They're buzzing over your parks, photographing your wedding, even roasting your Thanksgiving turkeys. They're drones and unmanned aerial vehicles (UAVs), those futuristic flying devices that can be found everywhere from the forefront of U.S. military research to aisle 17 of the local Walmart -- and they raise significantly data privacy concerns.
It is undisputed that drones and other UAVs are becoming an ever-growing common facet of both our recreational and business lives. At least twenty-two major companies, including Amazon and the BBC, are currently incorporating drones into their day-to-day operations. One proposed congressional bill even estimates that up to 2.7 million drones could be sold per year by 2020.
These remote controlled "eyes in the sky" can collect a vast amount and array of data. Many drones and UAVs are used for aerial surveys, for example, whether of a day in the park or the best route for a pipeline. In 2013, the Air Force Intelligence, Surveillance and Reconnaissance Agency was collecting nearly 1,600 hours of video a day. Its Gorgon Stare drone technology can capture 70 terabytes of surveillance data every 14 hours. The Argus surveillance system, which utilizes drones and UAVs to monitor every moving object in a 36-square-mile radius, can create 85 years worth of video in 24 hours -- an absurd amount.
Video information isn't the only data drones can gather, either. If there's a sensor for it, a drone can detect it, whether it's thermal information, chemical composition, magnetic fields, sound, light, speed, or distance. This data collection isn't limited to government surveillance, either -- any individual or business with a properly equipped drone can rack up huge amounts of potentially sensitive information in a short time.
Perhaps because of drones’ rapid rise to popularity, however, many drone companies have been surprisingly lax on keeping their products hacker-proof. This fact was underscored when one Dutch researcher successfully hijacked a $35,000 police drone with only a laptop, an inexpensive radio chip, and a USB port.
Though the rules and regulations related to drone and UAV technology are only beginning to develop, drone hacking could become a critical problem for a profession that is only starting to take notice of humdrum hacking tactics.
While drones vary in their size and sophistication, the software, WiFi and radio frequency connections they rely on can be easily manipulated, allowing a cybercriminal to commandeer the data connections between the owner’s controls and the drone itself. A drone operator can usually control a commercial drone’s movements by sending signals from an app or computer-based controller to the drone’s flight controller, which acts as the drone’s “brain”. To establish this link, however, mainstream drones such as quadcopters often rely on unencrypted WiFi or radio frequencies to sync up with the owner’s smart device or computer. Because of this, a cybercriminal could hijack the drone’s flight controller by launching man-in-the-middle attacks, where the hacker jumps into the “middle” of the communication exchange between drone and owner to commandeer both the drone and any of its stored data.
While many hackers often hack into drones to steal them or make them crash using GPS spoofing, many others have more intrusive motives. One of the most popular uses of drones, for example, is to capture aerial video footage, which is recorded and transmitted to an operator’s cell phone or other device to edit and publish. A cybercriminal, however, could easily take advantage of software vulnerabilities to gain access to the video feed or, as one Redditor discovered, save the full video feed into a downloadable file on a different computer. In the end, any biometric, visual, and other personally identifiable data stored in the drone could be easily transferred into in a cybercriminal’s hard drive.
As with any new emerging technology, the legal community is only starting to grapple with the data privacy implications that drones and other UAVs pose. Drone privacy data regulations were first addressed when the Federal Aviation Administration was tasked with integrating drones, UAVs, and other advanced flight technology into US airspace as part of the FAA Modernization and Reform Act of 2012. The FAA, however, did not consider data privacy considerations in doing so.
As a result, the Electronic Privacy Information Center, a privacy and civil liberties nonprofit, partnered with other organizations to challenge the FAA’s failure to solicit and consider comments related to data privacy issues. The FAA eventually denied EPIC’s petition in 2014, explaining in a subsequent notice of proposed rulemaking that privacy issues were beyond the scope of its rulemaking powers. The FAA had already taken steps, the agency added, to work with other government agencies and conduct mandatory assessments on the impact proposed laws would have on personally identifiable information. EPIC, unmollified, submitted a petition for judicial review, which floundered in the D.C. Circuit. When the FAA’s final regulations on UAVs were released in 2016, they ultimately did not address privacy considerations whatsoever.
Although EPIC has filed a second petition against the FAA that is still ongoing, one member of Congress has voluntarily stepped in to fill this legal and legislative void. Earlier this year, Senator Edward Markey (D-MA) introduced the Drone Aircraft Privacy and Transparency Act, which, if passed, would subject both private and governmental drone owners to data privacy usage restrictions.
Notably, the bill would prevent private drone operators from acquiring drone licenses unless they release so-called “data statements” that describe the following information to individuals and groups of individuals whose data would be collected:
(A) the circumstances under which the system will be used; and
(B) the specific kinds of information or data the system will collect about individuals or groups of individuals and how such information or data, as well as conclusions drawn from such information or data, will be used, disclosed, and otherwise handled, including--
(i) how the collection or retention of such information or data that is unrelated to the specified use will be minimized;
(ii) whether such information or data might be sold, leased, or otherwise provided to third parties, and if so, under what circumstances it might be so sold or leased;
(iii) the period for which such information or data will be retained; and
(iv) when and how such information or data, including information or data no longer relevant to the specified use, will be destroyed
The law would also affect how law enforcement officials use drones as well, requiring them to issue a so-called “data minimization statement” that would require government drone operators to not only minimize collection of, and subsequently destroy, data not relevant to the investigation of a crime under a warrant, but also describe audit and oversight procedures to regulate agency, contractor and subcontractor conduct while using drones during these investigations.
The proposed law would also give members of the public greater access to any data collected on them by drones. It would also grant private citizens the right to a private cause of action against drone users that would allow them to either enjoin data collection activity or requests damages of up to $1,000 per violation, with an opportunity for treble damages in cases of intentional statutory violations, provisions that won't see much objection from the plaintiffs bar.
While this bill is currently being reviewed by the Senate Committee on Commerce, Science and Transportation, it could spur groundbreaking data protection measures that could bring major changes for the drone and UAV industry -- and for lawyers as well.