Last August, the Department of Justice (DOJ), Federal Aviation Administration (FAA), Department of Homeland Security (DHS), and Federal Communications Commission (FCC) issued an advisory guidance document to help non-federal public and private entities navigate the laws and regulations related to Unmanned Aircraft Systems (UAS), commonly referred to as drones, mitigation and detection technology. The advisory references various federal provisions and laws that could render such technology illegal to use but does not cover state and local laws that might also be relevant.
The advisory states radar, electro-optical, infrared, and acoustic detection systems are less likely to pose concerns under federal criminal surveillance statutes. However, Radio Frequency (RF) based systems may implicate these statutes. This should not rule out RF-based systems as an option, though, because among other unique benefits, they are the only type that can reliably detect the drone’s pilot (controller), and there are existing technologies that don’t violate the referenced statutes.
American Security Drone Act of 2021
The American Security Drone Act of 2021, formerly introduced as the American Security Drone Act of 2019, was given new life in January 2021 with bipartisan support and now incorporates drone detection and mitigation systems, not just drones. It would ban federal entities from purchasing drones and detection/mitigation systems developed by “covered foreign entities” which includes entities who pose a national security risk or are influenced by or located in the People’s Republic of China (PRC).
The bill stems from the U.S. government’s long-standing concerns about the popular Chinese-made DJI drone collecting information that could be exploited by the Beijing government. As a result, several government agencies have grounded their DJI fleets.
Get to The Bottom of System Legality and Security
The federal advisory cautions against relying solely on vendors’ representations of their systems’ legality or functionality. Here are five questions you can ask RF-based technology vendors to determine if they are in compliance with the federal advisory or could be banned by the American Security Drone Act of 2021 for security and cybersecurity reasons.
- Does the system include any mitigation capabilities?
Mitigation includes any method that takes a drone out of the sky which falls into two categories: non-kinetic and kinetic. Non-kinetic mitigation uses non-physical measures such as signal jamming or a geo-fence to disrupt or disable a drone. Kinetic methods include physical measures like lasers or projectiles.
The FAA considers drones as aircrafts, so bringing one down comes with a host of legal ramifications. The advisory doesn’t even go into the potential legal consequences of the property damage or injury to people a drone could cause upon a sudden landing.
For good reason, Congress only allows the Departments of Defense, Energy, Justice, and Homeland Security mitigation authority which makes the ability to locate the drone pilot even more important for the majority without this authority.
- What information is the technology collecting (e.g., UAS type, manufacturer, model, protocol, unique identifier, telemetry)?
This question comes straight from the advisory and is related to The Pen/Trap Statute. Use or installation of a pen register or trap and trace device is prohibited unless conducted with a court order or statutory exception or if you are a provider of wire or electronic communication services. The term “pen register” means a device or process which records or decodes dialing, routing, addressing, or signaling (DRAS) information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.
Put simply, signal communications between a drone and its controller are protected by this statute. So RF-based systems cannot interfere with these communications or extract any information from them. This includes UAS type, manufacturer, model, protocol, unique identifier, and telemetry.
If a vendor’s answer to this question is anything but no information at all is collected, their system may implicate the Pen/Trap Statute.
- Is any of the information extracted DRAS information?
It is possible that as little as extraction of a timestamp from the drone signal by a drone detection system may qualify as DRAS information. This is why it’s better to opt for technology that only monitors for the existence of RF signals without reading or intercepting them in any way.
*Image courtesy of the author
Figure 1 helps visualize how different types of RF-based drone detection systems operate. Systems that “read the letter” would extract things within the drone signal like GPS coordinates of the drone/controller to locate the devices. Systems that “read the address on the envelope” may read the timestamp, for example. Systems that only “look for the presence of the envelope” do not implicate the Pen/Trap Statute because they only monitor for the presence of RF signals in the environment much like a Geiger-counter detects the presence of radioactive material.
- Are electronic communications being acquired? If so, are any portions of the communications acquired by the technology “content?”
These are also questions from the advisory but this time related to the Wiretap Act which prohibits the interception of radio communications. It defines “content” as “any information concerning the substance, purport, or meaning of any wire, oral, or electronic communication” which does not include the existence of the communication.
Refer to Figure 1 to help determine which systems implicate the Wiretap Act. Systems that read or extract information inside or outside of the drone signal would be in violation.
- What is the equipment and software country of origin?
This question goes back to the security and cybersecurity concerns related to the American Drone Security Act of 2021. Network-connected hardware from an adversarial country presents a significant security risk and may soon be illegal to purchase.
Systems that illegally demodulate and decode drone signals may be reading ALL signals in your environment to determine which are the ones it’s looking for. Do you really want to take that risk even if the bill doesn’t pass?
Also, be cautious if you are working with a reseller of drone detection technology. They may be whitelabeling another technology.
Disclaimer: I am not a lawyer and this should not be considered legal advice. You should seek appropriate counsel for your own situation.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.