FAA Promises Privacy Standards For Domestic Drones

As law enforcement and civilian use of unmanned aerial drones increases, surveillance fears mount.

The Federal Aviation Administration Thursday announced that it will publicly develop privacy policies to cover the use of unmanned aerial vehicles (UAVs), more often referred to as drones, in U.S. airspace.

"The FAA recognizes that increasing the use of [drones] raises privacy concerns," according to a letter the agency sent this week to Marc Rotenberg, president of civil rights group Electronic Privacy Information Center (EPIC). "The agency intends to address these issues through engagement and collaboration with the public."

Privacy concerns surrounding the use of drones in American airspace have been intensifying since President Obama signed the FAA Modernization and Reform Act (FMRA) into law in February 2012. The law includes the requirement that the FAA work toward "integrating unmanned aircraft systems (UAS) into the national airspace system (NAS)," and commence a test program at six different test ranges.

After FMRA was signed into law, numerous consumer, technology and civil rights groups -- including the American Civil Liberties Union, Center for Democracy and Technology, Electronic Frontier Foundation, and EPIC -- wrote to the FAA administrator, demanding that the agency develop privacy standards to cover the use of drones in U.S. airspace. "Drones greatly increase the capacity for domestic surveillance," they wrote, noting that the devices could carry not just high-resolution video cameras, but also infrared cameras, heat sensors and automated license plate scanners, and be programmed to track dozens of targets.

"Drones present a unique threat to privacy," they wrote. "Drones are designed to undertake constant, persistent surveillance to a degree that former methods of aerial surveillance were unable to achieve."

One year later, the FAA has responded, noting that as its test program moves forward, it will solicit comments on the privacy language to be included in its forthcoming UAV directive, which will govern the activities of all test site operators, and become the blueprint for general drone use across the country.

"Test site operators will be required to establish a privacy policy that is public, and builds confidence and trust," according to an FAA notice released Thursday. "Furthermore, the FAA expects that the information gathered about UAS operations at the test sites will contribute to the dialogue among privacy advocates, policymakers and the industry about how to address broader questions relative to the technologies used."

Aviation experts expect to see continuing drone uptake -- by hobbyists, businesses, law enforcement agencies and more -- in the future, and some have estimated that 30,000 new drones could be launched in the next decade. Already, low-end devices can be had for $300, programmed with GPS coordinates and left to fly themselves.

Civilian drone makers are touting their vehicles as a platform for handling "dull, dirty and dangerous" jobs. "In a world of Google maps, the advantage of aerial views of the world are clear, but satellites and manned aircraft are expensive and the pictures they take are often too far away or too infrequent to be useful," wrote former Wired editor-in-chief Chris Anderson, who's CEO of 3D Robotics and the founder of DIY Drones, last month in Time magazine. "Drones can get better views, more often. And those shots can be of exactly what you want to see -- an anytime, anywhere eye in the sky, controlled by you, not The Man."

The military continues to invest heavily in new drone technology. NASA, meanwhile, predicts that UAVs may one day account for a sizeable number of the commercial aircraft operating in U.S. airspace.

But security and privacy concerns have long accompanied the use of drones. Last year, for example, security researchers demonstrated that with about $1,000 worth of equipment, they could spoof the GPS signals used by civilian drones and redirect a drone one kilometer (0.6 miles) away. The researchers said they're working this year toward intercepting a drone from 10 kilometers (6 miles) away.

UAVs developed for military use, which may also be sold to police forces, aren't exempt from such concerns. Notably, Iran in 2011 claimed to have captured a U.S. military drone by jamming its remote-control communications channel. Since then, Iran said it's been reverse-engineering the captured RQ-170 Sentinel and developing its own drone fleet.

Drone transmissions can also be intercepted. In 2008, for example, "U.S. military personnel in Iraq ... apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds," reported The Wall Street Journal. The insurgents reportedly used a $26 piece of software to hijack the drone camera feeds.

Despite that known vulnerability, by October 2012 only 30% to 50% of all military UAVs -- including widely used Reaper and Predator drones -- were broadcasting encrypted footage, Wired reported.

Andrew Hornback,
User Rank: Apprentice
2/24/2013 | 3:16:34 AM
re: FAA Promises Privacy Standards For Domestic Drones
Now, granted, I'm not a lawyer, but... let's throw a scenario out there regarding these drones.

Mid-America, cattle country - you've got a law enforcement drone following a suspect over hill and dale in an area that human officers can't easily get to, out in the middle of a pasture. And you've got a cattle rancher that's had issues with predators attacking his herd in the past, so he or she is on horseback, armed with a shotgun, just in case. Drone pilot loses the suspect and starts a standard, circular search pattern - ends up flying over and seriously disturbing the herd of cattle. Cattle stampede ensues. Rancher doesn't know what's causing the problem, but sees that their herd is "being chased" by a slow moving drone. Shotgun gets trained, trigger pulled, splash one drone.

Now, how does THAT situation get resolved?

Are we going to treat law enforcement drones in the same manner that we do K9 officers or in the same manner as police cruisers? Shooting a K9 officer, in most jurisdictions, is equivalent to shooting a human officer - whereas destroying a police cruiser is a matter of destroying public property.

Who owns and gets final disposition of the footage and sensor information collected by the drones? Does it all get cataloged, put on a shelf and made available to the public? Is it made available to researchers, in this instance, who are looking at cattle herding procedures, soil erosion or other geological/geographical research?

If law enforcement is using a drone for surveillance, how and when does the search warrant get served? I'm sure there are ways around that little annoyance though.

What kind of license is going to be required to fly a drone? Or is it a free-for-all? What about the amount of available spectrum for controlling these drones? What happens when a cargo freighter the size of a 747 gets hi-jacked from the ground? If the military can't keep up with where their RQ-170s are going, how are we supposed to expect commercial or civil operators to keep up with where their drones are going?

And with 30,000 drones over the next decade expected to go operational, how are we supposed to know "the good guys" from "the bad guys" ?

Somebody, preferably outside of Washington, needs to put a LOT of thought into this before turning the spigot wide open.

Andrew Hornback
InformationWeek Contributor
J. Nicholas Hoover,
User Rank: Apprentice
2/15/2013 | 8:03:39 PM
re: FAA Promises Privacy Standards For Domestic Drones
I'm glad the FAA is thinking about this now, rather than years from now when Tacocopter is out delivering tacos and police are regularly operating drones over crime scenes. However, part of me wonders whether new FAA guidance is necessary, or whether instead drone privacy should and could be shoehorned into existing privacy law.