What Is the Eye in the Sky Actually Looking at and Who is Controlling It? An International Comparative Analysis on How to Fill the Cybersecurity and Privacy Gaps to Strengthen Existing U.S. Drone Laws.

• Author: Urban, Jennifer

TABLE OF CONTENTS

1. INTRODUCTION 3 II. TECHNOLOGICAL EXPLANATIONS 6 III.HISTORY OF BASIC 7 DRONE LAW IV. DRONE CYBERSECURITY ISSUES 11 V. DRONE PRIVACY 15 ISSUES A. HISTORY OF DRONE PRIVACY LAWS 15 B. GENERAL PRIVACY LAWS 16 C. DRONE SPECIFIC PRIVACY LAWS 18 D. VOLUNTARY BEST PRACTICES FOR UAS PRIVACY, TRANSPARENCY, AND ACCOUNTABILITY 20 VI. GLOBAL DRONE LAWS AND SOLUTIONS 22 A. ADDITIONAL COUNTRY SPECIFIC SOLUTIONS 24 1. AUSTRALIA 25 2. CANADA 26 3. CHINA 28 4. EUROPEAN UNION 30 5. FRANCE 32 6. GERMANY 33 7. ISRAEL 35 8. NEW ZEALAND 37 9. SWEDEN 38 10.UNITED KINGDOM 39 VII. SOLUTIONS 42 VIII. CONCLUSION 44 APPENDIX A: ADDITIONAL COUNTRIES THAT HAVE ENACTED 45 PRIVACY LAWS REGARDING DRONE OPERATIONS APPENDIX B: CANADIAN DRONE INCIDENT REPORT FORM DEPICTIONS 50 APPENDIX C: CLASSIFICATION OF DRONE OPERATIONS IN CHINA 52 APPENDIX D: CLASSIFICATION OF DRONE OPERATIONS IN THE 53 EU Recent years have proved such a splendid success for aeronautics that it really seems justifiable for law to begin to take its share in the aerial labour. - Johanna Francina Lycklama A Nijeholt. (1) I. INTRODUCTION

   Drones are no longer seen as toys only techies get as Christmas gifts; (2) nor are they seen as only being used in new military operations; drones are becoming an integral part of today's global society. UAVs are being used for many different purposes ranging from the National Aeronautics and Space Administration's ("NASA's") use of a drone to collect data and monitor Hurricane Matthew, (3) to construction companies use of drones to map out and supervise large construction projects in order to cut their labor time from months down to minutes. (4)

   While UAVs are making many things easier, the benefits come with unique challenges. For example, over the last two years, Dubai International Airport ("DXB") had to shut down three times due to unauthorized drone activity. (5) Each time DXB shut down, it caused a loss of approximately $1,007,310 USD per minute, (6) meaning the shut down on September 28, 2016, for twenty-seven minutes cost Dubai's economy $27,197,370 USD. (7) These shut downs prompted the United Arab Emirates General Civil Aviation Authority ("GCAA") to make DXB a no-fly zone, illustrating the immediate need for drone regulations globally. After these shut downs occurred, Emirates airline asked the GCAA and Dubai Civil Aviation Authority ("Dubai CAA") to enact stricter regulations regarding drone operations around DXB in order to improve the safety of manned aircraft flights departing from and arriving at DXB. (8) Due to the difficult nature of identifying the drone operator, it has proven to be challenging to enforce UAS no-fly zones. (9) In order to better enforce the UAS no-fly zone around DXB, the Dubai CAA has begun experimenting with a "drone-hunting" drone that can identify unlawful drone operations within the zone. (10) According to UAs attorneys Jennifer E. Trock and Chris Leuchten, "[t]he drone-hunter aerially patrols the airport perimeter, using a thermal and infrared imaging to detect unauthorized drones, tracks their frequencies, follows the uAs back to its owner, and sends a signal to the Dubai police." (11) The "drone-hunting" drone is one solution posed thus far to help solve unauthorized drone operations and could be helpful in protecting the privacy of ordinary citizens. (12)

   Drones violating air space is not the only problem this new technology creates. Both cybersecurity and privacy issues arise as a result of drone activities. A research team at the University of Texas at Austin employed "spoofing" (13) to hack a drone belonging to the university. (14) The spoofing was done through a mechanism where the hackers were able to get the drone to mistake their signals for the ones sent by the owner's GPS satellites. (15) This hack was done for research on drone vulnerability, which confirmed the fear that it is not very difficult for a drone to be hacked and the realization that many cybersecurity implications that could come from this.

   The privacy issue related to drones arose in a 2015 lawsuit where David Boggs, a resident of Kentucky, had his drone shot down by his neighbor william Merideth. (16) Merideth argued that the drone operations caused a trespass on his right to privacy. (17) On the opposing side, Boggs argued that, according to title 49, section 40103 of the U.S. Code, "the United States Government has exclusive sovereignty of airspace of the united states," and therefore, Merideth did not own the airspace, so no trespass could have occurred. (18) There is a lack of precedent on this issue. The most recent case on point is United States v. Causby in 1946, where the United States Supreme Court held that a landowner's property rights extended up to 83 feet above his land into the air space. (19) Although this case is relatively on point, it is outdated. it is unlikely the justices in 1946 could have imagined the holding's implications on drones decades later.

   Another theory that has been argued is the common law rule of Cujus Est Solum, Ejus Est Usque Ad Ccelum Et Ad Inferos, which is defined as "[t]o whomever the soil belongs, he owns also to the sky and to the depths. The owner of a piece of land owns everything above and below it to an indefinite extent." (20) Therefore, if a drone trespasses in air space, it will depend on how high the drone is flying as to whose air space it is violating. Also, this raises the following question: if drones are always violating either a third party's or the government's air space, then where can drones legally fly, besides right above the drone operator's own property? Boggs' lawyer, James Mackler, noted that an important precedent could be set by this case when he stated, "[p]roperty owners deserve to be free from harassment and invasion of their privacy... Likewise, aircraft operators need to know the boundaries in which they can legally operate without risk of being shot down. This lawsuit will give clarity to everyone." (21) In a press release, the Federal Aviation Administration ("FAA") clarified that the assumption that airspace below 400 feet is not controlled by the FAA, was false. (22) The FAA further stated that, "[t]he FAA is responsible for the safety of U.S. airspace from the ground up. This misperception [about the FAA's jurisdiction over airspace below 400 feet] may originate with the idea that manned aircraft generally must stay at least 500 feet above the ground." (23) Both cybersecurity issues and privacy issues relating to drones exemplify the lack of laws and solutions on how to handle UAS flights.

   This paper will argue that it is imperative for regulations on UAVs to address cybersecurity and privacy issues in order to remain on the forefront of technology within the aviation industry. Although it may seem like it is more important to establish basic laws on UAS usage, legislators need to work proactively, rather than retroactively, to prevent detrimental cybersecurity and invasions of privacy from occurring.

2. TECHNOLOGICAL EXPLANATIONS

   The definition of "unmanned aircraft" is "an aircraft that is operated without the possibility of direct human intervention from within or on the aircraft." (24) Hot air balloons are likely the first unmanned aircraft; however, they are not always considered as such because the pilot cannot fully control the balloon's flight operations. (25) Further, the term "unmanned aircraft system" means "an unmanned aircraft and associated elements (including communication links and the components that control the unmanned aircraft) that are required for the pilot in command to operate safely and efficiently in the national airspace system." (26) A small unmanned aircraft is "an unmanned aircraft weighing less than 55 pounds." (27) The small unmanned aircraft is what the newly enacted Part 107 regulates, which will be discussed later in this paper. (28)

   The International Telecommunication Union defines cybersecurity as:

   the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets. Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment. The general security objectives comprise... availability, integrity,... [and] confidentiality. (29) According to the United States National Academy of Sciences, cyber attacks are defined as the "deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks." (30)

3. HISTORY OF BASIC DRONE LAW

   The United States' airspace is the busiest in the entire world; (31) yet, the government has not provided adequate solutions on how to handle drones and its operations within US airspace. In February 2007, the FAA released a statement that UAS are aircrafts and, as such, the FAA banned commercial drone operations unless the drone operator was given an exemption and was a licensed pilot. (32) The exemptions for commercial operations were to be reviewed by the FAA on a case-by-case basis. (33)

   In 2012, Congress enacted the FAA Modernization and Reform Act, which required that the FAA establish regulations to bring UAS into the overall national airspace system. (34) The new FAA regulations had to be established by September 30, 2015. (35) The FAA missed the deadline for enacting regulations regarding drones, claiming that their number one goal was safety and that the enactment of these regulations would take...