Commercial Drone Alliance Asks Congress to Repeal Section 336

The Commercial Drone Alliance (the Alliance) has asked Congress to repeal Section 336 of the Federal Aviation Administration (FAA) Modernization and Reform Act (FMRA) of 2012. The Alliance believes that differentiating model aircraft users, including unmanned aerial systems (UAS or drone) pilots,  from commercial drone pilots poses a safety risk in the national airspace. The Alliance insists that all UAS pilots should abide by the same ‘rules of the road.’

Currently, Section 336 prohibits the FAA from regulating qualifying model aircraft. The Alliance asserts that this exemption has been misinterpreted and abused, giving all model aircraft users, including those not participating in a Community Based Organization as required under the law, the impression that they are operating their drones in accordance with the law. Co-executive Director of the Alliance, Lisa Ellman, said, “We understand why model aircraft proponents want to remain exempt, as they have been flying safely for decades. However, times, have changed, and hobbyists are no longer flying alone.”

The Alliance requests that Congress include new language in the 2018 FAA Reauthorization Act to enable the FAA to regulate drones and the national airspace in a common sense way.

The Academy of Model Aeronautics (AMA) responded to the Alliance’s plea to Congress, stating, “AMA’s No. 1 priority is the safety of our nation’s skies. Through Section 336, AMA safely manages 200,000 members –as the organization has done for more than eighty years –freeing up scarce FAA resources to advance commercial drone regulations and other priorities.” Further, the AMA said, “We also recognize that remote identification requirements make sense at an appropriate threshold of weight and capability, such as for more sophisticated drones. That’s why we are actively working with Congress, the manned aviation community and the UAS industry on policy solutions to these challenges within the framework of Section 336.”

An extension to the reauthorization act had been scheduled to expire, but Congress included a new extension in the latest spending bill, which moved the deadline to September.

Privacy Tip #134 – Question: How are Online Quizzes Beneficial to Me?

Many readers know that it would be a cold day in H-E-Double Hockey Sticks (Go Bruins!) that I have in the past or ever in the future will take an online quiz. Why on earth would anyone do that? What is the benefit to you of participating in a seemingly innocuous quiz about yourself and your past?

This week, Facebook, still reeling from the Cambridge Analytica scandal, suspended data analytics firm CubeYou from its platform after CNBC notified it that CubeYou was collecting information about users through quizzes.

CubeYou says its quizzes are for “non-profit academic research,” but is reportedly selling the information gathered from the quizzes with marketers. Gee, sounds just like the Cambridge Analytica mess. According to the CubeYou website, it says it has access to personally identifiable information of individuals, including first and last names, email addresses, phone numbers, IP addresses, mobile IDs, browser fingerprints, age, gender, location, work and education, family and relationship information. It uses this information, taken from Facebook and Twitter ,to contract with advertising agencies to target you. It is concerning that they have all of this information for advertising, and my question is: who else are they disclosing your information to and how long are they keeping it? Forever? That is disconcerting.

Having control of your information and determining who can have access to it is a fundamental right to privacy. When you agree to take these online quizzes asking personal questions about you, are you aware that the sole purpose is to gain more information about you for advertising purposes? What is in it for you?

Not only that, there are scammers who are targeting individuals to get answers to questions that may be used for authentication purposes, like the name of your first pet, what was your first car, your favorite movie and how long you have been married. Any of the answers to these questions could be clues or the key to authentication questions for your bank account, used in obtaining a loan, or on another online platform that seeks authentication.

The privacy tip of the week is to consider whether taking these online quizzes and giving your information to advertisers and fraudster is beneficial to you. Before you agree to take one, think about why you want to share this information, how it could be used with the thousands of other data points about you that are on the Internet and why you are allowing others to monetize your information. It’s your information. Take control of it.

Developing Crypto’s Regulatory Landscape: A Survey of Recent Actions by Federal Regulators to Fence Off Jurisdiction Over Virtual Currencies

In the decades that followed the enactment of the Homestead Act of 1862, more than 1.6 million U.S. citizens and intended citizens filed applications with the U.S. government to lay claim to 160 acres of land guaranteed to each applicant willing to settle, farm and improve the lands.

Settlers quickly encountered a major problem. The land was fertile, but virtually tree-less, and farmers needed fences to contain the boundless plains over which cowboys shepherded their cattle. Farmers tried growing thorn bush hedges, but they were impractical because they were slow-growing and too rigid to manipulate along a property line. Smooth wire fences were equally unworkable because cattle could simply push through them. Lacking a solution, many settlers abandoned their homesteads.

By 1871, the U.S. Department of Agriculture concluded that, despite its immense fertility, the vast and uncharted expanse of plains west of the Mississippi would not be cultivated —and therefore the American West would not be “settled” (at least as that term was understood within the concept of “manifest destiny” then sweeping the nation)— until farmers had a fencing that worked. The technology that emerged to solve this problem was barbed wire. With barbed wire, homesteaders fenced off their tracts, allowing them to effectively control and develop their lands, and the “Wild West” transformed into the “American West.” For better or for worse, the development of barbed wire and the legal landscape that followed in its wake transformed the concept of land ownership in much of America, and revolutionized what the Homestead Act could not: private ownership of land in the West. With it, the law of possession (nine-tenths of which is control) rapidly transformed from theory to practice.

Fast forward to present day and a similar, but more modern transformation is underway. Blockchain technology is being developed to revolutionize what the internet could not: trust in, and reliance upon, third parties (i.e., banks, governments and corporations) in commercial transactions. As the Illinois General Assembly Blockchain and Distributed Ledger Task Force recently summarized:

“While intermediaries fill a vital role in transacting value, relying too heavily on them often comes at the expense of inclusive prosperity. Intermediaries add costs and frictions to our economy for both businesses and consumers. They monetize vast amounts of data privacy and leave over a quarter of the world’s population out of the global economy.”

The solution is a peer-to-peer digital economy that can securely exchange, store and manage anything of value, including virtual currencies, or “cryptocurrencies” (e.g., bitcoin), in a time-stamped, non-repudiable database that chronologically and publicly records each transaction in real-time (i.e., a blockchain).

But who controls, or regulates, the conduct of parties surrounding transactions of virtual currencies? In recent years, and particularly with bitcoin’s extreme pricing surge in the latter half of 2017, federal regulators have increasingly focused their attention on this question.

Last month, in CFTC v. McDonnell, 2018 U.S. Dist. LEXIS 36854 (E.D.N.Y. Mar. 6, 2018), the U.S. District Court for the Eastern District of New York became the first federal court to address and adopt the CFTC’s determination that virtual currencies are commodities, as defined by the Commodities Exchange Act (CEA), and thus subject to CFTC’s anti-fraud and anti-manipulation enforcement authority. In McDonnell, the CFTC alleged that the defendants violated the CEA by operating a fraudulent scheme in connection with trading and investment services offered relative to virtual currencies. The CFTC sought a preliminary injunction against the defendants, while the defendants argued that the action should be dismissed for lack of jurisdiction. The Court denied defendants’ motion to dismiss and granted the CFTC’s application for a preliminary injunction, holding that: (1) virtual currency may be regulated by the CFTC as a commodity; and (2) the CEA permits the CFTC to exercise its jurisdiction over fraud that does not directly involve the sale of futures or derivative contracts. In so holding, the Court stated that “[v]irtual currencies are ‘goods’ exchanged in a market for a uniform quality and value,” and thus “fall well within” both “the common definition of ‘commodity’” and “the CEA’s definition of ‘commodities.’” The Court continued to explain that the CEA, as amended by the Dodd-Frank Act, provides the CFTC the authority to exercise enforcement over fraud or manipulation in not only futures and derivatives markets, but also over fraud or manipulation in underlying spot markets. While McDonnell is notable as the first federal decision to address and apply the CFTC’s determination that virtual currencies are commodities under the CEA, it is also the first federal decision to clarify that “jurisdictional authority of the CFTC to regulate virtual currencies as commodities does not preclude other agencies from exercising their regulatory power when virtual currencies function differently than derivative commodities.” Accordingly, the Court noted that that “[u]ntil Congress clarifies the matter, the CFTC has concurrent authority along with other state and federal administrative agencies, and civil and criminal courts, over transactions in virtual currency.”

To this end, the SEC has asserted jurisdiction over the “crypto” market, opining that: (1) “products linked to the value of underlying digital assets, including bitcoin and other cryptocurrencies, may be structured as securities products subject to registration under the Securities Act of 1933 or the Investment Company Act of 1940”; and (2) many virtual currency trading platforms “give the impression that they perform exchange-like functions” and may, in fact, “operate[] as an ‘exchange’ as defined by federal securities laws,” thereby requiring registration with the SEC.  The SEC has begun taking action consistent with these statements. See, e.g., SEC v. Plexcorps, 17-CV-7007 (E.D.N.Y.) SEC Compl., ECF No. 1 (“This is an emergency action to stop Lacroix, a recidivist securities law violator in Canada, and his partner Paradis-Royer, from further misappropriating investor funds illegally raised through the fraudulent and unregistered offer and sale of securities called ‘PlexCoin’ or ‘PlexCoin Tokens’ in a purported ‘Initial Coin Offering.’”).

Similarly, the IRS has declared that “virtual currencies that can be converted into traditional currency are property for tax purposes, and a taxpayer can have a gain or loss on the sale or exchange of a virtual currency, depending on the taxpayer’s cost to purchase the virtual currency.” Under this authority, the IRS has sought and obtained trading records from virtual currency exchanges concerning transactions by U.S. citizens. See, e.g., United States v. Coinbase, Inc., 2017 U.S. Dist. LEXIS 111756 (N.D. Cal. July 18, 2017). According to one recent estimate by a former J.P. Morgan Chase strategist and current Managing Partner and Head of Research at Fundstrat Global Advisors, U.S. households may owe approximately $25 billion in capital gains tax for their virtual currency holdings this year.

In addition, the U.S. Treasury Department, U.S. Department of Justice, and New York Department of Financial Services have begun pursuing regulatory and/or enforcement efforts relative to virtual currencies.  CFTC v. McDonnell, 2018 U.S. Dist. LEXIS 36854, at *14-16 (E.D.N.Y. Mar. 6, 2018).

The regulatory landscape surrounding virtual currencies, much like the technology underlying virtual currencies, is in its infancy. Nonetheless, cryptocurrencies and the blockchain technology on which they are based may prove to be both disruptive and transformative to the formation and distribution of capital in years to come. The success of virtual currencies, however, may be more firmly linked to the establishment and maintenance of a reliable regulatory regime than many “crypto” purists want to believe.

Just as the fecundity of America’s heartland could not be optimized without the development of technology that transformed an abstract theory of ownership into a practical exercise of control, so, too, may the promise of virtual currencies and blockchain technology be impaired by uncertainty surrounding the establishment and maintenance of a reliable regulatory regime under which virtual currencies are transacted. As the McDonnell Court aptly noted, state and federal regulators will continue to have “concurrent authority… over transactions in virtual currency” unless and until Congress determines a more tailored regulatory scheme is warranted. Accordingly, these recent actions by the CFTC, SEC, and IRS remain important building blocks in creating and defining a regulatory landscape to govern the virtual currency space.

Announcement of New Alliance for Drone Innovation

This week, a new group of unmanned aerial system (UAS or drone) industry leaders announced the creation of the Alliance for Drone Innovation (ADI),  a policy-oriented coalition of manufacturers, suppliers, and software developers of hobbyist and commercial drones meant to help represent the interests of individuals, businesses, governments, scientists, academics and others who fly drones in the U.S. national airspace. The Executive Director of the ADI is Jenny Rosenberg, former U.S. Department of Transportation acting assistant secretary for aviation and international affairs.

ADI succeeds the Drone Manufacturers Alliance, which was formed in 2016; the ADI seeks to expand the prior Alliance’s mission and reach to reflect the growing number of stakeholders working to develop new technological capabilities of drones, as well as the increased legislative and regulatory activity. The ADI hopes to promote awareness and understanding of the UAS industry among policymakers, media and the general public, as well as help the Federal Aviation Administration (FAA) and Congress in regulating the national airspace for drones, creating a practical regulatory framework, and supporting new, technological solutions that eliminate the need for static technology mandates. To learn more about the alliance, click here.

“NYC Secure” Gives New Yorkers Tool to Protect Their Smartphones

On the heels of the ransomware that had the City of Atlanta scrambling last week, Mayor Bill de Blasio announced the launch of “NYC Secure,” a free mobile app that will alert New York City residents of suspicious activity detected on their smartphones.

According to the Mayor, “New Yorkers aren’t safe online. We can’t wait around for other levels of government to do something about it or the private sector…. It’s our job in government to make sure that people are safe online. It’s a new reality.”

NYC will spend $5 million a year for the tool, Quad9, which routes a user’s web traffic through its servers and identify and block malicious sites and email. The app is free to New Yorkers and will be overseen by the NYC Cyber Command, which leads NYC’s city wide cyber defense and incident response. It will be available this summer.

The mayor also announced new protections for the city’s public Wi-Fi networks. He claimsNew York is the first city in the world to provide such services to all residents and visitors, free of charge. Good for Mayor de Blasio for helping residents protect themselves online. We need all the help we can get.

South Dakota Beats Alabama in Passage of Data Breach Notification Law

We previously noted last month that only two states had not enacted a data breach notification law to date—South Dakota and Alabama [see related post].

South Dakota passed the finish line right before Alabama, but both states have now joined the rest of the nation in enacting data breach notification laws for their citizens.  Last month, South Dakota Governor Dennis Daugaard signed South Dakota § 22-40-19 et. seq., the South Dakota Data Breach Notification Law,  into effect. Alabama Governor Kay Ivey’s signature on April 3, 2018, inked the final state data breach law into effect. The Alabama law goes into effect on May 1, 2018, the highlights of which we noted during our previous post.

The South Dakota new breach notification law is applicable to electronic records only. It defines “personal information” in a conservative manner, including a person’s name in combination with a Social Security number, driver’s license number or unique number issued by the government, account, credit card, or debit card with security, PIN or passcode, routing number or any other information that would allow someone to access a person’s account, health information or an identification number assigned by an employer including a security code, access code, password or biometric data. It is interesting to note that the protection of biometric data is protected only as it is associated with authentication of an employee by an employer.

It also defines “protected information” as a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account; and account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account, (which is duplicative of the definition of “personal information”).

Notification of a breach must be made to individuals within 60 days of discovery unless law enforcement requests a delay. If law enforcement requests a delay, notification must be made within 30 days after law enforcement notifies the holder that notification will not compromise a criminal investigation. Notification is not required if the holder of the information, following an investigation and notice to the attorney general believes the breach will not likely result in harm to the affected person. If that determination is made, the holder of the information must document its findings and maintain the documentation for at least three years.

If notification is provided, the Attorney General is also to be notified if more than 250 residents are affected. All reportable breaches, no matter how many South Dakota residents are affected, must be reported to the credit reporting agencies.

The Attorney General is authorized by the statute to prosecute failures to disclose data breaches and can recover civil penalties of up to $10,000 per day per violation, along with attorney’s fees and costs.

Improper Data Sharing With Cambridge Analytica May Affect 87 Million Facebook Users

Facebook reports that the personal data of 87 million Facebook users, mostly located in the United States, “may have been improperly shared” with British data analytics firm Cambridge Analytica. Previous estimates put the possible scope of improper sharing at about 50 million users. The increased number was calculated by Facebook by totaling the friends of the 270,000 Facebook users who permitted a researcher’s personality quiz app “thisisyourdigitallife” to collect and share personal data about the users and their Facebook friends for research purposes. The researcher allegedly shared the data with Cambridge Analytica, allegedly in violation of Facebook’s rules. See [view related post] for more details.

In addition to Facebook reporting a significantly higher number of potentially affected Facebook users, Facebook also announced a number of measures it states are designed to restrict access to data across its social media platform. Additionally, beginning on April 9, Facebook will also inform individual Facebook users whether their data may have been improperly shared with Cambridge Analytica, by a notice at the top of their news feeds [See complete notice –].

This news comes after Facebook CEO Mark Zuckerberg agreed to appear before a Congressional committee investigating the company’s practices. Zuckerberg’s scheduled April 11 testimony before the House Energy and Commerce Committee will focus on the Facebook’s “use and protection of user data.” Zuckerberg has also been requested to testify before the Senate Commerce and Judiciary committees, although no dates have been announced. In addition, the company faces an investigation by the Federal Trade Commission, as well as several state investigations.

Meanwhile, Cambridge Analytica suspended its CEO Alexander Nix as the Facebook scandal broke open two weeks ago, together with videos showing him talking with an undercover reporter about potential bribery and entrapment. The British firm has also been engulfed in a number of inquiries by Parliament and the British data protection watchdog, the Information Commissioner’s Office.

FAA’s Tips for Applying as a Service Supplier to LAANC

The Federal Aviation Administration (FAA) recently announced its nationwide expansion of its automated airspace approval system, the Low Altitude Authorization and Notification Capability (LAANC), and that it will be taking applications for new unmanned aerial systems service suppliers (USS) to provide LAANC services to the public. Last week, the FAA issued a notice of “important information for applicants,” including information about what data streams applicants must use (available here) and advising that applicants should sign up for LAANC-related updates because LAANC is in its test phase, meaning prospective applicants should expect changes to the application process and requirements.

The FAA advises that potential USS candidates should have a mature product, or at least the capability to develop one, before LAANC onboarding, and should carefully review other application requirements such as providing information about how their system will accurately process airspace requests and correctly reflect regulatory and airspace requirements. Applications are due by May 6, 2018.

FAA Grants PACI Beyond Visual Line of Sight Part 107 Waiver

Praxis Aerospace Concepts International (PACI) announced this week that it has been granted a Part 107 waiver under the Federal Aviation Administration’s (FAA) small unmanned aircraft systems (UAS) regulations to fly drones beyond visual line of sight (BVLOS). PACI, a Nevada-based company, is now one of the very few companies in the United States permitted to fly its drones BVLOS for professional aerial work. PACI CEO, Jonathan Daniels, said, “We are absolutely thrilled to be the first Nevada company to receive permission to fly commercial BVLOS. This is a major step over the hurdle for the commercial UAS industry. This will open up many opportunities for businesses already anchored here and those corporation who want to start-up here at our Searchlight Airpark facility.” To view PACI’s Part 107 wavier, click here. PACI has also received waivers for drone operation 400 feet above ground level and operations at night.

DJI Brings Blockchain to Drones

DJI, one of the world’s leading drone manufacturers, and ShareRing, an Australian-based blockchain startup, have partnered to make sharing and renting drone easy and efficient. DJI plans to use ShareRing’s token, a secure digital placeholder for real-world monetary assets, to loan their drones to governments, corporations, and trade events. While the exact details of this initiative are yet to be determined, there will be a test roll-out of this program in Australia beginning on August 18, 2018. Of course, whether DJI plans to jump into the drone rental business remains unknown. According to ShareRing’s co-founder and CEO, Tim Bos, “DJI and their distributors will help influence the structure of our APIs and functionality of the apps that we are creating. This is essentially a pilot partnership to provide an online service with DJI in Australia only before discussing further implementations elsewhere.”