To provide context to the FISA, one must have at least a wavetop understanding of Constitutional Law (CONLAW). The Fourth Amendment to the U.S. federal Constitution provides for, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,” absent a particularized warrant based on probable cause (PC). There are judicial exceptions to the warrant requirement. These include exigent circumstances (imminent danger to life, fleeing felon or imminent destruction of evidence), consent searches, search incident to arrest, stop and frisk, plain view, and the automobile exception.
Several Supreme Court of the U.S. (SCOTUS) cases involving 4th Amendment privacy law, in the areas of “Notice and consent? and persistent tracking, are relevant to this discussion. In U.S. v. Miller and Smith v. Maryland, SCOTUS upheld the idea that voluntarily consenting to provide information to third party providers (in Miller, a bank and Smith, a cell phone company) obliterates one’s reasonable expectation of privacy. U.S. v. Jones, which held that police use of a GPS tracking device required a warrant, raised the specter that persistent geolocation tracking could constitute an invasion of privacy.
In the recent case of Carpenter v. U.S., SCOTUS found that the police must obtain a warrant to access cell site location (geolocation) information (CSLI). CLSI is created both actively and passively every time a phone communicates with a cell tower. The case addressed the Electronic Communications Privacy Act (ECPA), not the FISA. The ECPA’s protections for the privacy of stored communications? content and related non-content information are triggered under a standard lower than the PC required for the FISA (discussed more below). Writing for the majority, Justice Roberts keyed on the fact that privacy must be guarded even more so in the face of new technologies. Backing away from the “Notice and consent? line of reasoning, he specifically stated, “An individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI.” Specifically, he found that “Time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his “Familial, political, professional, religious, and sexual associations.”? Thus, the location information obtained from the defendants? wireless carriers constituted a search requiring a warrant.
The FISA authorizes foreign intelligence collection. It enables the Intelligence Community (IC) to conduct electronic surveillance or other authorized activities targeting foreign powers and/or their agents, operating both inside and (by amendment) outside the U.S., using a special court called the Foreign Intelligence Surveillance Court (FISC). Those agents could be U.S. persons (USPER). USPER are defined as U.S. citizens or lawful permanent residents, as well as U.S. corporations and unincorporated associations where a substantial number of members are USPER.
To understand the FISA and how it does or does not interact with the NPRM, one must understand the definition of electronic surveillance in 50 U.S. Code ??1801. At the expense of oversimplifying things, in short, in part, it involves the acquisition by an electronic or other, device of wire (or radio communications) involving USPER in the U.S. (and by amendment, outside of the U.S.), where the person would have a reasonable expectation of privacy and a warrant would be required for law enforcement purposes. Thus, those 4th Amendment cases above are key.
Traditional FISA (Titles I and III) allows the IC to request the FISC to grant an individualized judicial order allowing for electronic surveillance of persons, facilities, or property and physical searches inside the U.S. for foreign intelligence or counter-intelligence (FI/CI) purposes. Under both titles, the government has to make a detailed showing of PC (for TI, reason to believe that target is a foreign power/agent and that location or property is to be used by that power/agent; for TIII, that location is about to be owned, used, possessed by, or in transit to or from a foreign power/agent). The government must also show that steps are being taken to minimize collecting USPER information.
The FISA Amendments Act of 2008, Section 702 et.al. is in Title VII of the statute. It permits the government to surveil foreign persons located outside the U.S. to acquire FI information, with the “Compelled assistance of electronic communication service providers.” Importantly, Section 703 permits the IC to target a USPER who is located outside the U.S. but where the collection is conducted inside the U.S. This could come into play if the USPER is able to fly a drone in U.S. airspace, but he/she physically remains outside the U.S. On January 19, 2018, in the FISA Amendments Reauthorization Act of 2017, Congress reauthorized the FISA Amendments for six more years.
The RID Information Target
Most of us know by now that the NPRM creates three types of UAS based on RID: Standard RID, Limited RID, and No RID. RID requires transmitting “Message elements? via a third-party UAS Service Supplier (USS) – similar to a cell phone service provider – using either broadcast and the internet (Standard) or only the internet (Limited) These requirements apply to USPER and foreign-registered (typically foreign-owned) aircraft. Message elements which would be stored with USS? include:
- UAS identity – manufacturer-assigned serial number or USS-assigned Session ID (randomly-generated alphanumeric code assigned on a per-flight basis)
- Control station latitude and longitude
- AGL UAS latitude and longitude (Standard RID only)
- Control station and UAS barometric pressure altitude
- Coordinated Universal Time (UTC) time mark
- Emergency status indicator
With regard to these message elements, the FAA’s draft Privacy Impact Assessment states that “Prior to collection of any information on individuals, it will provide notice to individuals about its practices for the collection, use, and dissemination of an individual’s PII on any information collection instrument. It will do so either by revising an existing SORN or creating a new SORN to cover the collection of this information.”
A SORN is a System of Records Notice, which the Privacy Act, 5 U.S.C. 552a, requires each agency to publish notice of in the Federal Register, relating to any system of records under agency control from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. Agencies may specifically permit disclosure of certain records or information, under the Privacy Act, outside of the agency as a routine use pursuant to 5 U.S.C. 552a(b)(3). Thus, the release of message element info to law enforcement (and, by extension, to the IC) will be covered by a SORN as a routine use, if it’s not already covered under an existing one.
The NPRM also contains requirements for registration information the IC could cross-reference with message elements “In near real-time.” USPER / aircraft registration information, under Part 89, includes:
- Aircraft manufacturer model number
- Aircraft serial number
- Registration number (U.S.)
- Applicant mailing address
- Applicant physical address
- Applicant telephone number
- Applicant email address
Under the Privacy Act, the FAA has already codified a SORNin the Federal Register that providing UAS registration information to law enforcement is a legitimate “Routine use,” if “Necessary and relevant to a FAA enforcement activity.”
Under the NPRM, those operating foreign civil UAS would need to submit a “Notice of identification? to the FAA Administrator (? 89.130(a)) that includes all the same information as required under Part 89 for USPER plus local US physical address and telephone, country of registration and related registration information.
Also as proposed by the NPRM, the public would have access to all message element information. Additionally, the IC and law enforcement would have access to triangulate message elements and the registration info (U.S.) or notice of ID information (foreign) through an App or some electronic means (which may not yet exist).
Finally, because the NPRM requires USS to publicly post message elements, it is a safe assumption that the terms to access USS services will include consent to release information to security agencies and law enforcement.
Spooks and RID
The point of the FISA is to protect folks in accordance with the 4th Amendment. So, is the NPRM illegal under the FISA, as some commenters have posited?
On the one hand, the public nature of the message elements, the likely USS “Consent to release? and the SORNs arguably combine to significantly reduce, if not eviscerate, the reasonable expectation of privacy in the information. If there’s no reasonable expectation of privacy, a warrant is not required for law enforcement. This is key to the definition of electronic surveillance and also to triggering the FISA warrant requirement.
In Miller and Smith v. Maryland, providing consent to a third party, who could release your information, was sufficient to dissipate one’s reasonable expectation of privacy. However, both Jones and more recently, Carpenter, point to increased privacy protections in scenarios involving advanced tech and geolocation. Carpenter, in particular, involved cell tower data, which seems pretty on point with regard to both RID message elements being stored by USS and registration data being stored by the FAA, which under the NPRM includes an operator’s cell phone. Important to note that the SCOTUS struck down law enforcement’s search in Carpenter under the ECPA, which has a lower standard of proof (reasonable suspicion) than under the FISA (PC). This means that in a similar situation, the argument for a warrant under the FISA would be even more compelling.
As with any case to be decided under the law, facts matter, as those facts will drive how the law applies in the specific situation. If there were a known and imminent terror attack, and this constituted exigent circumstances, then under the 4th Amendment, a warrant would not be required for law enforcement. Under the FISA, then, neither would one be required for the IC. Contrast this with a non-urgent, “Case-building? scenario, where the security community has the time and space to gather evidence, watch and wait. In this scenario, the persistent nature of the tracking would lead one to believe that a warrant would be required for law enforcement and also for the IC under the FISA.
Only Time Will Tell
The bottom line, in my view, is that on its face, the NPRM does not “Violate the FISA,” as some have claimed. However, how the IC executes its mission with respect to the information accessible through the RID Rule (message elements + registration) will be the determining factor. While the Rule purports to give the IC unfettered access to information, it does not dictate the procedural path by which they would obtain it. A regulation cannot override the Constitution or a statute (the FISA). The Constitution stands above statutes, which, in turn, supersede agency regulations. A regulation that violates the Constitution or statute(s) is invalid. Merely because the NPRM would provide the IC access in “Near real-time? to RID message elements and registration data does not mean that the IC could so so illegally without a FISC warrant, in the appropriate circumstances. If, however, the IC uses the RID Rule to obtain unfettered access to USPER information and conducts persistent surveillance in a manner that appears to circumvent the FISA, litigation will surely ensue. It remains to be seen if that day will come.
It is worth footstomping that the IC exists to protect us from terrorists. The FISA was written to protect Constitutional rights in the context of FI/CI activities. If foreign powers or their agents (who could be USPER) are using drones as a means to threaten our national security, then surely we want the IC to have access to the aircraft registration data, a notice of identification information (for foreign aircraft) or message elements to properly address that threat. The IC would just need to do this correctly. Presumably, the professionals in that community, many of whom I’ve personally worked with and respect, would do just that.
About the Author
Dawn M.K. Zoldi (Colonel, USAF, Retired) is a licensed attorney, a 25-year Air Force veteran and the founder and CEO of P3 Tech Consulting, connecting people and their advanced tech platforms with full-spectrum policy-relevant information. She is an internationally recognized expert on unmanned aircraft system law and policy, and a recipient of the Woman to Watch in UAS (Leadership) Award 2019.
Mandatory Disclaimer: *The views and opinions in this article are those of the author and do not reflect those of the DOD, do not constitute an endorsement of any organization mentioned herein and are not intended to influence the action of federal agencies or their employees.