Privacy SOS

Federal law enforcement mishandles its own drone surveillance data, and now has the power to intercept yours without a warrant.

Over the objections of civil libertarians including the ACLU, President Trump last week signed the Preventing Emerging Threats Act, a dangerous law enabling the federal government to disable and wiretap drones whenever officials deem a device a “credible threat.” The provision on drones was included in the omnibus FAA Reauthorization Act of 2018, and will have a significant impact on drone operators nationwide by unreasonably empowering law enforcement to interfere with private drone use. Under the law, the Attorney General is granted broad powers to direct the warrantless tracking, interception, and destruction of civilian drones—completely independent of judicial oversight.

Despite sky is falling claims from administration officials who pushed for the measure, there is no legitimate basis for the broad power the statute grants to law enforcement. In addition to Fourth Amendment problems related to search and seizure, the law raises serious First Amendment concerns. After all, reporters have used drones to document storms, protests, and agricultural abuses. Under the new law, law enforcement may be emboldened to shoot journalists’ drones out of the sky under flimsy pretexts.

The expansion of federal law enforcement’s powers to seize and disrupt private drone operations comes on the heels of an inspector general report revealing serious problems with the government’s own drone use. In September, the Inspector General for the Department of Homeland Security (DHS) published a report revealing significant issues with Customs and Border Protection (CBP) drone deployments.

CBP’s border drone program operates out of Arizona, Texas, and North Dakota (previously the program also had a unit in Florida). In 2017, the program collected around 5,625 hours of sensitive data, which according to policy the agency will keep for up to five years. Despite this substantial surveillance collection, when queried by the inspector general, CBP was neither able to specify how many resources it has thrown into the program, nor whether the program has helped improve security at the border. Making matters worse, the report shows that CBP failed to get proper authorization for the program before putting it into operation.

The report also reveals that CBP has systematically failed to protect sensitive information it obtains from drone surveillance flights. At the inception of the program, CBP failed to properly classify the drone program and the sensitivity of the data it collected. These failures had a ripple effect, resulting in OIG recommendations that the agency seek proper authorization as a first step to address the agency’s ongoing mismanagement.

Before the OIG audit, CBP misclassified the program as “in development” rather than “operational,” and an earlier iteration of the program was shuttered after the OIG found that the CBP had not developed performance measures to assess program effectiveness, make informed decisions, or properly report expenses. For over a decade, the report shows, CBP executed surveillance missions using drones without adequate safeguards, approval, or oversight.

According to the OIG, CBP failed to issue privacy impact assessments on the impact of the drone program; lacks standard operating procedures; and has allowed unauthorized devices to connect with major information systems containing sensitive information derived from the drone program. The agency has operated these systems using software that had not been updated or patched since 2014 and continues to fail to implement adequate patching processes, the OIG finds.

Worse still, according to the OIG, CBP does not engage in continuous diagnostics or monitoring of the drone system, leaving it vulnerable to attack. Although CBP alleges that drone footage and other data do not identify individuals, the OIG report disagrees, highlighting that it could be used to supplement information collection about an individual – for example in the process of an investigation.

The risk here goes beyond how this data may be used by law enforcement in potentially unconstitutional ways. When CBP fails to protect sensitive data which on its own, in aggregate, or in connection with other information can be used to identify migrants and refugees, it potentially empowers those seeking to harm these vulnerable individuals. Despite this threat, the OIG report indicates that CBP has inadequate controls, untrained staff, outdated technology, insufficient policies and procedures, and no plan for responding to breaches or emergencies.

In addition, the report showed that software vulnerabilities were accompanied by physical vulnerabilities. The OIG reveals that facilities holding sensitive information were physically unprotected by low fences that “[anyone could] easily climb over,” and were subject to inconsistent and undocumented grants of access to the buildings. Finally, the report highlights that CBP staff are not trained for the informational tasks they are expected to complete, and astonishingly, that contractors could not name their government supervisors.

CBP’s unauthorized, poorly planned drone program produced a decade plus of surveillance data governed by insufficient and inconsistent information security controls. It is important to note that this report showed that CBP officials “chose the mission” over ensuring sensitive data was protected in accordance with the law, as if protecting privacy and complying with federal law and agency guidelines are not part of every agency mission. Only now, in 2018—years after the initial testing of the program in 2004—is the agency finally at the beginning stages of acquiring authorizations usually required before the start of a surveillance program run by a federal agency.

Given these failures, it is alarming that a new law gives DHS and the Department of Justice broad power to share information (obtained without warrants from private drone users) with each other and other federal law enforcement agencies. The law claims to empower law enforcement only to the extent that the First and Fourth Amendment permits. But clauses that grant the United States power to take possession of drone enthusiast’s property without due process and allow law enforcement to intercept communications without consent are inconsistent with that claim

Constitutional protections like the First and Fourth Amendment are intended to protect the public from harmful government conduct before it occurs, but the FAA Reauthorization Act’s Preventing Emerging Threats Act grants agencies the power to take action first and answer questions later—not unlike the disaster that is the CBP drone program. Instead of granting DHS and other law enforcement authorities dangerously broad new powers to intercept our drone communications, Congress should take a close look at the recent Inspector General report, and hold the agency accountable for its failures to protect its own sensitive drone surveillance data. Unfortunately, they’ve just given CBP the green light to make the problem worse.

This blog post was written by ACLU of Massachusetts Technology for Liberty intern Siri Nelson.

© 2018 ACLU of Massachusetts.