R.I.D. Spoofing and is it legal?

[msinger]

I cannot imagine the public at large being given access to FAA database

I'm not sure this would matter anyhow since most recreational flyers don't have their drones recorded in that database.

 

[brett8883]

I think that spoofing, as in planting a device that sends signals to intentionally trick people into believing a swarm of drones is flying around, is potentially a serious crime depending on specific facts and circumstances. If such a device can be readily built or bought, then the FAA may have created a worse problem than what they were trying to solve just like the guy in video says.

I 100% believe that if the spoofing actually causes fear or harm then there’s liability maybe even criminal liability. I don’t have any question on that. To me the question is can you be cited for this if you are just found to be doing it for the sake of privacy and security.

There are many things that are legal to use for certain purposes but are serious crimes to use depending on the specific facts. Take a knife for example. Perfectly legal to use one to chop up dinner, perfectly legal to own, but becomes use of a deadly weapon if used in conjunction with crime. However, knife use in and of itself is not unlawful.

There are other things like schedule 1 narcotics that (in federal law at least) are illegal in and of themselves and are illegal no matter how you use them simply for their potential to cause harm. Should RID spoofers fall into this category? Maybe, but I can’t think of something that falls into this group that doesn’t have a law specifically banning them.

What I am unclear on, is whether anyone with access to the FAA drone registration database could quickly verify whether any signal is linked to a real person. My hunch is that a spoofer might fool a cell phone app but not someone with immediate access to registration ID. What do you think on this?

One good thing that came out of RDQ vs FAA is that it legally answers this question. The opinion reads,

“A Remote ID message may only be matched to that nonpublic information and used by the FAA or disclosed to law enforcement outside of the FAA “when necessary and relevant to a[n] FAA enforcement activity,” Privacy Act of 1974; System of Records Notice, 81 Fed. Reg. 54,187, 54,189 (Aug. 15, 2016), and even then it is subject to “all due process and other legal and constitutional requirements,” Final Rule, 86 Fed. Reg. at 4433. The Rule does not otherwise authorize private or public actors access to drone owners’ or pilots’ nonpublic personally dentifying information, id. at 4433-34, nor does it permit or contemplate storage of Remote ID data for subsequent record searches.”….

The Rule authorizes the FAA alone to match the drone’s nonpublic serial number to registration information, which includes the owner’s name and contact information, and to use that personally identifying information only for airspace safety and security purposes relating to the drone’s operation. The Rule’s preamble specifies that “registration data pertaining to individuals is protected in accordance with the requirements of the Privacy Act (5 U.S.C. 552a).” 86 Fed. Reg. at 4433. Any use of Remote ID data, including by law enforcement personnel, “is bound by all Constitutional restrictions and any other applicable legal restrictions.” Id. at 4435; accord id. at 4433.

Consistent with those limitations, the Remote ID Rule does not, without further regulatory action, authorize law enforcement personnel to access drone owners’ personally identifying information separate from the FAA’s involvement.”
​

I read that to mean law enforcement aren’t going to be able to quickly cross reference that information, need a good reason to gain that information, has to be for an FAA violation regarding drone operation (not just general police work) and may even require a warrant but I’d like your take.

​

As far as the First Amendment, I would say that right to spoof is a stretch especially if motive is not to express view or opinion but to cause fear, disturbance, chaos or panic. At a minimum, it could be reckless endangerment. If it disrupts an airport or any commercial flight, I would think potentially very serious.

I don’t believe the first amendment protects speech that causes fear, disturbance, chaos, or panic anyway.

Spoofing being protected under the First amendment may be a stretch but in my opinion not any more than saying receiving RID signals in public is the same thing as viewing a license plate in public.

 

[Chip]

I'm not sure this would matter anyhow since most recreational flyers don't have their drones recorded in that database.

Can you explain what you mean. My understanding is that we must register any drone weighing over 249 grams and it must be equipped with remote ID which will emit a signal which will allow the FAA (or authorized user) to access the database and ID the owner very quickly. I was assuming that large number of owners have 249+ gram drones and thus are supposed to be in the database. What I was theorizing was that spoofing the public may be seen differently if law enforcement can quickly and easily discern real from fake.

 

[msinger]

Can you explain what you mean. My understanding is that we must register any drone weighing over 249 grams and it must be equipped with remote ID which will emit a signal which will allow the FAA (or authorized user) to access the database and ID the owner very quickly.

Recreational pilots are only required to register themselves (not their aircraft serial numbers). And then the FAA provides a single FAA registration ID to be displayed on the exterior of all aircraft owned by each pilot. DJI Fly (etc.) does not have access to that FAA registration ID, so it cannot be included with the RID information that is emitted from the aircraft mid-flight.

 

[brett8883]

Recreational pilots are only required to register themselves (not their aircraft serial numbers). And then the FAA provides a single FAA registration ID to be displayed on the exterior of all aircraft owned by each pilot. DJI Fly (etc.) does not have access to that FAA registration ID, so it cannot be included with the RID information that is emitted from the aircraft mid-flight.

The FAA requires you to enter the serial number of every standard RID drone and/or the serial number of all your RID broadcast modules so either way they have a serial number that can be cross reference with your registration.

 

[Chip]

Recreational pilots are only required to register themselves (not their aircraft serial numbers). And then the FAA provides a single FAA registration ID to be displayed on the exterior of all aircraft owned by each pilot. DJI Fly (etc.) does not have access to that FAA registration ID, so it cannot be included with the RID information that is emitted from the aircraft mid-flight.

In November of 2017, Verge published this video showing how a Ventura, CA airport employee, Nick Martino, used Aeroscope to not only track DJI drones, but to contact their registered owners using email registration data emitted by the drone and recorded by Aeroscope. I thought this was what the FAA's lawyer was partially referring to in the RDQ court hearing when he said that Remote ID will not give us any information we cannot already get with what we have.

So, where does access to or sharing of DJI registration data with US law enforcement fit into all of this?

The relevant exceprt in video begins at 1:30. The first Aersocope "hit" occurs around 2:42.

 

[msinger]

The FAA requires you to enter the serial number of every standard RID drone

Can you deep dive into this a bit more? Where exactly is the FAA requiring recreational pilots to enter their aircraft serial number?

 

[msinger]

So, where does access to or sharing of DJI registration data with US law enforcement fit into all of this?

Not sure. But, it seems the RID data would be useless without DJI's cooperation.

 

[Chip]

Not sure. But, it seems the RID data would be useless without DJI's cooperation.

Exactly, right. Ponder the implications.

 

[brett8883]

Can you deep dive into this a bit more? Where exactly is the FAA requiring recreational pilots to enter their aircraft serial number?

On your recreational dashboard in DroneZone you must add all your devices to your inventory.

Then it asks you to put in your serial number for each of your devices, all of your standard RID drones and all of your Broadcast Modules. You can use the same broadcast module for all of your drones without built in RID but each drone with built in RID has to be added to your inventory. It may not be called a registration but is.

This is only for recreational fliers since part 107 have to Register (big R) all of their drones.

 

[brett8883]

Not sure. But, it seems the RID data would be useless without DJI's cooperation.

Remote ID broadcasts the drone serial number, the serial number is registered with the FAA. Anybody that has the serial number from RID and the FAA database can find out anything they want about you

 

[msinger]

I haven't logged into my FAA dashboard in quite some time. Some more details:




From here https://www.faa.gov/uas/getting_started/remote_id:

 

[msinger]

Remote ID broadcasts the drone serial number, the serial number is registered with the FAA. Anybody that has the serial number from RID and the FAA database can find out anything they want about you

It'll be interesting to see how many people actually log into their FAA dashboard to add those serial numbers. I guess people are just going to know they have to do it?

 

[brett8883]

It'll be interesting to see how many people actually log into their FAA dashboard to add those serial numbers. I guess people are just going to know they have to do it?

When you register or renew your registration it will prompt you for this information and the FAA has been asking for this information on renewals and registrations for some time now. You can’t renew or register without adding at least one device.

So I guess as long you assume people are registering and renewing their registrations every two years like they are suppose to, it won’t be long that you will be able to claim ignorance. Honestly the whole, you only need one registration for all your aircraft was confusing to a lot of new people. It makes more sense logically that you have to register every drone just like any other vehicle. The good thing is you still only have to pay the fee one time.

 

[Chip]

I 100% believe that if the spoofing actually causes fear or harm then there’s liability maybe even criminal liability. I don’t have any question on that. To me the question is can you be cited for this if you are just found to be doing it for the sake of privacy and security.

There are many things that are legal to use for certain purposes but are serious crimes to use depending on the specific facts. Take a knife for example. Perfectly legal to use one to chop up dinner, perfectly legal to own, but becomes use of a deadly weapon if used in conjunction with crime. However, knife use in and of itself is not unlawful.

There are other things like schedule 1 narcotics that (in federal law at least) are illegal in and of themselves and are illegal no matter how you use them simply for their potential to cause harm. Should RID spoofers fall into this category? Maybe, but I can’t think of something that falls into this group that doesn’t have a law specifically banning them.

One good thing that came out of RDQ vs FAA is that it legally answers this question. The opinion reads,

“A Remote ID message may only be matched to that nonpublic information and used by the FAA or disclosed to law enforcement outside of the FAA “when necessary and relevant to a[n] FAA enforcement activity,” Privacy Act of 1974; System of Records Notice, 81 Fed. Reg. 54,187, 54,189 (Aug. 15, 2016), and even then it is subject to “all due process and other legal and constitutional requirements,” Final Rule, 86 Fed. Reg. at 4433. The Rule does not otherwise authorize private or public actors access to drone owners’ or pilots’ nonpublic personally dentifying information, id. at 4433-34, nor does it permit or contemplate storage of Remote ID data for subsequent record searches.”….

The Rule authorizes the FAA alone to match the drone’s nonpublic serial number to registration information, which includes the owner’s name and contact information, and to use that personally identifying information only for airspace safety and security purposes relating to the drone’s operation. The Rule’s preamble specifies that “registration data pertaining to individuals is protected in accordance with the requirements of the Privacy Act (5 U.S.C. 552a).” 86 Fed. Reg. at 4433. Any use of Remote ID data, including by law enforcement personnel, “is bound by all Constitutional restrictions and any other applicable legal restrictions.” Id. at 4435; accord id. at 4433.

Consistent with those limitations, the Remote ID Rule does not, without further regulatory action, authorize law enforcement personnel to access drone owners’ personally identifying information separate from the FAA’s involvement.”
​

I read that to mean law enforcement aren’t going to be able to quickly cross reference that information, need a good reason to gain that information, has to be for an FAA violation regarding drone operation (not just general police work) and may even require a warrant but I’d like your take.

​

I don’t believe the first amendment protects speech that causes fear, disturbance, chaos, or panic anyway.

Good points. Maybe a search warrant would be required to query the drone registration database. But maybe not because its a "voluntary" public broadcast.

---

Spoofing being protected under the First amendment may be a stretch but in my opinion not any more than saying receiving RID signals in public is the same thing as viewing a license plate in public.

Yes, I agree. Here is the 2020 "Advsiory" you found back in the old days (pre-RDQ decision) which made me think the Aeroscopes are illegal because they intercept electronic signals from the drone without permission or authority.

Advisory on the Application of Federal Laws to the Acquisition and Use of Technology to Detect and Mitigate Unmanned Aircraft Systems

https://docs.fcc.gov/public/attachments/DOC-366222A1.pdf

 

[brett8883]

What I am unclear on, is whether anyone with access to the FAA drone registration database could quickly verify whether any signal is linked to a real person. My hunch is that a spoofer might fool a cell phone app but not someone with immediate access to registration ID. What do you think on this?

@Chip I think I thought you were asking if LE would have quick access to this info when I responded above. On further reading, I realize that’s not the case.

To answer your question, the anyone with access to the FAA database will be able to weed out the fakes right away, assuming the real pilot registered. For people without the database it’s almost impossible if the spoofing is done right.

 

[mavic3usa]

It'll be interesting to see how many people actually log into their FAA dashboard to add those serial numbers. I guess people are just going to know they have to do it?

Yeah i didn't find out until later but I knew for quite some time now that this was a change. If you enter the details today (before September), I believe you can still choose NO for RID and therefore recreational pilots will have multiple drones listed on their account. However, my recreational list is empty because I'd rather visit when I have RID numbers to go along with them.

 

[brett8883]

Good points. Maybe a search warrant would be required to query the drone registration database. But maybe not because its a "voluntary" public broadcast.

---

I think RDQ makes it clear that information is protected.

Yes, I agree. Here is the 2020 "Advsiory" you found back in the old days (pre-RDQ decision) which made me think the Aeroscopes are illegal because they intercept electronic signals from the drone without permission or authority.

Advisory on the Application of Federal Laws to the Acquisition and Use of Technology to Detect and Mitigate Unmanned Aircraft Systems

https://docs.fcc.gov/public/attachments/DOC-366222A1.pdf

Dang that was a good find if I don’t say so myself. Looking at this again you can see why they removed the internet connection part from the proposed RID rule in the final rule.

“Are any acquired communications transmitted by a system that affects interstate or foreign commerce (e.g., a system that is connected to the Internet or a mobile network)?”

The internet connection in the proposed rule would have clearly been problematic according to the FAA itself.

This document here highlights exactly what the FAA was looking at when crafting RID. The FAA certainly seems think using RID without a court order very tricky and legally dubious at best.

 

[mavic3usa]

On your recreational dashboard in DroneZone you must add all your devices to your inventory. View attachment 166199
View attachment 166200
Then it asks you to put in your serial number for each of your devices, all of your standard RID drones and all of your Broadcast Modules. You can use the same broadcast module for all of your drones without built in RID but each drone with built in RID has to be added to your inventory. It may not be called a registration but is.

This is only for recreational fliers since part 107 have to Register (big R) all of their drones.

Just to be clear and for others who may be reading this, you only register the drone and you cannot register the module, correct? Meaning if you only owned one module and you didn't own any drones, you cannot make any entries into the database AND there are no entries ultimately in the database that don't have a drone (UAS model) filled in, right? Finally, if you have two drones and one module, you only have 2 entries: you have to enter the first drone plus the module (because the module is required) and then deactivate it (since you cannot have the same remote id serial number against different aircraft serial number) then enter your second valid pairing, correct? I guess I'm asking if this is allowed or not, please correct me. When you want to fly and switch up in the field, technically you have to go into the database?

This only makes sense that you cannot register neither a standard RID serial number nor a broadcast module serial number; these can only be assigned to a valid aircraft serial number. Or does it let you enter the same RID serial number against all of your drones that need a module as long as you are on the same account?

Sorry I have not tinkered with this because I have a lot to enter and I haven't done it yet.

 

[mavic3usa]

I think RDQ makes it clear that information is protected.

Dang that was a good find if I don’t say so myself. Looking at this again you can see why they removed the internet connection part from the proposed RID rule in the final rule.

“Are any acquired communications transmitted by a system that affects interstate or foreign commerce (e.g., a system that is connected to the Internet or a mobile network)?”

The internet connection in the proposed rule would have clearly been problematic according to the FAA itself.

This document here highlights exactly what the FAA was looking at when crafting RID. The FAA certainly seems think using RID without a court order very tricky and legally dubious at best.

It won't be long before law enforcement has an FAA virtual terminal located in the department complete with remote ID details available at your fingertips once you get past the official sign-in (dept credentials) and the court order affidavit screen (which will only take a few minutes to get a "warrant" or simply click on the "exigent circumstances" checkbox and presto!).

Mobile phones details used to be complicated; not anymore.

Thank you, Mr. Patriot Act.