Confusion over FAA drone registry results in privacy problems

Drone owners' names and addresses are public if they register in the wrong place.

Correction: This story states that the FAA's new drone registry database is searchable and exposes the private data of citizens and hobbyists. Currently, this is incorrect. The drone registry is not searchable at this time, as stated by the FAA's website -- though the agency has also said it will be searchable in the future. What is searchable is the registry for commercial plane operators, which can be easily confused with the new drone database. The results for private citizens that turned up in searches were found due to drone owners mistakenly registering their aircraft in the wrong database -- one intended for tracking commercial craft -- which left their information exposed.

The FAA is delighted that signups for its new drone registry have hit 300,000. But the agency's buoyant mood is destined for a nosedive. The FAA isn't warning drone owners their names and addresses are easily searchable and downloadable (47MB) in the agency's online registry.

The FAA states its UAV (unmanned aerial vehicle) database "is not searchable at this time." But that's simply not true. It is currently searchable by serial number, the FAA's N-number, drone make or model, or a person's name. While drone owners must be 13 years old to register, the privacy threat posed by this registry is particularly concerning for minors -- for obvious reasons.

Entering the name of a common drone model returned a couple hundred results. Narrowed down to one Texas county with four registrations, one was to an LLC, another to a university, and two were private citizens (one female) who probably didn't know their names and addresses were going online.

This registry now is required for "individual recreational or hobby users" of drones. Failure to register is punishable by civil penalties (up to $27,500), and criminal penalties "up to $250,000 and/or imprisonment for up to three years."

Accountability for none

The FAA said in a press release that the registry is for educating drone users about airspace rules and to "understand they are accountable to the public for flying responsibly."

One might think that by "accountable to the public," the FAA is indicating a public registry of who owns and operates a drone would deter operator misdeeds. Like if someone wanted recourse after spotting a drone observing them through a bathroom window, while sunbathing on their porch, or lurking while their kids played in the backyard.

Well, good luck trying to hold malfeasant drone operators accountable with the FAA's registry. A victim would need to down or capture the drone, and then find the FAA registration number (which can be placed within a battery compartment).

The FAA registry requires drone operator's "complete name, physical address, mailing address and an email address."

Typically, wealthy plane owners and operators create LLCs to own their planes, thereby obscuring their identities and addresses in the registry. That appears to be what some drone owners are doing with the new registration requirements as well.

So the FAA's database doesn't really have a path to accountability for spying victims. But it does lend itself easily to other uses. If someone wanted to target registrants with female-sounding names in Alameda County to harass them, market to them, or put them in a database and sell to people-finder sites (like Intelius), or sell on a darknet for any number of things, consider it done. If a violent person knew the first and last name of someone he or she wanted to harm, someone who also owned a drone, that attacker would have little trouble tracking them down.

A game of privacy "Who's on first?"

FAA Administrator Huerta Discusses Federal Drone Registration Process At CES

The FAA refuses to address drones and privacy directly. Meanwhile, the issue has become a problem that must be acknowledged and solved, whether in commercial, consumer or government use. By the time the agency sent out its release, it had already openly dismissed concerns being voiced by operators and privacy organizations, saying privacy "issues are beyond the scope of this rulemaking."

Organizations like the Electronic Privacy Information Center (EPIC) have been trying to get the FAA to establish privacy protections around drones, and in 2015 concluded the agency was purposefully ignoring privacy concerns. In 2012, EPIC joined more than 100 organizations, experts and advocates in petitioning the FAA to address the privacy and surveillance implications of UAVs. The FAA denied EPIC's petition in 2014, saying that drone privacy implications "did not raise an immediate safety concern."

Foreshadowing its registry plans, the FAA stated at the time, "The FAA has begun a rulemaking addressing civil operation of small unmanned aircraft systems in the national airspace system. We will consider your comments and arguments as part of that project."

The FAA decided to apply the word "consider" very loosely when it implemented its drone registry -- in fact, the agency omitted the public comment period prior to the registry's implementation altogether. That little sleight of hand really riled the Washington, D.C.-based Competitive Enterprise Institute, which said the FAA violated federal requirements by not allowing public comments on its drone registration plan.

CEI transportation policy expert Marc Scribner said in a statement, "The FAA's claim that complying with notice and comment requirements for small drone registration regulation is 'impracticable and contrary to the public interest,' so that it can therefore ignore them, is as predictable as it is absurd." He characterized the action as "unlawful" and that by doing this, Transportation Secretary Anthony Foxx and FAA Administrator Michael Huerta "are practically demanding litigation."

Drone operators and privacy organizations have continued to campaign against the registry, objecting to the omission of a comment period, the fees and the privacy implications of the public database.

A registry like no other

The FAA's drone database is dramatically different is from other registries for licenses or property ownership.

For instance, you can use a car to spy on, film, deliver things to or even kill people. You can't search or download vehicle registration databases. Car-registration inquiries vary by state but they all require verification that you're the owner, and even after that none of them display personal information.

The FAA and drone makers like DJI began encouraging people to register their drones beginning Dec. 21, with a deadline of Feb. 19, 2016. Without a doubt, the FAA's database is on course to contain more registrations for drones than full-size planes.

None of these entities warned drone owners about the privacy threats represented by the registry, nor have they taken precautions to prevent unauthorized use of this database. The failure to protect registrants' privacy here, with this database, is truly a nightmare.

[Image credits: FAA press conference, courtesy Getty Images]