By Jon Hegranes, founder and CEO of Kittyhawk
This commentary was first published on the Kittyhawk website (https://kittyhawk.io/blog/data-security-the-critical-foundation-for-remote-id/) on 29 January 2020 and is reproduced with kind permission of its author.
There’s a lot to unpack from the FAA’s NPRM on Remote ID, from the basics to the misconceptions, but arguably the most important piece of Remote ID will be data security and how your data will be handled — both as a drone operator and as a user of Remote ID apps for identification use cases. These are details yet to be worked out and finalized, so you won’t find many specific references in the NPRM. The important piece to note from the beginning is that we already have a foundation for data security in LAANC and the role of a UAS Service Supplier (USS) to be a steward of public data while also being a proxy for the FAA and Air Traffic Control.
LAANC has been a game-changing technology for the industry to safely and efficiently gain access to controlled airspace at scale. Users love the clarity and peace of mind getting an authorization provides. At the same time, they want clarity that helps them understand what mobile apps can do with their data, how that data can be accessed, and where that data is stored.
This data security and ownership element, perhaps more important than things like price or usability and design, will be a growing consideration for how users choose their Remote ID partners. Just as some people favor Firefox over Chrome (or vice versa), users will look to data security and related privacy policies in the context of broader service features to choose the ideal Remote ID USS for their operations. With LAANC there are already a number of different models from free to paid to private, and there is a lot of room for further innovation and differentiation as new Remote ID solutions emerge.
Since the NPRM was published, we’ve been engaging with our customers and community to gather your feedback and input. If you haven’t already, please take a few minutes to fill out our survey, as these results will be incorporated into and inform our public comments on the NPRM.
Below are a few topics I wanted to highlight to aid in the continuing conversation about not only this NPRM, but also what Remote ID will look like in practice.
Remote ID data is not ephemeral
All Remote ID data, including both broadcast and networked, has the potential to be seen and thus stored. Some very astute and security-conscious customers have been spot on to bring this point up in our conversations. It’s easy to assume that this data is ephemeral and washes away, but there will certainly be the ability to store and aggregate Remote ID data. This makes the role of the USS central in ensuring a) that no PII is broadcast or transmitted and b) that users can choose what data they broadcast.
Only regulators and law enforcement officials should be able to put the pieces together in an investigation. Private companies, including Remote ID USSs, do not need to have all the information, and the public should have enough information to make what they want to report to law enforcement actionable.
Users need control of data anonymity settings
Early indications of our survey show a strong preference towards using an anonymized Session ID as opposed to an aircraft’s serial number, for example. Because all Remote ID data (network and broadcast) can be aggregated by different users and apps, it’s imperative that users have the ability to select what data they share and to what audiences.
In our work with the ASTM (standards body) and InterUSS (open source UTM initiative), we’ve heard over and over again that customers are willing to share more information with law enforcement than with the general public. When CNN used the Kittyhawk Remote ID platform in last fall’s InterUSS demonstration, for example, we spent a lot of time working out the scenarios and what type of data a news organization would want to share with first responders versus what was seen or communicated to the public.
Clear privacy policies
In the NPRM, there are mentions of the potential for Remote ID apps for law enforcement and the general public. These applications will be critical to complete the loop of Remote ID and provide useful information to all stakeholders of the National Airspace System (NAS). However, because these applications will be in the pockets of police officers and used by the masses, the data that these apps collect, track, and store need to be clearly spelled out for users. Of note is not only the data these apps can track as it relates to drone and aircraft activity, but also the data tracked about the users themselves.
These apps are going to require location information and access to key functionality of mobile devices. All users of these Remote ID apps, especially those focused on law enforcement, need to understand what the mobile app is tracking about their behavior, not just the drones. Theoretically, a Remote ID app could have total visibility of a police force and where officers are located. Care and attention need to be paid to the rights and permissions, whether app users are tracking package deliveries or monitoring non-compliant drone flights.
Remote ID is ultimately about expanding trust in the national airspace. Clarity and control around identity, integrated into seamless user experiences, are what will help it get there.