At the beginning of July 2018, the Hong Kong Civil Aviation Department (CAD) completed its public consultation on developing the existing legal and regulatory framework to accommodate growing use of Unmanned Aerial Systems (UAS) in Hong Kong. We anticipate that the new framework will be similar to the regulatory approach adopted in other jurisdictions, governing drone registration (250g or more), risk-based classification of operations, enhanced training and licensing, a Hong Kong drone map with
Whilst we await the outcome of the legislative process, we briefly examine the protection of no-fly zones, use of geo-fencing technology and how drones themselves might pose a cyber threat.
In February 2019, Hong Kong International Airport (HKIA) became one of a number of APAC region airports to be mapped out by market-leading Chinese drone maker DJI's Geospatial Environment Online (GEO) 2.0 system. The technicalities of GEO 2.0 are beyond the scope of this article, but broadly speaking improvements have been made to airport no-fly zones to prevent DJI manufactured UAS from operating in restricted areas.
In Hong Kong, restrictions on UAS flight activities within 5 km radius of any aerodrome and the specific Aerodrome Traffic Zone(s) are set out in Schedule 14 of the Air Navigation (Hong Kong) Order 1995 (Cap 448C) ("ANO"). Technical developments, such as GEO 2.0, that might help with ANO compliance, awareness and responsible operations are always welcome.
That said geo-fencing is reliant on unencrypted transmissions and software, both of which are inherently vulnerable to hacking. It therefore raises an interesting legal issue about whether unlawful drone use might be treated as a cybercrime as well as an air safety violation. Drones are thoroughly part of the Internet of Things (IoT) ecosystem. They are remotely controlled through a mini on board computer and its sensors which rely on instructions from the operator, satellite navigational signals (GPS), local radio frequencies and multiple other operational inputs from take-off, during flight to landing. This of course makes UAS vulnerable to:
As a starting point, a person shall not recklessly or negligently "act in a manner likely to endanger an aircraft, or any person therein" (s47 ANO) or "cause or permit an aircraft to endanger any person or property" (s48 ANO). From an aviation law perspective, this makes drone operator legal duties twofold. Their aircraft (UAS are defined as 'aircraft' under the ANO) must a) not endanger any other aircraft operating in the vicinity and b) must also not endanger any other person or property. A breach of those duties could lead to a summary HKD 5,000 fine and/or imprisonment for two years, unless the operator proves that the "contravention occurred without his consent or connivance and that he exercised all due diligence to prevent the contravention" (s91(1) ANO).
As such, it might be reasonably possible for an operator, whose UAS has been 'hacked' to raise a defence against charges of reckless or negligent endangerment contrary to the ANO on the basis of them being an innocent victim of cybercrime.
At present, there is no overarching cyber security law in Hong Kong (unlike Mainland China's Cybersecurity law that entered into force on 1 June 2017). Illicit interception of UAS communications containing personal data will trigger potential liability under the Personal Data (Privacy) Ordinance (Cap 486). However, parking the questions about privacy breaches, we hover over offences of unauthorised access to a computer. This is a criminal offence under s27A of the Telecommunications Ordinance (Cap 106). More broadly, the misuse of a computer program or data and the access to a computer with criminal or dishonest intent are offences contrary to s60 and s161 of the Crimes Ordinance (Cap 200) respectively.
Putting this into context, it could in theory mean that a hapless drone operator might suffer their UAS going 'rogue' either as a result of malware seeping into the drone's operating system or a nefarious third party interferes with the radio frequency to take control. Malware might disengage or bypass the drone's geo-fencing function and enable it to freewheel across the sky and hurtle straight into a no-fly zone to cause mischief. As we have seen at London Gatwick Airport in December 2018, the disruption to airline operations is enormous.
As a victim of a crime under, say, s27 of the Telecommunications Ordinance, s60 or s161 of the Crimes Ordinance, an innocent operator could legitimately argue that what happened to its UAS was neither with their consent nor connivance. However, whether they exercised all due diligence to prevent the contravention is less straight forward. If, for example, the drone operator is a large corporation making use of the UAS for commercial purposes and its cyber security policies are either poor or non-existent then it is questionable whether all due diligence had been undertaken.
It remains to be seen whether such a scenario will arise. As technology outpaces law at a rate of knots, it is within the realms of possibility. The CAD already has enough aviation regulatory oversight work to manage. The focus of the Hong Kong Police Cyber Security and Technology Crime Bureau is fighting ransomware, securities fraud and theft. Nevertheless, the cyber threat of drones to flight operations should not be ignored, whether they are labelled as aircraft, IoT gadgetry or otherwise.