A Comprehensive Approach to
Countering Unmanned Aircraft Systems
Part IV – Legal Perspectives
Regulatory Frameworks in Support of Counter-UAS
By Dr iur. Ulrich Dieckert, GE, Dieckert Recht und Steuern GbR
Translated by Benjamin Sauer, GE, German Federal Office of Languages
Effective Defence against threats by Unmanned Aircraft Systems (UAS) requires timely detection and ranging. The determination of intended threats and unintended violations of rules and regulations is of significant importance. The technology available is prevalently more developed than the legal framework. Hence, detection and defence systems need adequate legal consideration: it has to be checked, whether the system is admissible from a legal point of view and/or whether new regulations need to be created or existing ones need to be amended.
This article will therefore mainly focus on discussing the above-mentioned questions. This chapter will first consider the current legal framework and then move on to discuss possible future legal solutions to the questions at hand.
To avoid a detailed discussion of the respective regulations in national laws, we will focus mainly on European law, and only touch upon national law where necessary.
Subsequently a special focus beside the European legal framework will be put on those legal principles which are implemented in all democratic systems, e.g. self-defence and the legal doctrine of self-help, protection of personality rights and personal data as well as guaranteeing physical integrity and the protection of property.
Existing Legal Framework
Defence of common security and order against threats is subject to the state monopoly on the use of force and predominantly attended by (national) police organizations with support of military forces in special situations. The prerequisites for military activities for homeland security are a matter for national determination. Since this topic is discussed in another article in this book, the legal privileges and competencies will not be a subject of this article.
In exceptional cases, the citizen can also use force if he/she finds him-/herself in a self-defence situation. Such a situation is only, if a present unlawful attack against a legally protected right of the citizen cannot be averted in any other way.
The law recognizes various reasons for justified self-defence. These can be violations, among others, against the honour of a person, against the general personality right, or trying to commit trespassing or criminal damage.
Especially attacks with UAS or drones deliver many threats and violations against common and individual rights, e.g. integrity of the home by unauthorized overflights or landings as well as filming or taking photos without permission. These activities can affect secrecy, economic issues as well as health and life and violate personal rights. A further example of a threat would be preparing or setting off an explosion.
Self-defence is also allowed in cases of threats against third persons‘ rights. This principle is called necessity as justification.
If a drone is approaching and justifying reasons can be excluded (e.g. inspection flight), as a general rule, one has to assume that a present illegal attack is underway. This is, because it has to be assumed that a violation of rights is immediately impending. A defence is justified, if it is suited to defeat the attack and it represents the least restrictive means available in the present situation. The attacked person, however, does not need to use a means he/she deems insufficient to achieve success, i.e. to defeat the attack. Because informing the respective authorities whilst a drone is approaching and asking for help will normally not work out time-wise, the attacked person will regularly be allowed to use robust defences up to shooting down the drone (if he/she cannot find cover). In this situation, neither criminal damages (against the alien drone) nor tort damages are given. This is even the case, if the attacked party overreacts in his/her defence out of confusion or fear or if he/she imagines a situation that would justify a defence, but it is not proven to be the reality (legally considered a mistake in fact). Here, the behaviour cannot be justified, but is excused under the law. Seeing that targeted drone attacks are a new threat, and further considering the speed with which they happen, misjudgements and irrational reactions are to be expected.
Nevertheless, self-defence is not a sufficient legal framework, especially for enterprises, when trying to establish regular drone defence systems. That is, because the burden of proof (i.e., that a self-defence situation existed and that the act of self-defence can be excused) lies with the attacked. Further, there is a real danger that the rights of third parties might be infringed or violated – be it due to the inexperience of the company’s personnel or simply their personnel overreacting. In any case, this cannot be in the interest of the enterprise, namely for publicity reasons. Therefore, as long as there is no legal framework that expressly allows companies the operation of drone defence systems, companies should refrain from using robust defences.
This is currently also true for the use of jammers, with which the radio contact between drone and pilot is blocked, disrupted or heterodyned to put the drone into ‘fail-safe-mode’, which in turn initiates an automated landing. Currently, only authorities have the right to jam radio traffic under national law, and only in very narrowly defined exceptions; certainly, citizens or companies are not allowed to do so. This ‘destructive use’ of radio frequencies would run counter to the general principles of telecommunication law. Furthermore, such a usage would also run counter to the basic principles of the European Radio Equipment Directive 2014/53/EU as well as the Directive on the Harmonization of the Laws of the Member States relating to Electromagnetic Compatibility 2014/30/EU. These regulations demand that electrical means of production have to be designed in a way that guarantees that its electromagnetic interference does not reach a level where the normal use of other means of production is not possible anymore. Furthermore, radio installations must not represent a danger to the health and safety of its users and third parties. Unsurprisingly, no case has come to light in Europe yet, where the use of a jammer in a civilian, private environment as a protection against drones has been permitted by the respective authorities. Additionally, a basic problem of all jamming techniques is, that its use is only effective if the drone is in remote or GPS navigation mode. In such a case, the radio signal between pilot and drone respectively the data synchronization between GPS and the drone can be detected and then jammed. If the drone, on the other hand, is used to execute a pre-programmed attack, it cannot be diverted from its pre-programmed flight path.
On the other hand, the civil usage of preventive systems, that serve to detect, verify or identify drones, is legal. Most of the models available on the market use so-called multisensor-datafusion: this system analyzes the data collected (images, audio, radio frequencies) by running it through its internal software to compare it with technical data about UASs available from a database. Only in this way it is possible, to not only detect the approaching UAS, but also to allow to separate it from other flight objects that are not considered dangerous. As well, the so-called „drone DNA’ can be identified (information regarding type, weight, possibly technical outfit and the load it is carrying).
Nevertheless, the devil is in the (legal!) details here as well. For one, preventive systems are also radio systems under European law, insofar as these devices can receive and analyze radio frequencies respectively Wi-Fi signals. Under the respective legal requirements set by the EU, such devices can only be put on the market and be operated if a conformity assessment test was conducted and the devices received the respective CE-label. This is true for most of the systems available on the market. Because these systems do not send their own radio signals, but just receive Wi-Fi and radio signals (namely drones and their control units), they are generally in line with national rules on the allocation and use of radio frequencies.
On the other hand, when operating such devices personality rights and data protection laws have to be considered as well, if audio and video data are collected that allow conclusions as to the identity and behaviour/movements of natural persons (so-called personalized data). It should be avoided, e.g., that a drone operator enters the coverage area of a CCTV camera respectively that conversations of personnel or third parties are recorded by the device. In the latter case, there might even be legal consequences in criminal law, since it is generally prohibited by law to record or wiretap the spoken words of other persons (violation on the confidentiality of conversations). However, such potential violations of the law can easily be prevented, because video cameras as well as audio recording devices are directed toward the airspace so that the recording of personalized video images or audio material is effectively nearly impossible.
Localization and Capture of the Drone Pilot
Finally, one part of the preventive measures also is the immediate access to the drone pilot once his/her position has been localized via RF sensors (which can be done via the radio contact of the drone with said sensors). Given the relatively short-range of multi-copters, the range is probably limited to a radius of a few kilometres around the attacked object/premises. If, plant security is well-trained, and is able to move quickly, the localization and securing of the drone should only be a matter of minutes. In this way, an ongoing attack can probably be interrupted and – in any case – future attacks by the same drone pilot, using the same drone, can be prevented.
Such infringements on individual rights are justified in most legal systems through the institute of self-help/self-defence. If an attacker is caught red-handed, every citizen is allowed to arrest the attacker for the time being -without a warrant- if the attacker could otherwise flee or prevent his identification. Furthermore, the attacked person(s) is justified in taking away an object (which could be a drone for our purposes) or in destroying or damaging the object, hence using robust force, if the following condition is met: the police or other authorities will probably not make it to the scene in time to prevent further damage or infringements to the attacked person and/or his/her property and rights. This includes the right to use direct force (physical violence) against the attacker him-/herself, if said person resisted the arrest; and the right to damage or destroy the drone or its control unit, if the risk of repeating is given. Of course, self-defence is not limitless: it is only allowed to end the immediate threat. Following this, the respective authorities have to be notified to allow them to initiate the necessary measures.
As presented supra, even under the current law a number of countermeasures against drone attacks are permitted for use by not only state actors, but also by citizens and institutions. Nevertheless, there is a need for further regulations, for one in the field of detecting dangerous attacks, but also in relation to possible defences against them, seeing the steadily increasing number of drones and its potential for dangerous situations. Concerning this field, the new European drone law offers a range of regulations which could improve the detection and drone defence against uncooperative drones in the member states if the regulations are correctly implemented.
The New European Drone Law
The EU passed two new regulations in 2019, both of which are to regulate the future operation and the technical configuration of UAS in the European member states. These regulations are based on Section VII of the EU Regulation on common rules in the field of civil aviation and established a European Union Aviation Safety Agency ((EU) 2018/1139, 4 July 2018), in which -for the first time- basic rules for UASs are identified including the authorization to pass further regulations on this basis. This refers to the Commission Implementing Regulation on the rules and procedures for the operation of unmanned aircraft ((EU) 2019/947, 24 May 2019), which defines UAS categories of operation, creates rules as to the operation of UASs, names rules and procedures for the competency of remote pilots, illustrates the allocation of operational risk and the process to receive a drone operation license and sets conditions concerning the registration of operators and flight devices, the definition of UAS geographical zones, the tasks assigned to the responsible authorities, the exchange of security information and the adjustments of approvals, declarations and certificates, which have to be met by the member states.
Concerning the definition of categories of operation and the operations allowed in these categories (open, specific and certified), the Commission Implementing Regulation on the one hand refers to an annex which contains further specifications and rules. On the other hand, this regulation refers to Commission Delegated Regulation 2019/945 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems (12 March 2019), which deals with the technical qualities of UAS and specifications as to the equipment standards of UAS which have to be met in the respective category of operation.
Both regulations are binding in all of their parts and are directly applicable in all member states; however, for the Commission Implementing Regulation (EU) 2019/947 it was ordered that the member states be given sufficient time to establish the structures and processes prescribed in the regulation. The end of this transitional period will most likely be moved to 1 January 2021, due to the Coronavirus pandemic. This time is also necessary to allow the member states to complete the mandated tasks, amongst them the future registration duty as well as the obligatory configuration of most UASs with remote identification systems and geo-awareness – both of which are important when it comes to drone defence.
Registration of UAS-Operators and UAS Requiring a Certificate
Pursuant to Article 14 of the Commission Implementing Regulation 2019/947 all member states have to create and maintain systems for the exact registration of UAS-owners and UAS subject to authorization, whose operation can create a risk to public safety, air space security, the right to privacy, personal data or the environment. They have to make sure that the systems are digital and interoperable and are enabled to allow mutual access to its respective data and its exchange via a central database. To allow for individual identification, only one distinct registration number will be handed out for each operator and each UAS that is subject to authorization.
Registration is mandatory for all citizens and legal entities that operate or intend to operate one or multiple UAS if it has a MTOM of 250 g or more, or, in the case of an impact can transfer to a human an amount of kinetic energy above 80 Joules and/or their operation poses a risk to the right to privacy or personal data (especially if they are equipped with a sensor to capture personal data) or poses risks to state security or the environment. In the future, we estimate that more than 90% of all commercial drone operators will fall into the aforementioned categories. These drone operators have to provide the following data when registering: their full name, date of birth, identification number (legal entities only), address, email, telephone number, insurance policy number and a confirmation on the competence of the drone pilot to operate the drone. Furthermore, existing operating licenses have to be provided. The unique registration number, following successful registration, is to be placed on the drone.
Owners of aircraft which fall under Article 14 (7) of the Commission Implementation Regulation in conjunction with Article 40 of the Commission Delegated Regulation (EU) 2019/945 (12 March 2019), i.e., one, aircraft designed to transport human beings and hazardous goods, and two, aircraft with measurements (wingspan) larger than three meters that were constructed to be used in the sky above gatherings of humans and three, those falling into a special category, where the licensing process is necessary to mitigate certain risks, have to be registered by the operator by providing the producer’s name, the product name, the UA serial number as well as information about the identity of the operator.
Because of this duty to register the identification of drone operators that do not stick to the rules will be easier in the near future. By using the drone registration, which must be placed on the drone (see above), deductions can be drawn as to the responsible operator respectively owner – e.g., if a damaged drone or one used in an attack is captured. However, a precondition to this is, that all states adopt suitable measures to guarantee a complete registration of all potential operators/owners respectively all UASs subject to authorization. Furthermore, this process must be safeguarded against outside manipulation, because criminals want to avoid registering their aircraft in the first place respectively will try to achieve a registration by making false claims.
Therefore, it should be mandatory that buyers have to register digitally at the point in time when they purchase the drone, via a digital means provided by the seller. Alternatively, or additionally, producers could be forced to program the drone software in such a way that initial operation of the drone is only possible if the buyer registers with the responsible authorities first. Furthermore, it should be confirmed via a data comparison process that no cheating takes place. Finally, ignoring this ‘duty to register’ must result in severe penalties, starting with fines and leading up to the confiscation of the aircraft and the imposition of operational prohibitions for the future.
If we, however, allow the buyer or drone ‘tinkerer’, who builds his own drone, to register at will and without the option of sanctions, and if the information provided by said persons is not compared within the EU, then the logical consequence will be a registry/database that is incomplete and, simply put: wrong, since especially those operators that want to use their aircraft to cause harm or damage, will not have been registered.
Another feature which could facilitate drone detection and drone defence is the so-called ‘remote identification method’. The Commission Delegated Regulation makes it mandatory in its annex that UASs (classes C1 to C4) will have to have a direct remote identification feature which allows the uploading of the UAS-operator identification number (Article 14 of the Commission Implementation Regulation) and the exclusive compliance of the process prescribed with the registration system. It has to be especially guaranteed that during flight a series of UAS data can be transmitted directly and regularly by using an open and documented transmission protocol, which mobile phones must be able to receive. Finally, it must be guaranteed that no recipient can manipulate these data.
The data transmitted contains the following, extremely illuminating information:
- the UAS operator registration number;
- the unique physical serial number of the UA compliant with standard ANSI/CTA-2063;
- the geographical position of the UA and its height above the surface or take-off point;
- the route course measured clockwise from true north and ground speed of the UA; and
- the geographical position of the remote pilot or, if not available, the take-off point.
These data about approaching UASs, which right now can only be identified by detection systems with the right sensors by comparing databases, will be easily available in the future. This concerns most of the devices available on the market, because only those UAS that weigh less than 250 grams, including payload (compare Commission Delegated Regulation) do not have a duty to allow for remote identification.
In the future, the person responsible for drone defence at a company can retrieve a lot of useful information out of the data transmitted. He/she can calculate the position of the UAS, its previous flight path and the speed with which it is approaching – and therewith calculate when the UAS will enter protected air space. The geographical position of the drone pilot is of importance to plant security to catch him/her red-handed, arrest him and secure the drone and/or to hinder the continuation of the attack. Furthermore, the UAS identification number allows the identification of the responsible operator/owner, against whom tort claims might be brought.
All of this is of course based on the assumption that the drone used for an attack really uses the technology prescribed by law and does not send incorrect information, e.g., because the software was manipulated. Concerning this, it is the duty of producers in the first place to equip their devices with the respective hard- and software that cannot be manipulated by the operator/pilot. It also seems possible to install detection systems within the software that send a signal to the producer once manipulation takes place (or at the latest the next time the drone is operated). Such precautions are of course useless, if the criminal drone operator uses a drone that he/ she has built – without a remote identification system (for good reason from the criminal’s point of view).
In this last case, the drone provides a clear sign of its illegality simply by not sending a signal; it will therefore be recognized as a threat. Once such an illegal drone approaches an air space protection zone, it is probably sufficient from a legal point of view to assume that the conditions for self-defence are given.
Pursuant to Article 15 of the Commission Implementation Regulation, every member state has the right to limit or prohibit the operation of drones above certain areas of its territory due to public and air space safety reasons, hazard prevention, to protect the right to privacy or the environment. Alternatively, the state can allow operation if certain conditions or requirements are met. If the member states identify such a ‘UAS geographical zone’ they shall ensure that the information on the UAS geographical zones, including their period of validity, is made publicly available in a common unique digital format. Inversely, the annex to the Commission Delegated Regulation states that all UAS in classes C1 to C4 have to be equipped with a geo-awareness system, which has to have an interface through which all information on air space limitations can be uploaded and updated and depending on the geographical zone, be compared to the position and altitude of the UAS. If the system recognizes a possible airspace limitation violation, a warning notice is supposed to go out to the pilot; this is also true, if the positioning or GPS system of the UAS cannot guarantee the proper functioning of the system.
This technical feature, now incorporated into EU law and soon to be implemented by the member states, will contribute to making drone operations safer. Oftentimes even law-abiding pilots steer their drone astray and pose a risk for geographically protected legal assets. In such a case, the warning notice will lead the pilot back onto a legal flight path. If an operator or pilot, however, aims to intentionally enter a geographically protected zone, he/she will not likely be stopped by such a warning notice (if the warning notice was not already disabled). Therefore, it should be discussed whether it is possible to program virtual fences into the drone software in such a way that the aircraft is technically prohibited from entering restricted zones. Such a geo-awareness is envisioned in the annex of the Commission Delegated Regulation (concerning obligatory geo-awareness systems): If the UAS is equipped with a function that limits its access to certain airspace and frequencies, this function has to interact seamlessly with the command module of the UAS without impairing its flight safety. Furthermore, the drone pilot has to receive clear instructions as soon as this function hinders the UAS to enter certain air spaces and frequencies.
It remains to be seen, whether the EU will come up with further mandatory provisions, or if the member states will mandate that with regard to certain areas geo-awareness systems will have to have integrated virtual fences. One will have to differentiate between permanent lines/borders (e.g., around airports or penitentiaries) and flexible lines/borders (e.g., national parks during breeding seasons). Whether or not the latter can be achieved by uploading the respective orders to the software, would have to be tested by software experts. As could be read in the press, the German federal state of North Rhine-Westphalia plans a legislative initiative to anchor geo-awareness in European law, especially for sensitive areas like penitentiaries and airports. A letter suggesting such a law has already been sent to Brussels.
Cooperation (Aiming at Increased Security) Between Operators of Critical Infrastructures with Law Enforcement Agencies
The current legal situation allows private parties/enterprises in most member states to operate drone detection systems, yet because of the state monopoly on the use of force, they are not allowed to defend themselves using effectors or jamming. Self-defence, as it is an exception to the rule, is not suited to justify the systematic operation of a drone defence system– apart from the fact that private enterprises would not be willing to buy such cost-intense defence system given the unclear legal situation.
On the other hand, law enforcement agencies, seeing their insufficient equipment, are currently hardly able to effectively protect all properties/institutions that are potentially endangered. This concerns especially those considered critical infrastructure, such as energy, water and heat supply, telecommunications, or transportation infrastructure. If such institutions are attacked, it would not only have a tangible impact on the operator of the attacked plant, but could also present severe consequences for the general public (e.g., power plant accident). It is therefore in the interest of the state to protect such critical infrastructure.
Especially large passenger airports have moved to the fore. The incidents at London-Gatwick in December 2018 and Frankfurt in May 2019 showed how vulnerable air traffic is to uncontrolled drone traffic. It is just sheer luck that up to now no collisions between airplanes and drones have happened, and that no airplane has been brought down yet by such an incident. However, even the temporary suspension of flight operations has grave consequences; not only in economic terms for airlines and airport operators, but also for passengers whose flights are postponed or cancelled. Because of this situation, solutions must be found to deal with such problems in the future – technically and legally.
A feasible solution might be the amending of existing rules and laws to allow for an explicit conferral of responsibility for safety to the responsible bodies/institutions. For airports, this might mean that air traffic management, a state actor, would be entrusted with the task of drone detection. Since it is costly, the equipment necessary to fulfil this task should be financed by the state and/or the airport operator – both do have an interest, especially an economic one, in undisturbed flight operations. In that case, it must be mandated that findings gained by such detection operations are provided to the respective police forces, which in turn will coordinate drone defence measures with air traffic control and the airport operator. To avoid interface problems here, it would be ideal if the drone defence systems contained a subsystem that could only be operated by airport police. Otherwise, the law enforcement agencies would need to procure their own systems, which might not be compatible with the systems bought by the airport operators. Such cooperation is of course only possible, if all participating parties agree to a financing concept – this might well be a problem in states with a federal structure.
Concerning the protection of other properties/installations of critical infrastructure, for which law enforcement cannot always be present (e.g., power plants), a so-called ‘security partnership’ between the operator of the plant and the responsible government agency should be installed. Most likely, plant operators will only show an interest in procuring such costly systems if comprehensive drone defence measures are possible. In such constellations, a security partnership could be organized in the following way: the operator receives a permit issued to be the responsible state agency to conduct certain, defined, active drone defence measures by him-/ herself if a certain, well defined threat scenario is met. Allowing this could be achieved by transferring certain duties to the operator, if he/she is considered reliable and their personnel are trained for these situations. The state monopoly on the use of force would have to be broken, but drone defence is not about the defence against another human being, but about possible damage to an object, namely the attacking drone – which seems acceptable considering the severe consequences a successful attack could cause.
The current civil law allows certain protective measures and defines the requirements to gain the approval for extended counter-measures against threats delivered by UAS. It was the intention of the author to show opportunities for the cooperation of stakeholders in two areas: one, detection and two, defence in certain scenarios as described above.
There is legal leeway for effective drone detection and defence, yet on the state side there needs to be determination to develop the law further and use the leeway available. This is especially true with regard to the new legal requirements of the EU drone regulations. The registration obligation in this new regulation, as well as the mandatory remote identification and the rule to respect certain geographical zones are well suited to separate the wheat from the chaff, i.e. to separate cooperative, legally operated drones from uncooperative, illegally operated drones. The latter group generally poses a threat to air space safety and in most cases also for public safety on the ground, especially when committed with criminal intent. In such cases, robust defences are justified, because it cannot be expected that the attacked party can question the reason for the irregular operation of a drone approaching with high speed. Furthermore, the operator/owner of the drone who does not stick to the law has to expect defensive measures by potentially endangered third parties. Whether the operation of defensive measures should remain exclusively with the governmental agencies responsible for the safety and security or whether it should be opened up to private parties via special permits (security partnership) is up for discussion.
Dr iur. Ulrich Dieckert
Dr Ulrich Dieckert is a Berlin-based lawyer, who runs his own law firm (www.dieckert.de) and has specialized in his legal work – amongst other fields – on the law of drones. He also published a guide on ‘Drones – Technology and Law in Commercial and Governmental Operation’ (in German); additionally, he is the chair of the expert group ‘Legal Questions of Drone Operations’ of UAV DACH e.V. and a member of the Advisory Council on Drones headed by the German Federal Ministry of Transportation and Digital Infrastructure.