The expanding use of drones over U.S. airspace has become a fast-growing national security topic and privacy concern. We asked our colleague Paul Rosenzweig, who co-authored a recent Heritage Foundation paper on drones, to weigh in. 

Flying drones—unmanned aerial vehicles—have been made famous by their use in the war on terrorism, notably through lethal strikes on terrorist targets in Iraq and Afghanistan. Such drones are a small fraction of those used by the United States today. There are thousands of drones, used for a wide variety of purposes, from scientific research to military operations.

Drones, mostly without a weapons capability, are employed by the government and the private sector. Because of the drones’ wide-reaching surveillance capabilities, however, even unarmed drones could threaten personal privacy and civil liberties. As the FAA develops regulations for the operation of drones in domestic skies, it must take into account constitutional concerns and privacy rights.

In a research paper for the Heritage Foundation, (see bottom of story) I and three colleagues gave some thought to what the right set of rules and regulations might look like.  Here, in summary are some thoughts about how drones should be used domestically.

First, we should consider the redlines or limitations:

• The use of drones in a military capacity (while armed) should be severely restricted to situations of actual invasion or insurrection.
• The use of drones for domestic surveillance of First Amendment activity is fundamentally at odds with U.S. constitutional principles.
• Drones equipped with novel sensor arrays ought not to be permitted absent a clearly demonstrated need and a careful consideration of countervailing privacy and civil liberties concerns.
• Drones should not be used as a platform for the collection of massive unstructured data sets that could form the basis for sophisticated tracking and behavioral analytics.
• Drones are unsuitable for use as a routine means of surveillance in non-threatening situations.

One of the unmanned aircraft used by the U.S. Border Patrol.
SOURCE: Inspector general’s report.

On the other hand, there are plenty of situations where domestic drone use is both sensible and practical and where our effort should be to authorize and regulate the use, rather than limit it or restrict it.  For example, consider these uses:

• Border Patrol Security
  • Long-term surveillance of a specified area or route
• Emergency Preparation and Disaster Response
  • Planning routes and anticipating vulnerabilities
  • Catastrophic effects and remediation planning
  • Emergency cell coverage restoration
  • Deterrence of criminal behavior in unpatrolled areas
• Agriculture
  • Crop dusting (pesticides) or infestation eradication
  • Monitoring of crop growth
• Maritime Domain Awareness
  • Long-term surveillance of a specified area or route
• Environmental Monitoring
  • Wildlife tracking
  • Monitoring droughts and flooding
  • Monitoring locks, dams, and levees in remote areas

The list can go on.  And of course in any such listing there will be value judgments and choices that need to be made.  So the fundamental  recommendation that the paper makes is for Congressional engagement.  After all, these are interesting, difficult and indeterminate choices we will be making – isn’t that what our elected representatives are for?

[field name=”drones”]

Good thing then that a new DARPA project has the same name!

DARPA (the Defense Advanced Research Project Administration) recently announced that it would be funding a project known as ADAMS (Anomaly Detection at Multiple Scales).  According the Homeland Security Newswire, “Researchers in a 2-year, $9 million project will create a suite of algorithms that can detect multiple types of insider threats by analyzing massive amounts of data — including email, text messages and file transfers — for unusual activity.”

That sounds a lot like the old Total Information Awareness program, a controversial data analysis program shelved by DARPA at Congressional insistence in 2004.

ADAMS seems like a new form government data mining, that may also be subject to Congressional scrutiny.  To learn more about data mining, visit “The Data Minefield,” Medill’s web-based resource bank for journalists and citizens who want a practical understanding of the issues.

The government says that it didn’t need one.  They argue that a person has no reasonable expectation of privacy in his travel on public roads.  After all, they argue, the police could have tailed Jones in an unmarked vehicle and they wouldn’t have needed a warrant.  Jones argues, however, that GPS tracking devices are uniquely intrusive — that they allow the government to collect a large volume of geo-location tracking data and use it to build a “mosaic” picture of a person, learning, for example, what church he goes to; what bar he drinks at; and whether or not he is a regular gym attendee.

The arguments before the Court reflected the challenge that the Justices will face in drawing lines.  They were concerned, for example, by the government’s acknowledgement that the logic of its argument would place no Constitutional limits on the ability to put a GPS in literally every car in America — including even the cars driven by the Justices.

On the other hand, Jones’ attorney had difficulty in drawing a firm line between visual surveillance and GPS surveillance.  Did the Fourth Amendment require the government to use an inefficient method?, the Justices asked.  Repeatedly the Court returned to the idea that the resolution for the problem might lie in legislation, rather than a constitutional rule.

The government lost the case in the appellate court and the Supreme Court will issue its opinion before June of next year.  Observers in the Court (including me) are deeply uncertain as to the ultimate result.

The Medill National Security Journalism Initiative has recently completed a project to develop resources for journalists on all sorts of issues related to the phenomenon of data mining — we call it “The Data Minefield.”  At the Minefield, reporters can learn the science of data mining; review new technologies; hear from the experts on how to find stories; and browse through a collection of resources about government data  mining projects.  The Jones case is just one example.  If you are interested in the topic, or just curious, The Data Minefield is for you.

My wife and I are on holiday in New Zealand and earlier today we took a domestic flight from Wellington to Nelson.  It was a short commuter hop — 30 minutes, across the strait separating the North and South Islands.  On the whole an utterly unremarkable experience, just like any number of flights we’ve taken before.

Save for one thing — no security.  We arrived for the flights with our e-tickets in hand, scanned them at a kiosk, dropped our bags off on the conveyor and walked to the gate.  No ID check; no metal detector; no X-ray of our carry on bags.  Probably no X-ray of the checked luggage but we couldn’t tell for sure.  We scanned our boarding passes again at the gate, but no ID check.  Nothing. In short, it felt like something from before 9/11 — and possibly even before the 1980s and the advent of hijacking.

It was so remarkable precisely because it was so unusual.  But as I sat thinking about it, I realized that it really was the reflection of a wise policy.  Had we been boarding for an international flight, we’d have gotten the whole 9 yards — ID, bag check, metal detector etc.  But New Zealand has made the risk assessment that their inter-island domestic flights are not realistic targets.  Though in theory just as vulnerable as any other flight, there simply isn’t a real threat of attack on that particular target.

And so they don’t waste time and money protecting something that doesn’t need protecting.  It’s comforting to see that kind of rationality in the world — even if we had to come all the way to New Zealand to see it.

In the end, maybe more than we realize.  Today’s cloud system uses “thin clients” — simple interfaces like Google’s Chrome system — with minimal independent computing power.  All of the data, software, and operating systems, software, and processing resources are stored in the cloud, managed by a cloud system administrator.

If that sounds familiar, it should.  We are, quickly, recapturing the system configuration of the early 1980s, when dumb terminals (little more than a screen and a keyboard) connected to a mainframe maintained by a systems administrator.  The administrator made the resource allocation decisions, prioritized work and controlled access to the processing systems.  So the translation is clear:  thin client = dumb terminal; cloud = mainframe.

That centralized system of control if fundamentally authoritarian.  Today’s internet structure empowers individuals.  On my laptop I have more processing power and data storage capacity than imaginable.  From here I can link to the web and communicate with anyone.  I choose my own software, save my own data, and innovate as and when I please.

In a cloud system or the old mainframe system, I make none of those decisions — my software is provided by the system administrator; who stores my data and controls what new innovations are made available. That’s a fundamentally authoritarian model where I lose much of the independence that has made the web a fountain of innovation and invention.

In a liberal western democracy, perhaps that is not a problem — after all, I don’t have to choose Google as my cloud provider if I don’t want to.  But in more authoritarian states, the trend toward the cloud will make citizens even less able to control their own destiny.  The internet empowered the liberty of dissent; we should be concerned that the cloud may take it away.

But what’s really a mess is how our Representatives (and, sometimes, the press) report these sorts of numbers.  They are always portrayed as absolute values and in that abstract context they seem immense.  Who, after all, could approve of 2,500 mistakes per year?

But the abstract context is just that — abstract.  Numbers have meaning only in a concrete context.  So how about this for context:  Domestically, there are approximately 2 million enplanements (passengers boarding aircraft) every day.   That’s roughly 700 million passengers a year, or 7 billion passengers in the 10 years for which the security breach data are reported (and bear in mind that this is every security breach however minor).  That’s an error rate of less than 0.0001%.  In what human endeavor is that considered a poor performance?

So … absolute numbers mislead.  What we really need to know is what the types of breaches are, how systematic the vulnerabilities are and what, if anything, TSA is doing to fix the issues identified?  Those are interesting questions.  Talking about numbers out of context is not.

When disaster strikes, a large number of resources need to be mobilized.  The larger the disaster, the more resources are needed, and the greater the need for coordination.  But given how infrequent large-scale disasters are (thankfully!) we don’t have a lot of practice with that sort of coordination.

The Federal government runs a robust training and exercise program that models disaster response by having all the players respond to a hypothetical disaster.  They run both small regional programs and, annually, a National Level Exercise that models a major catastrophe.  This year, NLE 2011 is an exercise that asks “what would happen if we had a major earthquake along the New Madrid fault line in the Midwest?”  The three-day exercise is scheduled to begin today.

The exercise is designed to test a range of government and private sector functions including: Communications, Logistics, Mass Care, Medical Surge Capacity, Evacuation, Emergency Public Information and Warning, and the activation of an Emergency Operations Center.  Participants will include the Federal government, eight states, dozens of local governments and the private sector.  When exercises like this are done right, they identify gaps and overlaps, produce operational familiarity and develop useful relationships.

As useful as planning and exercises are, sometimes reality intrudes.   Many States in the Midwest are in the middle of dealing with an historic flood of the Mississippi.  Others are still recovering from recent devastating tornadoes.  So even though “the show must go on” it will have to go on without them.

Instead of joining the national exercise with first responders simulating their activities, Tennessee, Alabama, and Mississippi will have to play the game virtually, sitting around a table making decisions;  they’re busy dealing with real life.

The rest of the states will play the game, responding to a simulated disaster, as if an earthquake had actually occurred.

Meanwhile their colleagues in the South will go about the grim business of responding to the real disasters of tornadoes and flooding — and in their own way, demonstrating why planning and exercises are so vital.

The change was announced in late January and state and local governments, airports and other transportation hubs were given 90 days to make the transition to the new alert system.  On Thursday, the Department of Homeland Security rolled out the system to the general public.

Under the system, an elevated threat “warns of a credible terrorist threat against the United States,” and an imminent threat “warns of a credible, specific, and impending terrorist threat” against the country.  Americans will be able to subscribe to a new National Terrorism Advisory System (NTAS) and follow the government alerts on Facebook, Twitter, or through an email alert system.

So, is the system an improvement?  That remains to be seen.  In one sense, any system that replaces the benighted color coded threat system is an improvement.  And the new NTAS may be little more than a politically expedient way-station for the government as it walks away from an alert system that is no longer sustainable but that cannot be eliminated completely without political fallout.

It is also possible that the NTAS may actually prove useful to the public.  If the new alert system is more specific than the earlier color-coded system in defining the threat it is to be effective.  The system has that promise – DHS says it will try to give threat information that is narrowly targeted at a geographic region or a specific sector of the economy, and that’s a good thing.  It will be of great value to know, for example, that there is an elevated threat to, say, dams in the Rockies.  It’s of far less value to know that the overall threat to the country is elevated.

One other clear improvement is planned.  Each new NTAS alert will come with a built in sunset provision that says how long the alert lasts.  No longer will we have to live with expired alerts that linger simply because nobody has the authority to end them.  So in the end, NTAS will give us something good:  At a minimum we should stop hearing the  incessant announcements at the airport that “DHS has determined that the current threat advisory level is orange.”  What could be bad about that?