FAA Promises Privacy Standards For Domestic Drones

As law enforcement and civilian use of unmanned aerial drones increases, surveillance fears mount.

The Federal Aviation Administration Thursday announced that it will publicly develop privacy policies to cover the use of unmanned aerial vehicles (UAVs), more often referred to as drones, in U.S. airspace.

"The FAA recognizes that increasing the use of [drones] raises privacy concerns," according to a letter the agency sent this week to Marc Rotenberg, president of civil rights group Electronic Privacy Information Center (EPIC). "The agency intends to address these issues through engagement and collaboration with the public."

Privacy concerns surrounding the use of drones in American airspace have been intensifying since President Obama signed the FAA Modernization and Reform Act (FMRA) into law in February 2012. The law includes the requirement that the FAA work toward "integrating unmanned aircraft systems (UAS) into the national airspace system (NAS)," and commence a test program at six different test ranges.

After FMRA was signed into law, numerous consumer, technology and civil rights groups -- including the American Civil Liberties Union, Center for Democracy and Technology, Electronic Frontier Foundation, and EPIC -- wrote to the FAA administrator, demanding that the agency develop privacy standards to cover the use of drones in U.S. airspace. "Drones greatly increase the capacity for domestic surveillance," they wrote, noting that the devices could carry not just high-resolution video cameras, but also infrared cameras, heat sensors and automated license plate scanners, and be programmed to track dozens of targets.

"Drones present a unique threat to privacy," they wrote. "Drones are designed to undertake constant, persistent surveillance to a degree that former methods of aerial surveillance were unable to achieve."

One year later, the FAA has responded, noting that as its test program moves forward, it will solicit comments on the privacy language to be included in its forthcoming UAV directive, which will govern the activities of all test site operators, and become the blueprint for general drone use across the country.

"Test site operators will be required to establish a privacy policy that is public, and builds confidence and trust," according to an FAA notice released Thursday. "Furthermore, the FAA expects that the information gathered about UAS operations at the test sites will contribute to the dialogue among privacy advocates, policymakers and the industry about how to address broader questions relative to the technologies used."

Aviation experts expect to see continuing drone uptake -- by hobbyists, businesses, law enforcement agencies and more -- in the future, and some have estimated that 30,000 new drones could be launched in the next decade. Already, low-end devices can be had for $300, programmed with GPS coordinates and left to fly themselves.

Civilian drone makers are touting their vehicles as a platform for handling "dull, dirty and dangerous" jobs. "In a world of Google maps, the advantage of aerial views of the world are clear, but satellites and manned aircraft are expensive and the pictures they take are often too far away or too infrequent to be useful," wrote former Wired editor-in-chief Chris Anderson, who's CEO of 3D Robotics and the founder of DIY Drones, last month in Time magazine. "Drones can get better views, more often. And those shots can be of exactly what you want to see -- an anytime, anywhere eye in the sky, controlled by you, not The Man."

The military continues to invest heavily in new drone technology. NASA, meanwhile, predicts that UAVs may one day account for a sizeable number of the commercial aircraft operating in U.S. airspace.

But security and privacy concerns have long accompanied the use of drones. Last year, for example, security researchers demonstrated that with about $1,000 worth of equipment, they could spoof the GPS signals used by civilian drones and redirect a drone one kilometer (0.6 miles) away. The researchers said they're working this year toward intercepting a drone from 10 kilometers (6 miles) away.

UAVs developed for military use, which may also be sold to police forces, aren't exempt from such concerns. Notably, Iran in 2011 claimed to have captured a U.S. military drone by jamming its remote-control communications channel. Since then, Iran said it's been reverse-engineering the captured RQ-170 Sentinel and developing its own drone fleet.

Drone transmissions can also be intercepted. In 2008, for example, "U.S. military personnel in Iraq ... apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds," reported The Wall Street Journal. The insurgents reportedly used a $26 piece of software to hijack the drone camera feeds.

Despite that known vulnerability, by October 2012 only 30% to 50% of all military UAVs -- including widely used Reaper and Predator drones -- were broadcasting encrypted footage, Wired reported.

Andrew Hornback,
User Rank: Apprentice
2/24/2013 | 3:16:34 AM
re: FAA Promises Privacy Standards For Domestic Drones
Now, granted, I'm not a lawyer, but... let's throw a scenario out there regarding these drones.

Mid-America, cattle country - you've got a law enforcement drone following a suspect over hill and dale in an area that human officers can't easily get to, out in the middle of a pasture. And you've got a cattle rancher that's had issues with predators attacking his herd in the past, so he or she is on horseback, armed with a shotgun, just in case. Drone pilot loses the suspect and starts a standard, circular search pattern - ends up flying over and seriously disturbing the herd of cattle. Cattle stampede ensues. Rancher doesn't know what's causing the problem, but sees that their herd is "being chased" by a slow moving drone. Shotgun gets trained, trigger pulled, splash one drone.

Now, how does THAT situation get resolved?

Are we going to treat law enforcement drones in the same manner that we do K9 officers or in the same manner as police cruisers? Shooting a K9 officer, in most jurisdictions, is equivalent to shooting a human officer - whereas destroying a police cruiser is a matter of destroying public property.

Who owns and gets final disposition of the footage and sensor information collected by the drones? Does it all get cataloged, put on a shelf and made available to the public? Is it made available to researchers, in this instance, who are looking at cattle herding procedures, soil erosion or other geological/geographical research?

If law enforcement is using a drone for surveillance, how and when does the search warrant get served? I'm sure there are ways around that little annoyance though.

What kind of license is going to be required to fly a drone? Or is it a free-for-all? What about the amount of available spectrum for controlling these drones? What happens when a cargo freighter the size of a 747 gets hijacked from the ground? If the military can't keep up with where their RQ-170s are going, how are we supposed to expect commercial or civil operators to keep up with where their drones are going?

And with 30,000 drones over the next decade expected to go operational, how are we supposed to know "the good guys" from "the bad guys"?

Somebody, preferably outside of Washington, needs to put a LOT of thought into this before turning the spigot wide open.

Andrew Hornback
InformationWeek Contributor
J. Nicholas Hoover,
User Rank: Apprentice
2/15/2013 | 8:03:39 PM
re: FAA Promises Privacy Standards For Domestic Drones
I'm glad the FAA is thinking about this now, rather than years from now when Tacocopter is out delivering tacos and police are regularly operating drones over crime scenes. However, part of me wonders whether new FAA guidance is necessary, or whether instead drone privacy should and could be shoehorned into existing privacy law.