A topic discussed for years in the counter-UAS industry and within law enforcement, public safety, and critical infrastructure security circles is the legality of some radio frequency (RF) drone detection systems. The topic has been confusing from both a legal and logical standpoint. Recently, with the implementation of the Remote ID rule, many have been wondering what the difference is between Remote ID message elements and the typical data communicated between the drone and the ground control station (GCS). Some passive RF drone detection systems can acquire one or both data streams.
The confusion stems from sensors that can decode or demodulate the information contained within RF signals. As an example, The Wiretap Act prohibits “intentionally intercept[ing]” the content of “any…electronic communication[,]” unless it is conducted under a court order or a statutory exception applies. Some exceptions apply to the Wiretap Act, but existing case law raises questions as to the scope of those exceptions.
For additional information and guidance regarding the applicable laws relating to the use of detection and mitigation systems in the United States, please visit– Advisory on the Application of Federal Laws to the Acquisition and Use of Technology to Detect and Mitigate Unmanned Aircraft Systems
In addition to the unclear laws and how they are applied, privacy and civil liberties groups have expressed Fourth Amendment concerns about the interception of communications between the ground control station and the drones. In an article published last Fall by the Electronic Frontier Foundation, one of the concerns stated, “..the Administration proposes to give itself permanent, unfettered access to the communications of private drones, as well as the drones themselves, without having to get a warrant or explain their actions to the public.”
Based on the concerns of some lawmakers and special interest groups who oppose elements of proposed legislation that would provide critical infrastructure and law enforcement with legislative relief to use a full range of RF detection equipment, it is essential to explore this topic in further detail. With the Remote ID rule in effect, what are the real concerns with gathering similar information broadcast between the drone and the ground control station with an RF-based drone detection sensor?
The Remote ID Rule
One quick thing to get out of the way, because I’ve heard it asked before- The Remote ID rule is not a replacement for Counter-UAS detection equipment. First, it is important to understand that not all drones are required to broadcast Remote ID message elements. Additionally, the broadcast range of Standard Remote ID and drones with a Remote ID Broadcast Module may be limited due to various technical factors, such as RF interference, vegetation, terrain, etc. For those reasons and many others that we won’t cover in this article, Remote ID does not negate the need for law enforcement, public safety, and critical infrastructure to access a full range of drone detection technology at a minimum.
Remote ID serves as a digital equivalent of a license plate and aids the FAA, law enforcement, and security personnel in locating the control station when a drone is observed flying unsafely or within restricted airspace. This regulation necessitates that drones possess the capability to transmit specific identification, location, and performance data to be received by individuals on the ground and other airspace users. RID establishes the essential foundation for enhancing safety and security measures to support more intricate drone operations.
The FAA’s final rule on Remote ID requires most drones operating in the U.S. to have Remote ID capability. Drone operators can comply with the Remote ID rule by acquiring a conventional drone equipped with Remote ID technology from a manufacturer or obtaining a Remote ID broadcast module attached to existing drones lacking Remote ID capabilities. Drones without Remote ID can operate without broadcasting by flying within the visual line of sight of the drone pilot in an FAA-Recognized Identification Area (FRIA).
The Remote ID rule was not without controversy. In the 60-day comment period after the Remote ID Notice of Proposed Rulemaking (NPRM) was published in December 2019, over 53,000 comments were received by the FAA. The comments ranged from broad support to outright disapproval.
RaceDayQuads (RDQ) did more than comment on the NPRM; they filed a lawsuit.
In an article for Inside Unmanned Systems, Dawn Zoldi summarized the lawsuit in a way non-attorneys can understand. The RDQ lawsuit outlined several arguments, including the rule violated the Fourth Amendment by permitting persistent warrantless tracking. RDQ contended that the Remote ID rule was inherently unconstitutional under the Fourth Amendment. This assertion was based on the argument that Remote ID’s continuous GPS tracking, accessible by law enforcement without a warrant, would infringe upon an individual’s reasonable expectation of privacy.
The U.S. Court of Appeals for the D.C. Circuit ultimately ruled against RDQ because drones fly in public and in the air, stating, “…Drone pilots generally lack any reasonable expectation of privacy in the location of their drone systems during flight…”
Although the court deemed the rule acceptable as it stands, it kept the possibility open for potential challenges on a case-by-case basis in the future.
When the FAA published the final rule on Remote ID in January 2021, the privacy concerns were addressed as follows, “As explained in the proposed rule, remote identification message elements that are broadcast would be publicly available to any device capable of receiving the broadcast. The proposed rule explained that though the message elements themselves would be publicly accessible information, the ability to cross-reference that information with non-public registry data would not be publicly available. This information would be limited to the FAA and available only to government agencies for the purpose of security or enforcement of laws, unless otherwise required by law to be released. This policy remains unchanged for this rule.”
What is communicated between the ground control station and the drone… and why?
Before we explore the message elements required to be broadcast by the Remote ID rule, let’s first explore the data stream communicated wirelessly between the GCS and the drone. What is the purpose of transmitting the data in the first place?
A GCS is a ground-based hardware and software component of an uncrewed aerial system (UAS). It allows drone operators to communicate with and control a drone and its payloads by setting parameters for autonomous operation or by allowing direct control of the uncrewed aerial vehicle (UAV).
The GCS also receives important drone telemetry data from the aircraft. Drone telemetry is information collected about the aircraft and its environment transmitted to the operator or GCS. This data can be extracted from the drone’s autopilot, sensors like accelerometers, gyroscopes, GPS, or subsystems such as the aircraft’s power supply.
The wireless data links do not have unlimited bandwidth to transmit data to and from the GCS. Therefore, only essential and available data is transmitted for the safe and efficient operation of the drone.
This leads to a logical question- assuming personally identifiable information is available to be transmitted: What would be the purpose of transmitting that data? What value would it add to the safe and efficient operation of the drone or its payload? I can’t think of any.
Because of the limited bandwidth of wireless data links and the necessity to transmit and process only relevant data, personally identifiable information, if it were being transmitted, would serve no purpose in that data stream.
Remote ID Data and Drone Telemetry Data Comparison
With an understanding of the concerns of some lawmakers and special interest groups, as well as a cursory review of the Remote ID rule and the purpose of the data transmission in the first place, let’s explore what message elements are being broadcasted by drones with Standard Remote ID, and the Remote ID Broadcast Module and compare those message elements to a sample of information being communicated to or from the ground control station and the drone by popular drone manufacturer DJI (per the source for this article), Parrot, and the type of telemetry data available from the Team Black Sheep (TBS) Crossfire protocol.
Remote ID Compared to a Sample of DJI Telemetry Data
The Unique User Identifier (UUID) ties information input into a registered DJI account to the drone. A drone’s serial number, Drone ID, or UUID, is equivalent to a license plate on a car. I can see a license plate on a car as it drives by me, but it does not tell me who owns the car, where the owner lives, or any other personal data (unless the vehicle owner voluntarily puts their name on a vanity plate). If available, this additional layer of personal information is not available to the general public and, in some cases, may require a legal process, such as a court order, subpoena, or warrant, to access the information.
The Parrot AirSDK allows developers to access all of the built-in drone sensors, such as the Inertial Measurement Unit (IMU) and Global Positioning System (GPS), all cameras, connectivity interfaces (WiFi, 4G), and drone autonomous features such as the autopilot, flight plans, sensing, and obstacle avoidance planning.
The Air SDK documentation lists the following types of telemetry data available to developers:
- Flight sensors data: barometer, battery, GPS, IMU, magnetometer, motors, time of flight
- Flight data: altitude, angles, position, velocity
- Camera stabilization data: angles, position
- Camera settings
Team Black Sheep Crossfire
According to Team Black Sheep (TBS), the Crossfire protocol is a long-range R/C link based on the newest RF technology, capable of self-healing two-way communications, ultra-low latency, and range beyond comprehension.
It is also important to note in the RaceDayQuads case, the court ruled that “the drone system’s real-time location data says nothing qualitative about the nature of the location nor the operator’s relationship to it (e.g. whether he is at his home).”
Although this sample does not include a comprehensive list of the data transmitted by a large sample of makes/models of drones or protocols, none of the information transmitted by the sample list of protocols or Remote ID message elements would be considered private or personally identifiable information. If readers know of any protocols transmitting personally identifiable information, please contact me on LinkedIn; I’d be happy to correct this article.
This leads me to my last point: If lawmakers and privacy and civil liberties advocates are concerned about personally identifiable information being intercepted and demodulated by passive RF sensors, perhaps it would be more effective to pass a law prohibiting that type of information from being transmitted by the GCS or the drone in the first place. Resolve the perceived issue at the source of the problem. Don’t inhibit the ability of law enforcement and security personnel to access essential telemetry data to make timely decisions that impact the lives of others.
What is this telemetry data needed for anyway?
The importance of the data in the wireless signal between the GCS and the drone for law enforcement or security operations can not be understated. The process of first detecting the drone and then assessing the threat of the drone are two of the most crucial aspects of a Counter-UAS operation.
Drones don’t come out and tell you they are a threat, so a counter-UAS operator must assess the threat based on their training, policies, and procedures or with the assistance of available software. The only method by which a counter-UAS operator can assess the threat of the drone is through information provided by available sensors such as cameras, radars, acoustic sensors, and passive-RF detection sensors.
Knowing that a drone is near the area you are trying to protect is a good start. Still, additional data is necessary for a well-informed and efficient threat assessment.
For example, data such as the longitude, latitude, and altitude of the drone will help assess whether the drone has violated restricted airspace, is flying over a crowd at a stadium, or is in the vicinity of aircraft that are taking off or landing at a crowded airport.
The drone type (make/model) would provide a knowledgeable counter-UAS operator with enough information to estimate the drone’s payload capacity, flight time, and range, to name a few.
The pilot or control station latitude/longitude would inform law enforcement or security personnel where to find the drone operator if that operator is flying recklessly or violating federal, state, or local laws.
Without this additional information, law enforcement and security personnel are left to assess and resolve the situation without access to relevant data that may assist in efficiently resolving the incident.
The Takeaway- What’s the Beef?
With the Remote ID rule in effect, the U.S. Appeals Court ruling that there is no expectation of privacy in the airspace, and the non-personally identifiable telemetry information communicated between the ground control station and the drone, why is the use of certain RF-based drone detection systems that decode this type of data such a controversial issue?
It should be a relatively easy political decision with a high impact on public safety to provide legislative relief from applicable laws that would allow all law enforcement agencies and owners and operators of critical infrastructure to use a wide variety of drone detection tools to achieve airspace awareness above and around protected assets and facilities. We cannot afford to think that physical security is still two-dimensional. It also includes the three-dimensional airspace above us.
And while we are at it, what is the issue with retaining this telemetry data? Current and proposed laws seek to limit the time (180 days) this data can be retained unless it falls under a specific exception. Again…why? No personally identifiable information is being collected, and the data can be essential in connecting criminal, nefarious, and suspicious incidents at critical infrastructure, mass gatherings, and other important assets at multiple, separate locations.
Mitigation of Drone Threats
The ability to use a wide variety of detection technologies and data retention are not the only essential topics of this discussion. Let’s quickly talk about mitigation.
Mitigation can be described as the ability to use technology to disrupt, disable, or destroy a drone that is believed to be a credible threat. The number of agencies with authority in the United States to use this type of technology is limited to the Department of Justice, Department of Homeland Security, Department of Energy, and the Department of Defense.
State, local, tribal, and territorial law enforcement (SLTT) agencies must be trained and certified to employ mitigation technologies and techniques to protect mass gatherings, assets, and critical infrastructure locally from the quickly evolving drone threat. The four agencies with existing authority either don’t have jurisdiction to support specific public safety missions or lack the personnel and resources to protect the numerous mass gatherings and critical infrastructure locations throughout the United States.
The Biden Administration Domestic Counter-UAS National Action Plan released in 2022 recommended the creation of a “… Federally-sponsored pilot program for selected SLTT law enforcement agency participants to perform UAS mitigation activities and permit critical infrastructure owners and operators to purchase authorized equipment to be used by appropriate Federal or SLTT law enforcement agencies to protect their facilities.” The plan also recommended establishing a National Counter-UAS training center to facilitate interagency cross-training and collaboration.
The Senate and House versions of the “Safeguarding the Homeland from the Threats Posed by Unmanned Aircraft Systems Act of 2023” contain language of the pilot program and training for SLTT law enforcement. This portion of the legislation must also be passed for the homeland’s security.
In addition to legislative relief for RF detection, a federally created and sponsored school to standardize drone mitigation tactics, techniques, and procedures and a pilot program for SLTT are the most logical next steps in evolving this new security specialty. It allows for expanding capabilities to SLTT law enforcement to protect our communities while ensuring the Counter-UAS mission is conducted in a way that minimizes the risk to the national airspace and the communications spectrum and ensures the protection of important First and Fourth Amendment rights.
The threat is real and present and knows no borders. Congress must act now.
Special thanks to Casey Flanagan for his telemetry data research for this article.