Discussions Over Drone Applications Must Include Security, Privacy

Boulder, Colorado is among the first cities in the U.S. advocating drone usage in semi-public spaces, but policy discussions are happening with little regard for security and privacy.

This Threatpost op-ed is part of a series of guest contributions from computer security research and policy experts. Today, we feature Kaspersky Lab’s Kurt Baumgartner. 

Boulder, Colorado’s Open Space and Mountain Parks winter photo gallery displays parts of the beautiful and productive 45,000-plus “open space” acres that buffer the city from sprawling development. At the same time, more than 30 percent of this acreage is leased out to industrial agriculture operations, and it’s on this land-air space that drone owners and customers want to push the boundaries of drone applications.

kurt_baumgartnerRecently, around 30 people gathered to discuss local regulation of drone use in this space. It seems that Boulder is one of the first cities in the nation pushing commercial- and research-purposed unmanned aerial system use in semi-public space. There are many benefits that Boulder speakers pointed out at the meeting. Speakers included Skip Miller, a man with decades of experience flying these systems and a pile of world championships under his belt, along with Colorado University professor Eric Frew of its UAS research center, and Dr Tom McKinnon of Agribotix, a drone-enabled agricultural company. Clearly, there was no lack of engineering and flying talent and experience in the room, and in the past, their drones have flown throughout the world providing:

  • vaccine drops in remote locations
  • precision agriculture like soil and water condition monitoring
  • fire search and rescue
  • severe weather data collection
  • power line and pipeline inspections
  • crop production forecasting and health monitoring
  • weed mapping
  • bridge and transportation inspections

At the same time, two near and dear topics received very disappointing attention: security and privacy.

They were swept aside by one speaker, who acknowledged that there may be significant issues before moving on to present photos from the open space website that include hikers and people and dogs enjoying the parks. Therefore, he concluded that privacy is something that has already been given up and the discussion doesn’t merit time and attention, like the discussion of drone benefits and how they are going to be used in open space.

But, this is how many of these discussions are going on around the globe. While security and privacy can consume an otherwise productive discussion of beneficial drone applications, dismissing the discussion is not an appropriate approach.

Security and privacy must be a part of any design stage from the start. Public hearings like this one must allocate for these concerns, and any mature design and implementation process involving public security and privacy issues must include an adversarial role that points out some of the potential risks that can arise from a hacker remotely compromising and controlling a drone.

Some of the scenarios include the impact of new drone traffic near the power lines and other infrastructure that cross open space property. Opening up drone flights may generate new risk for both unintentional and potential malicious damage to structure.

Tractors and heavy agricultural equipment may be guided or rely on drone communications. If that drone or those communications were to be disrupted, what impact would that have on heavy machinery running in parkland?

Drone paths may conflict with flying craft such as gliders, and there isn’t a simple way to provide recourse or resolution.

Drone takeovers are documented and feasible. And in many cases, the motivations have run from: “because I can,” to “because I am curious,” to “because I hate you.”

No doubt, personal privacy is at stake here as well.

Important questions need to be asked, and answered, such as:

  • Who may consume and handle drone data with potential monitoring of citizens, their whereabouts and their activities?
  • Can government-contracted identity and activity recorders consume this data?
  • And finally, who will enforce regulations regarding inappropriate drone operators who aren’t fully licensed or inappropriate drone flying activity?

Other scenarios to consider are whether drones are used to transport contraband material in and out of these parks, how are the drones identified and handled, and what happens if a drone is remotely hijacked to perform such activity and captured?

There are many more security and privacy issues that need to be addressed, and maintaining a reasonable, adversarial role in these discussions is a must moving forward.

Kurt Baumgartner is principal security researcher with Kaspersky Lab’s Global Research and Analysis Team.

Suggested articles