Risk
2/15/2013
11:39 AM
Connect Directly
RSS
E-Mail
50%
50%

FAA Promises Privacy Standards For Domestic Drones

As law enforcement and civilian use of unmanned aerial drones increases, surveillance fears mount.

Military Drones Present And Future: Visual Tour
Military Drones Present And Future: Visual Tour
(click image for larger view and for slideshow)
The Federal Aviation Administration Thursday announced that it will publicly develop privacy policies to cover the use of unmanned aerial vehicles (UAVs), more often referred to as drones, in U.S. airspace.

"The FAA recognizes that increasing the use of [drones] raises privacy concerns," according a letter the agency sent this week to Marc Rotenberg, president of civil rights group Electronic Privacy Information Center (EPIC). "The agency intends to address these issues through engagement and collaboration with the public."

Privacy concerns surrounding the use of drones in American airspace have been intensifying since President Obama signed the FAA Modernization and Reform Act (FMRA) into law in February 2012. The law includes the requirement that the FAA work toward "integrating unmanned aircraft systems (UAS) into the national airspace system (NAS)," and commence a test program at six different test ranges.

[ How will Obama's cybersecurity directive affect you? See White House Cybersecurity Executive Order: What It Means. ]

After FMRA was signed into law, numerous consumer, technology and civil rights groups -- including the American Civil Liberties Union, Center for Democracy and Technology, Electronic Frontier Foundation, and EPIC -- wrote to the FAA administrator, demanding that the agency develop privacy standards to cover the use of drones in U.S. airspace. "Drones greatly increase the capacity for domestic surveillance," they wrote, noting that the devices could carry not just high-resolution video cameras, but also infrared cameras, heat sensors and automated license plate scanners, and be programmed to track dozens of targets.

"Drones present a unique threat to privacy," they wrote. "Drones are designed to undertake constant, persistent surveillance to a degree that former methods of aerial surveillance were unable to achieve."

One year later, the FAA has responded, noting that as its test program moves forward, it will solicit comments on the privacy language to be included in its forthcoming UAV directive, which will govern the activities of all test site operators, and become the blueprint for general drone use across the country.

"Test site operators will be required to establish a privacy policy that is public, and builds confidence and trust," according to an FAA notice released Thursday, "Furthermore, the FAA expects that the information gathered about UAS operations at the test sites will contribute to the dialogue among privacy advocates, policymakers and the industry about how to address broader questions relative to the technologies used."

Aviation experts expect to see continuing drone uptake -- by hobbyists, businesses, law enforcement agencies and more -- in the future, and some have estimated that 30,000 new drones could be launched in the next decade. Already, low-end devices can be had for $300, programmed with GPS coordinates and left to fly themselves.

Civilian drone makers are touting their vehicles as a platform for handling "dull, dirty and dangerous" jobs. "In a world of Google maps, the advantage of aerial views of the world are clear, but satellites and manned aircraft are expensive and the pictures they take are often too far away or too infrequent to be useful," wrote former Wired editor-in-chief Chris Anderson, who's CEO of 3D Robotics and the founder of DIY Drones, last month in Time magazine. "Drones can get better views, more often. And those shots can be of exactly what you want to see -- an anytime, anywhere eye in the sky, controlled by you, not The Man."

The military continues to invest heavily in new drone technology. NASA, meanwhile, predicts that UAVs may one day account for a sizeable number of the commercial aircraft operating in U.S. airspace.

But security and privacy concerns have long accompanied the use of drones. Last year, for example, security researchers demonstrated that with about $1,000 worth of equipment, they could spoof the GPS signals used by civilian drones and redirect a drone one kilometer (0.6 miles) away. The researchers said they're working this year toward intercepting a drone from 10 kilometers (6 miles) away.

UAVs developed for military use, which may also be sold to police forces, aren't exempt from such concerns. Notably, Iran in 2011 claimed to have captured a U.S. military drone by jamming its remote-control communications channel. Since then, Iran said it's been reverse-engineering the captured RQ-170 Sentinel and developing its own drone fleet.

Drone transmissions can also be intercepted. In 2008, for example, "U.S. military personnel in Iraq ... apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds," reported The Wall Street Journal. The insurgents reportedly used a $26 piece of software to hijack the drone camera feeds.

Despite that known vulnerability, by October 2012 only 30% to 50% of all military UAVs -- including widely used Reaper and Predator drones -- were broadcasting encrypted footage, Wired reported.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
2/24/2013 | 3:16:34 AM
re: FAA Promises Privacy Standards For Domestic Drones
Now, granted, I'm not a lawyer, but... let's throw a scenario out there regarding these drones.

Mid-America, cattle country - you've got a law enforcement drone following a suspect over hill and dale in an area that human officers can't easily get to, out in the middle of a pasture. And you've got a cattle rancher that's had issues with predators attacking his herd in the past, so he or she is on horseback, armed with a shotgun, just in case. Drone pilot loses the suspect and starts a standard, circular search pattern - ends up flying over and seriously disturbing the herd of cattle. Cattle stampede ensues. Rancher doesn't know what's causing the problem, but sees that their herd is "being chased" by a slow moving drone. Shotgun gets trained, trigger pulled, splash one drone.

Now, how does THAT situation get resolved?

Are we going to treat law enforcement drones in the same manner that we do K9 officers or in the same manner as police cruisers? Shooting a K9 officer, in most jurisdictions, is equivalent to shooting a human officer - whereas destroying a police cruiser is a matter of destroying public property.

Who owns and gets final disposition of the footage and sensor information collected by the drones? Does it all get cataloged, put on a shelf and made available to the public? Is it made available to researchers, in this instance, who are looking at cattle herding procedures, soil erosion or other geological/geographical research?

If law enforcement is using a drone for surveillance, how and when does the search warrant get served? I'm sure there are ways around that little annoyance though.

What kind of license is going to be required to fly a drone? Or is it a free-for-all? What about the amount of available spectrum for controlling these drones? What happens when a cargo freighter the size of a 747 gets hi-jacked from the ground? If the military can't keep up with where their RQ-170s are going, how are we supposed to expect commercial or civil operators to keep up with where their drones are going?

And with 30,000 drones over the next decade expected to go operational, how are we supposed to know "the good guys" from "the bad guys" ?

Somebody, preferably outside of Washington, needs to put a LOT of thought into this before turning the spigot wide open.

Andrew Hornback
InformationWeek Contributor
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
2/15/2013 | 8:03:39 PM
re: FAA Promises Privacy Standards For Domestic Drones
I'm glad the FAA is thinking about this now, rather than years from now when Tacocopter is out delivering tacos and police are regularly operating drones over crime scenes. However, part of me wonders whether new FAA guidance is necessary, or whether instead drone privacy should and could be shoehorned into existing privacy law.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.