To understand the use and impact of encryption, consider the following facts:
Forty-four percent (44%) of financial services use encryption technology.
30 million householders use online banking.
E-commerce produces $341.7 billion of revenue to the U.S. economy.
Because encryption is frequently used by businesses and other people in their daily lives, the tragic events of Paris and in San Bernardino shows how encryption can also be used for wrong. Unfortunately, law enforcement has not developed the technology to break an encryption code.
The report recognizes this dilemma, as do most law enforcement officials. One approach that has been suggested comes from Professor Ron Canetti, a cryptology expert from Boston University. Professor Canetti called for law enforcement, “[to] concentrate on encryption made by bad guys. Making the everyday encryption of the general public weak isn’t going to get you what you want, [not] when it comes to coordinated terrorist attacks. There’s no silver bullet answers.”
The majority staff agreed with Professor Canetti’s perspective that there are no easy answers. The committee recommends and supports the call for a Digital Security Commission to address this dilemma. The Commission will include individuals from the various sectors that are impacted by encryption, including, but not limited to: law enforcement, e-commerce, tech, intelligence, data privacy, and civil liberties. The Commission’s focus will be to address the encryption issue and “develop policy and legislative recommendations to present to Congress.”
The committee recognizes that the encryption debate is a very complex matter and that it will take time to reach a consensus. Kudos to them for realizing this and hopefully, the committee members would heed their advice.
As former House speaker, Newt Gingrich (R-GA) and former House Intelligence Committee Jane Harman (D-CA) wrote, “The question of encryption is too central to this country’s future to answer without a real dialogue.”
The latest announcement, Part 107 of the Federal Aviation Regulations, allows business to fly drones as long as they meet the described operational requirements. Among the regulations promulgated by the FAA:
Drones must weigh less than 55 pounds, including securely attached systems and/or cargo.
Unmanned Aircrafts must remain within unaided sight, meaning a person must be able to physically see their aircraft without the assistance of binoculars or any other device.
Flights must occur during daylight hours at no more than 400 feet above ground level, or remain within 400 feet of a structure.
Flights cannot exceed 100mph (87 knots) and must remain within state boundaries.
It is also prohibited to fly a small UAS “over any persons not directly participating in the operation.”
The FAA airworthiness certificate is no longer required so long as the pilot checks the aircraft pre-flight to ensure it is operating correctly.
The biggest changes to the regulations is the requirement of commercial drone operators to take a written drone-specific knowledge test, must be at least 16 years old, and must know English.
Though privacy concerns were not specifically addressed at this point, it was noted that future guidelines will be issued and that a government campaign educating businesses and commercial drone operators on privacy issues is taking place. The FAA does however recommend that drone operators check with state and local laws regarding privacy and data collection.
The White House noting the unaddressed privacy concerns in a general Fact Sheet on aviation technology stated:
“Looking forward, in consultation with industry and research partners, the FAA is considering additional rules that will further enable safe unmanned aircraft operations—including, for example, to govern the flight of unmanned aircraft over people. This rule is the first step towards a long-term vision of the airspace of the future that will be fully integrated, allowing for the routine safe operation of unmanned aircraft alongside manned aircraft.”
Many large companies interested in expanding on delivery services are not satisfied with the latest set of rules. According to the Wall Street Journal, many manufacturers and trade associations find the FAA regulations too narrow in scope and hinder growth by industries looking to expand exponentially in the near future. However, many of the corporate concerns were addressed by the Obama Administration’s release, which points to further research on areas such as integration of technology for public data collection and expansion of economic opportunities.
The FAA says that industry estimates are predicting that commercial drone operations will generate billions of dollars in the United States alone, with millions joining the commercial drone market, and thousands of jobs created. Companies looking to advance drone delivery services will have to wait for more extensive safety research for the time being as the government races to keep up with the latest technology.
Smaller companies have commented that the regulations cover basic requirements needed for services in various sectors such as agriculture, maintenance and safety projects. US Transportation Secretary Anthony Foxx voiced similar satisfaction in a press release on the latest rule stating, “We are part of a new era in aviation, and the potential for unmanned aircraft will make it safer and easier to do certain jobs, gather information, and deploy disaster relief.”
The drone debate will inevitably continue as new questions and concerns arise and technology expands. Commercial interests and the advancement of current technology must be conducted safely, with civilian interests and privacy concerns given equal attention. Secretary Foxx noted that the administration “look[s] forward to working with the aviation community to support innovation, while maintaining our standards as the safest and most complex airspace in the world.”
The FAA has taken a great leap towards integrating unmanned aircrafts safely into the national airspace, but this is just the first step with many still to come.
More information on Part 107 – Small Unmanned Aircraft Regulations can be found at the following websites:
*The regulations and prohibitions listed under the latest FAA rules also include the ability to apply for a certificate of waiver. If the FAA finds that proposed operations can be performed safely, they may allow for small UAS operations to deviate from specific rules.
More information on Waivers to Small UAS Operating Rules can be found here.
Senator John Thune (R-SD) said the FAA “will be better able to grant permission for new and safe drone usage” as a result of this new law. A federally authorized drone program appears to have support from UAS industry companies. Supporters of this approach believe business ventures would become less complex should interstate commerce, such as delivery services, become implemented. The bill specifically approves commercial drone flights during night-time hours which advocates have praised as it allows for further innovation in commercial and delivery drone services.The legislation also calls for increased funding to be used in keeping drones away from airports and enforcement of drone regulations.
Critics of the bill, such as Senator Diane Feinstein (D-CA), proposed eliminating language that gives FAA authority over state regulations. Though she supported the bill as a whole, she strongly opposes specific rules that would prohibit local and state safety laws. Feinstein spoke out against the bill stating, “Reckless drone use varies significantly in different states and even within a state, which is why we need to maintain the ability for states to set their own standards of drone operation.”
PobleteTamargo attorney, Jason Poblete says, “As the State and Federal government jockey to regulate the industry, UAS operators, as well as manufacturers, should closely monitor these developments.”
The House version of FAA Reauthorization legislation has been stalled for some time now. Many reports point to disagreements over a proposal by the Transportation and Infrastructure Committee that would privatize air traffic control operations and place it under a non-profit corporation. This proposal was left out of the version passed by the Senate.
The debate will no doubt continue as research continues on UAS technologies as well as applications. Should companies begin utilizing cross-state delivery services via UAS, the regulatory landscape may drastically change and new safety and privacy concerns will likely develop. Regardless of support or opposition over FAA authority, the bill includes many provisions which outline further research and program development that will benefit the aviation sector as well as the general population.
More information on the Senate’s plans for the future of aviation can be found on the Senate Committee for Commerce, Science and Transportation’s summary of FAA Reauthorization.
The full text of the FAA Reauthorization Bill can be found here.
See Sec. 2124 for information on the effects on state and local regulations.
In 2012, the FAA was instructed by the Congress to create guidelines regulating drone operations in national airspace.2 For the most part the FAA has gone unchallenged as the governing body of air transportation mainly because boundaries and state lines don’t exist past a certain altitude making federal control over airspace logical.
However, more specifications describing the authoritative parameters will be necessary as a number of conflicting regulations have been passed on both the State and Federal level. Last year, 45 states debated 168 drone bills and 20 states passed at least 26 pieces of legislation related to civilian drone use.3
In May 2015, Sen. Cory Booker (NJ) introduced to the Senate the Commercial UAS Modernization Act (S.1314), addressing the extent to which the FAA can regulate Unmanned Aircraft Systems. The bill, which is currently under review, aims to amend the previous FAA Modernization and Reform Act of 2012 so that drone owners will be able to operate without an airworthiness certificate, currently outlined by the FAA’s notice of proposed rule making published in February 2015.4
The Commercial UAS Modernization Act is still in the works following the approval of legislation in February, which establishes an independent group outside of the federal government to update current air traffic control systems. The Aviation Innovation, Reform, and Reauthorization (AIRR) Act (HR.4441) also reaffirms the FAA’s authority as the nation’s aviation safety regulator. Critics of the AIRR Act point out that provisions of the current text would thwart potential innovation and expansion of drone technology by prohibiting flight of any drone made by unapproved manufacturers.5
As these various regulations and proposals overlap, control over airways, however, is typically a safety concern and does not include protection of an individuals’ privacy. In 2015, the majority of State laws and regulations passed pertained to privacy, gaming, and use by law enforcement.
Technology expansion, interstate commerce and airway safety, as important as they are, remain far less complicated than the underlying struggle between federal and state authority over the protection of an individuals’ privacy. The protection and comfort once associated with private property are now threatened by the possibility of low-flying drones capable of surveying and transmitting image and video content.
Historically, privacy and aerial surveillance laws have been largely a State issue. Statutory and Common Law protections against non-governmental intrusions, wiretap laws preventing the recording of images and/or conversations without both parties consent, and Peeping Tom and anti-voyeurism laws have been largely the responsibility of State governments.
Privacy protection in this sense is dependent on the law of that land which determine to what extent privacy is protected and enforced. States do not have a uniform definition of privacy nor do they have a uniform disciplinary action should privacy be encroached upon. These variations have raised concerns amongst the UAS community as drone operation is not restricted by State lines. Creating a successful nation-wide privacy protection policy would require extensive research and testing making it more than a long term solution.
Instead of prematurely assigning authority to one governing body or another, potentially dismantling all current privacy protection laws which have been established over hundreds of years of litigation, we should consider a more balanced approach and make adjustments as concerns present themselves. States are already addressing related matters in local courts and legislation, and through trial and error, successful policies will develop. Over time, once nation-wide information is available, we will be able to pick out location specific factors and see the universally applicable details.
As I have written in the past, a balanced approach between privacy interests and national security interests is critical in developing successful policies. Should compromise become one sided, making it “either…or” in terms of interest, i.e. either a privacy issue or a national security issue, then the resolution to this debate becomes more difficult to find.
In March, Representative Trey Gowdy questioned Bruce Sewell, the General Counsel and Senior Vice President of Legal & Global Security for Apple, during a House Judiciary Committee hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy”. The focus of the hearing was to examine the present issues which law enforcement faces in protecting the public should encryption technology be used for harmful purposes. An issue that has been highlighted by the FBI-Apple debate.
When addressing encryption, the working group should accept the following parameters:
Encryption technology is evolving.
Encryption technology is a necessity for businesses since companies of all sizes will become suspect to hackers.
The procedures to request encryption data must consist of vetting. This will require trust, a perception that many believe the Federal government is unworthy of.
Encryption technology is and continues to evolve. The rapid innovation in the technology sector is blatant. Any legislation that fails to take this into account will make the legislation obsolete, because the technology would have outpaced what the legislation intended to address. Instead of creating regulations based on current technology, Congress should take the regulatory humility approach . For more on regulatory humility see here.
Encryption is a business necessity. As we become more dependent on technology, we increase availability of potential targets for hackers. The encryption of personal information is one defense that an individual would have against hackers. The ability to protect private information will become necessary for average consumers forcing encryption software and technology to provide affordable options for the general public. Cybersecurity will no longer be considered a luxury. Any pending legislation that does not accept this fact will thwart the availability of defense against hackers to the general population.
The procedures for obtaining encrypted data requires trust. This is the proverbial elephant in the room. Here the Congress needs to address two issues; accountability and consequences. Despite the National Security Agency’s assurances that they are not monitoring US citizens, there is still a lingering doubt stemming from the Snowden disclosures. Any federal legislation that allows an agent of the US Government to have access to a persons encrypted texts or emails without proper vetting is highly suspicious. By proper vetting, I am referring to a strong legal standard that a government agency would need to show to the court in order to decrypt information. Obviously, a warrant is necessary. This vetting standard must take into account the balance of the two interests-privacy and national security.
The second issue of equal importance regards accountability. What would happen to an agent or agency that abuses power by accessing information without viable reason? History tells us that Presidents have used government agencies to go after enemies of the State. Acceptable encryption legislation that can be trusted by the public must include actual and tangible consequences for those who abuse such privileges.
