data with great resolution and granularity at distant vantage points – often for long periods, and on a continuous and covert basis, enable them to conduct effective aerial surveillance of persons of interest in a sustained and surreptitious manner. As the cost of drones becomes more affordable, they are increasingly used by civilians as well. While drones (and Google Glass) could be used purely for recreational purposes, they could also be used for surveillance by private actors like private detectives and journalists, including the stalking of celebrities by paparazzi.

In Hong Kong, professional users and hobbyists alike are required to apply for a permit 28 days prior to flight from the Civil Aviation Department, but only if the drone weighs 7kg or more. Aviation safety is undoubtedly the primary concern of the Civil Aviation Department. But whether or not the department is concerned with privacy and data protection in the issue of the permits is unknown.


Limited Legislative Control

Faced with the challenges of these technologies, the privacy protection that can be provided under the present Personal Data (Privacy) Ordinance is very limited. Enforcement action may be taken by invoking the Data Protection Principle (DPP) on collection of personal data which requires, among other things, that personal data shall be collected by fair means and that practical steps shall be taken to notify the person before collecting his data. I am empowered to remedy a contravention of a DPP by issuing an enforcement notice to the organisation or person at fault. However, while contravention of the enforcement notice is an offence, contravention of the DPP per se is not. There is also the practical difficulty of identifying or tracing the culprit responsible for the surreptitious data collection.

To enjoy the benefits of technological innovations and to safeguard privacy in an increasingly digital and connected world may not be mutually exclusive. A win-win outcome could be achieved by the collaborative efforts of all the stakeholders concerned as explained below.

Enhanced Legislative Sanctions

First, the government should take the lead to look at innovative law reforms to address the privacy issues concerned. It needs not look far for ideas. The privacy subcommittee of the Law Reform Commission of Hong Kong completed six reports during the period from 1990 to 2006, with a full range of recommendations on resolving different privacy topics1. However, only the report relating to the protection of personal data has been thoroughly and comprehensively followed up, culminating in the implementation of the Personal Data (Privacy) Ordinance.

As regards the report on interception of communications and the report on covert surveillance, only the recommendations relating to actions by law enforcement agencies were considered, leading to the enactment of the Interception of Communications and Surveillance Ordinance 2006, while none of the proposals that would have regulated private interception and covert surveillance has been adopted. We have witnessed that many legislators are sceptical on the Police use of body-worn video cameras in handling confrontational incidents where a breach of peace has occurred or is likely to occur2. There is no reason why we are not equally or more concerned about private surveillance and snooping, which are facilitated by technological innovations like Glass and drones.

Further, the other three reports on stalking, privacy torts and media intrusion respectively are still in limbo, except that a public consultation on stalking was conducted from December 2011 to March 2012. The government's position on the way forward is still unknown. Hence the government's re-focus on these controversial areas (private surveillance, stalking, privacy torts and media intrusion) is called for.


Technology Providers to be Accountable for Privacy

In parallel, technology providers should be committed to building privacy and data protection into their products and services. They play a key role in maintaining a trustworthy and privacy-assuring ecosystem, which is essential for technologies to reach their full potential.

Regrettably, in the case of Glass, Google has so far failed to assure me that they have taken privacy seriously in the design and launch of the product. In June 2013, a number of my overseas counterparts jointly issued a letter to Google seeking responses to questions and concerns related to Glass3. In their letter of response, unfortunately Google did not answer many of the queries raised4. On my part, I have since July 2013 made repeated requests for Google to brief my team on Glass and answer the privacy concerns that we have. After a lapse of nine months, I am still awaiting their confirmation of the date of this dialogue.


Consumer Advocacy

Ultimately, customer attitudes and preferences will determine the success or failure of a product or service and the details of its offerings. While Glass is at its infant stage of product launch, it is important for consumers and privacy advocates to speak up and raise their concerns. For example, should we insist that the device must include social cues (e.g. audible noise when taking pictures) as part of its design?

In the U.K., studies have revealed that 20% of consumers feel Glass should be banned due to privacy concerns. In the U.S., similar studies have concluded that 72% of Americans will not wear Glass because of privacy concerns. Further, a number of U.S. businesses (cafes, bars, casinos, movie theatres, parks, etc.) are working towards banning this eyewear or drawing up use restrictions. It will be interesting to watch the reaction of the Hong Kong businesses and consumers.


1 The Law Reform Commission reports for Reform of the Law Relating to the Protection of Personal Data (August 1994), Regulating the Interception of Communications (December 1996), Stalking (October 2000), Civil Liability for Invasion of Privacy (December 2004), Privacy and Media Intrusion (December 2004), The Regulation of Covert Surveillance (March 2006) can all be found at: http://www.hkreform.gov.hk/en/publications/subject.htm#privacy

2 See video recordings of the meeting of LegCo's Panel on Security on 18 March 2014 at:
http://webcast.legco.gov.hk/public/en-us/SearchResult?MeetingID=M14020016

3 See https://www.priv.gc.ca/media/nr-c/2013/nr-c_130618_e.asp

4 See https://www.priv.gc.ca/media/nr-c/2013/let_130627_google_e.asp


The Commissioner's Blog