Privacy battle against U.S. drone surveillance ramps up

The Federal Aviation Administration (FAA), which oversees the domestic deployment of the digital eyes in the sky known as drone aircraft, is suffering from a major blind spot: protection of personal privacy.

That message is now coming not just from privacy advocates but from both federal and state legislators, including Congressmen Ed Markey (D-Mass.), who recently filed a bill to require the FAA to strengthen privacy provisions governing drone surveillance.

The use of drones, more formally labeled unmanned aircraft systems (UAS), has expanded well beyond war zones. Their high-resolution, digital eyes are being used for surveillance in the U.S. with increasing frequency.

Estimates are that there will be 30,000 of them deployed domestically by 2020, by both commercial and government entities.

And the capabilities of those cameras combined with facial recognition technology and databases add up to "not just surveillance, but ubiquitous surveillance," said Bruce Schneier, author, blogger and chief security technology officer at BT. "Instead of 'follow that car,' it's 'follow every car.' And follow it for six months back."

USA Today reported recently that lawmakers are finally taking notice. "Congress and at least 10 state legislatures could consider bills this year that would limit the use of the camera-equipped, unmanned aircraft in the USA," it said.

Markey, now running for the U.S. Senate seat being vacated by recently confirmed Secretary of State John Kerry, filed a bill in December titled the Drone Aircraft Privacy and Transparency Act (DAPTA) to require privacy provisions "relating to data collection and minimization, disclosure, warrant requirements for law enforcement, and enforcement measures in the licensing and operation of ... drones."

Markey and U.S. Rep. Joe Barton (R-Texas) said in an earlier statement that it took them five months to get a response from the FAA on questions about privacy. And Markey said last Nov. 29 that the agency's answers "make it clear that privacy is a 'blind spot' in its oversight of non-military domestic drones. This is misguided and wrong."

Among still-unanswered questions, Markey said: "How [the FAA] plans to notify the public about where and when drones will be used, who will operate the drones, what data will be collected, how will the data be used, how long will the data be retained, and who will have access to the data."

Privacy advocates have been concerned about the proliferation of drones for some time. The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) request nearly two years ago, in April 2011, and then a lawsuit a year ago against the FAA's parent agency, the Department of Transportation, seeking information on drone licensing. It finally obtained several thousand pages of records this past December on hundreds of domestic drones.

[See related: Drones increasing used for surveillance in the U.S.]

Part of the concern is over the capabilities of cameras and other equipment in drones, which can track people, vehicles and even small objects from altitudes greater than 20,000 feet. A recent video posted on YouTube shows Yiannis Antoniades of BAE Systems demonstrating the reach of the 1.8 gigapixel ARGUS-IS video surveillance camera, which can track people and vehicles in a medium-sized city of 15 square miles. Every moving object is tracked and stored.

Amie Stepanovich, associate litigation counsel at the Electronic Privacy Information Center (EPIC), said ARGUS means "a city can be under constant, 24/7 surveillance."

"[ARGUS] will likely operate with numerous, smaller drones that are able to navigate close to buildings and structures and carry sophisticated equipment, like facial recognition, terahertz scanners, and license plate readers," Stepanovich said.

The EFF complaint cited one drone that can crack Wi-Fi networks and intercept text messages and cell phone conversations, "without the knowledge or help of either the communications provider or the customer."

As several comments on the group's website noted, if the government allowed this to become public, it is likely well out of date, and the current capabilities are much greater.

That, according to author and former political consultant Naomi Wolf, is enough to declare that, "the police state [in the U.S.] is now officially here."

Writing in The Guardian, Wolf notes that among the information collected by EFF is that some drones are "as small as hummingbirds -- meaning that you won't necessarily see them, tracking your meeting with your fellow activists, with your accountant or your congressman, or filming your cruising the bars or your assignation with your lover, as its video-gathering whirs."

The drones will not all be from the government either. The FAA, which has already issued permits to Raytheon, General Atomics, Telford Aviation, and Honeywell to test new drones, has been charged by Congress to develop guidelines for both commercial and government drone use by October 2015.

"HSBC, Chase, Halliburton etc. can have their very own fleets of domestic surveillance drones," Wolf wrote. And that, combined with drones used by the military, by the Department of Homeland Security (DHS) and local law enforcement, adds up to some serious surveillance. "The meshing of military, domestic law enforcement, and commercial interests is absolute. You don't need a messy, distressing declaration of martial law."

Schneier agrees the technology is now in place for "a wholesale surveillance state."

"And, you have to remember that technology never gets worse," Schneier said. "It always gets better. That's what's worrisome."

He said Markey's bill will not solve the problem, because it is already arriving a bit late. "It's very difficult to produce regulations with money involved," he said. "Once there is a drone industry, it makes it harder."

But he said there is some value to that and other legislative efforts. "At least it gets a conversation started," Schneier said.

Stepanovich said EPIC has petitioned the FAA to issue "regulations that are based on principles of transparency and accountability for all drone operators."

Read more about data privacy in CSOonline's Data Privacy section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsEFFARGUS-ISdronessoftwaredata protectionData Protection | Data PrivacyEd Markey

More about 24/7BAE Systems AustraliaBT AustralasiaEFFElectronic Frontier FoundationElectronic Privacy Information CenterFAAFederal Aviation AdministrationHalliburton AustraliaHoneywellHSBCRaytheon AustraliaTransportation

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place