Samra Kasim is a Goldman School of Public Policy, UC Berkeley alum (MPP ’08) and current Senior Consultant and GovLab Innovation Fellow at Deloitte Consulting LLP. Her research interests are at the intersection of technology and policy. She can be reached at firstname.lastname@example.org. Matt Caccavale is a Heinz College alum (MSPPM ’10) and current Senior Consultant and GovLab Innovation Fellow at Deloitte & Touche LLP. He specializes in security and privacy for public-sector clients. He can be reached at email@example.com. Originally published at Nextgov Are you ready for 30,000 unmanned aircraft flying our friendly skies? Whether you are or not, Congress and the President mandated that the FAA integrate drones into the national airspace system by 2015. Addressing the security and privacy concerns, while meeting the integration deadline, will likely require federal, state, and local officials to experiment with new regulatory models. There are a number of inventive and creative options emerging for facilitating the integration of remotely-piloted aircraft domestically. These models offer new ways to manage and regulate this disruptive technology: The Licensing Model. To reduce the risk of privacy creep, unmanned aircraft licensing could correspond with the type of tools and capabilities that are employed by the technology itself. If a local weather service wants to access the airspace to take atmospheric readings, a “Category A” license would be required. However, if the local emergency manager wants to access the skies to conduct a disaster assessment by a high resolution camera, a “Category B” license would be required. Commercial truck drivers use a similar model already. For example, trucks carrying toxic chemicals on public roads are required to follow different rules than trucks carrying timber. The ‘Swiss Army’ Drone. A counter to the licensing model, which keeps the unmanned system’s use intentionally narrow, this model is meant to reduce the number of drones in the sky, but increase their technical capabilities. A single aircraft would be supported by a central entity, who then leases out feeds. Imagine a single drone that has a lens for the local news traffic channel, a lens for local law enforcement, a Light Detection and Ranging sensor for the state EPA, and a thermal scanner for the local fisheries association. This is meant to limit the number of drones in the sky, while centralizing the point of regulation. Shared Services Model. State and local jurisdictions already rely on memorandums of understanding and other shared service models to affordably address public needs. In the case of remotely-piloted aircraft, a central service center would manage the operations and oversight of the drone fleet. This is meant to encourage collaboration across jurisdictions and reduce regulatory inconsistency. A shared services model is also meant to reduce the overhead and aircraft downtime. For example, the city of Baltimore could use a shared services drone to survey traffic on Monday and the District of Columbia could use it to assess erosion on the Potomac River on Tuesday. A version of this model is already in use by Customs and Border Patrol, which loans UAVs to local law enforcement agencies. The Payment Card Industry – Data Security Standards Model. To secure payment transactions, the Payment Card Industry enforces a rigorous set of information security controls and standards that focus on securing the networks that host and transfer credit card data. Like the PCI–DSS model, regulators could focus on securing data collected by drones, such as by encrypting feeds, hardening host servers, and obfuscating data, instead of focusing on the aircraft itself. This data-centric approach emphasizes the privacy of those exposed to drone surveillance. A Smartphone that Flies. While much of the conversation has focused on airspace, the reality is that an unmanned platform is essentially a flying computer. During a recent public panel on drones and domestic surveillance, computer security expert Bruce Schneier noted that “drones are really just . . . mobile computers,” which means they have the same strengths and weaknesses as computers. Viewing drones this way provides policy makers a variety of security frameworks to reference for standards and regulations. These frameworks are accompanied by large networks of information security professionals in the form of the ISC2, CompTIA, andISACA. While debating the future of domestic unmanned systems, Schneier commented that everyday use of drones may seem far off, but “today’s expensive and rare becomes tomorrow’s commonplace.” Security and privacy issues resulting from remotely-piloted aircraft in our skies should be of concern to today’s policy makers and regulators. However, there are innovative and practical solutions that can be tailored to address the challenges while still harnessing their benefits. ]]>
About the author
The Heinz Journal is a student-run publication of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, dedicated to publishing works that link critical and theoretical analysis with policy implementation.