Podcast: How FAA Is Reshaping The Privacy Landscape For Aircraft Owners
Listen in as BCA's Jeremy Kariuki and Bill Carey speak with NBAA's Doug Carr on how the FAA is actively changing how access to personally identifiable information for aircraft owners and operators is moderated.
Transcript
Jeremy Kariuki:
Hello and welcome to the Aviation Week BCA Podcast. I'm your host Jeremy Kariuki, associate editor for Business Aviation. Today we're going to be discussing privacy in the business aviation sector. There's been a lot of shifts going on following the passing of the FAA's Reauthorization Act of 2024. Today to discuss this, I'm joined by my colleague, Bill Carey, senior editor of Business Aviation, and Doug Carr, the NBAA senior vice president of safety, security, sustainability, and international affairs. Welcome to the show.
Doug Carr:
Glad to be here, Jeremy.
Bill Carey:
Great to be here.
Jeremy Kariuki:
So Doug, if you could, could you give us an overview of what changes have been made from the FAA in terms of privacy and data protections? What's going on now?
Doug Carr:
Sure. This latest FAA reauthorization really marked over 20 years of work by NBAA to bring a higher level of protection of personal information to a lot of the information that the FAA retains on its website, and most of that information is, in fact, public. What we have seen over the years with ADS-B being a mandate in 2020 and with the FAA releasing flight data starting in the mid-90s, a lot of information and capabilities coming together in a way that allows somebody on the other side of the planet to track an airplane at any time from anywhere and really know who is on that aircraft. And this latest reauthorization requires the FAA to remove personally identifiable information from their databases that really are the source of a lot of the tracking that's happening today, which leads to really significant security challenges for aircraft operators.
Bill Carey:
Doug, this latest data privacy provision of the FAA Reauthorization Act that was passed in May of 2024, I think that was signed by the president. It adds to some existing protections that have already been implemented that you will know about. You mentioned the ADS-B mandate, which took effect in January of 2020, that all aircraft flying in controlled airspace had to broadcast their position and other information by ADS-B, and I think in the wake of that is when, or sometime in the aftermath of that was when the Privacy ICAO Address program was instituted. And under that program, operators request a temporary International Civil Aviation Organization address for broadcast by their ADS-B Mode S transponders, and that's the six-character hexadecimal number, to prevent identification by these third-party hobbyists and others with their own ADS-B receivers.
Now, that was on top of, and I'm not sure chronologically if I'm correct here, the Limiting Aircraft Data Displayed program, and what that does is prevents tracking sites from displaying registration numbers, call signs or flight numbers of aircraft using FAA-sourced data. How does this new data privacy protection build on or complement the privacy protections that were already out there?
Doug Carr:
The questions Bill, the new requirements in the FAA bill, which the FAA is in the middle of implementing, in fact it just started a couple of weeks ago, to implement those provisions of the FAA bill will attempt to disconnect the ability to read an ADS-B's information coming off of the aircraft. Part of that information, as you mentioned, is the ICAO code, the Mode S transponder code, which today is listed as part of an aircraft registration data sheet that can be pulled up on the FAA website along with the aircraft owner information.
The PIA program allows an unpublished ICAO code to be used in place of the published code. You may recall that today the FAA, because it manages roughly 1 million ICAO codes, uses an algorithm to connect the aircraft registration number with the Mode S code. And so it's quite easy to reverse engineer a Mode S code into an aircraft registration number, and from there provide ownership information. What this does is it disconnects that ADS-B code from a published connection with an aircraft registration, and then of course the aircraft ownership information. We believe this is going to help. The PIA program has been around since 2000 and it came into effect along with LADD, the Limiting Aircraft Data Display. Two independent programs. One really is based on data being shared by the FAA and offers protections for that information. The PIA program attempts to address independent non-FAA sourced tracking data by allowing that Mode S code to be disconnected from publicly available information.
Bill Carey:
Okay. You mentioned reverse engineering of that code, and my understanding of one of the weaknesses of the Privacy ICAO Address program was that it would issue a computer-generated six-character hex or temporary code, but I think it started out that it was good for 60 days and then that was changed to 30 days, and was it the timeframe that was the issue there and that the ability to reverse engineer that identification, back to its owner registry information, there wasn't enough or there was too much time allowed for that, and that was kind of the weakness of that program?
Doug Carr:
Well, I think what we have seen as a result of the FAA's implementation of PIA is that first it was a new program. This was something that had never been tried before because it wasn't needed previously. And as a result, 60 days felt like a good starting point to allow operators to implement the change, be issued the PIA code, follow the process for that code to be installed, test it, and then use it. What we saw over the weeks, months and years since that program was turned on was that the ability for that new code to be identified with an actual aircraft happened very quickly. And so 60 days became 30 days, 30 days became a couple of weeks. And for operators today who can demonstrate that their current PIA code has been compromised, the FAA has worked very hard with the industry to allow a very quick turnaround for new codes to be issued to stay ahead of a very active enthusiast crowd and others who have a keen interest in knowing who's flying and where they're going.
Bill Carey:
Okay. In the data privacy provision of the Authorization Act, I think it was section 83, the FAA also said that it's going to seek additional public comments to determine if removing information will affect service providers' ability to perform necessary functions. Can you just describe what the issues are with masking that information and who really needs to see it or should see it versus third parties?
Doug Carr:
We had a great call with, it felt like over about two dozen stakeholders yesterday that I believe did a great job of highlighting all of the work that aviation is engaged in that ties back in some way to the aircraft registry, and I'll share a couple of examples with you. There are a number of regulations, policies, directives, not only from the FAA, but from other parts of the U.S. government, that require certainty in ownership information and require, for example, aircraft manufacturers to be able to get a hold of aircraft owners for things like airworthiness directives, safety mandates, other change notifications that the OEM would be responsible for. And the aircraft registry has been identified as that source of information. Law enforcement has, I think many of us would agree, a need to be able to get in there and understand whose aircraft any particular tail number belongs to.
There are likely a number of international treaties at some point that perhaps tie into the aircraft registry for certain bilateral agreements that are in place between FAA and other nations. There's significant statistical information that is performed on the aircraft registry that may or may not need that ownership information, but that's also something that we heard yesterday that could be impacted in some way. When we look at aircraft transactions, and in many cases the amount of money involved in a lot of these, aircraft owners, lenders, title insurance, aircraft insurance brokers, anybody who touches an aircraft transaction is going to want to make sure that they are not only dealing with somebody who's authorized to sell the aircraft, but also that the information facilitates due diligence that as a result of other parts of the government and requirements that we have with things like know your customer and limitations on certain foreigners that we're not allowed to do business with, it's important that that portion of the industry also has an ability to know more about who's engaged in these aircraft transactions than perhaps the public.
And so what we're working through in advance of the June 4th deadline for all of these perspectives to be shared with the FAA is what makes sense for what we could call authorized or approved uses of the full unredacted FAA Aircraft Registry Database. It's complicated, but I think from NBAA's perspective, we want to and need to ensure that owners who have put their hand up to say, "I want my information to be protected and rely on that assurance regardless of how the information is being used, even through an authorized identified set of other uses."
Bill Carey:
Thanks. That's really helpful. The way that provision works now is that an owner or an operator can request through the FAA Civil Aircraft Registry electronic services website that the agency withhold information such as their names and addresses from public dissemination. Is that kind of the same facility that was discussed perhaps for manufacturers, for lenders, for law enforcement, for other parties to conduct due diligence? I mean, how is that going to be facilitated?
Doug Carr:
Bill, you raise a good question and I would highlight that it is one of many that we just don't have answers for today. I think we appreciate that is probably going to be that front door going forward. It will be that new interface with being able to download, to get access to aircraft records in some way. But how it's going to be implemented or managed when it comes to not only aircraft owners, again today it's aircraft owners' ability to get in there and protect their information. But what about other components of the FAA notice that create additional questions? For example, what is the definition of a private aircraft? I don't believe the FAA regulations identify a private aircraft.
Additionally, some of the language suggests that this is a provision applicable to individuals, and I think we recognize that many of the aircraft concerned about being tracked belong to companies and corporations and businesses. And so there are a number of questions that we are hoping to identify with the FAA as part of our feedback. And we have worked with some really smart people over the last several weeks to suggest potential answers to those questions so that we're hopefully being part of the solution, not just raising problems for the FAA to try and answer in an uninformed way.
Bill Carey:
Right, right. No, that's interesting. For instance, is an aircraft owned and operated by a publicly traded corporation, a Fortune 500 company, is that considered a private aircraft? So that's an interesting consideration.
Jeremy Kariuki:
On that note, Aviation Week data showed that once this program was put into effect where aircraft operators and owners could opt in to have their information redacted, that about 170 aircraft in service had redacted the personal identifiable information that was previously available, and several of those aircraft belonged to Fortune 500 companies. So that actually informs my next question, where right now the FAA is mulling over how we should handle this data moving forward. Is there any benefit to owners or operators to keep their data publicly available? I know the FAA is considering just by default hiding this information and only having access to approved users like we said, or stakeholders if you will. But why wouldn't any owner or operator do it in the first place? Is there any benefit to the publicly available information?
Doug Carr:
Jeremy, I'm going to fall back to perhaps a statement I made earlier, which is that there are definitely more questions than answers that are tied to this effort right now. One of the things that became clear early on after FAA's announcement that operators beginning, I'm going to put that in quotes, today could log into CARES and start protecting their information was what are they actually signing up for? What happens if they need to unblock their tail number or their information for a transaction potentially? What happens if they need to share their information with somebody else who's connected with the aircraft? How would that work? And unfortunately, there's no answers to that yet, but I think those are the kinds of situations we're trying to help the FAA understand as they work to build out what we probably are going to need, which is a little bit more of a sophisticated capability to identify who gets access and to what.
It's important that the right people have access to the right information while we protect information that operators and owners have indicated should not be shared publicly, which again, is that source of aircraft tracking that has led to, from NBAA's members perspective, real security concerns due to the ability to track in live time where an aircraft is going and who's on board.
Bill Carey:
So the next milestone here, Doug, would be June 4th, is that the deadline for the comment period?
Doug Carr:
Bill, it's the deadline for the comments. And I'm hoping that it really forms the start of a conversation with the FAA. It's great to see the FAA moving out quickly on this. They've got two years to implement the changes required by the statute and starting early I believe is going to help us in the long run. But I think what we're hearing is that from a number of stakeholders is that this is not just as simple as protecting your ownership information. There's a lot of FAA and other agency required mandate that ties parts of the community directly to having full access to the aircraft registry. And so working through the different components of what access looks like, who gets access to it and why is something I'm hopeful that we will continue to discuss with the agency beyond June 4th.
Bill Carey:
Well, thanks, Doug. I've run through my questions, and again, that's really helpful and it's much more complex than I imagined.
Doug Carr:
It definitely is, and we've had this really great capability with the aircraft registry for decades. We're seeing now the need not only in the U.S. but around the globe, to be much more focused on personally identifiable information that is contained in a variety of places that for years has never been an issue. It is now and we need to take steps to apply some reasonableness to the information that is publicly shared and apply protections to that information, especially now that owners are saying it's creating security vulnerabilities that are difficult to address.
Jeremy Kariuki:
Well, Doug, Bill, thank you so much for coming onto the show to discuss this very important and very much developing topic. I'm sure that we'll be discussing this in the near future after the deadline approaches, and we'll see what happens going forward. But again, thank you so much for joining us today.
Doug Carr:
Great to be here, and thanks for the invitation.
Bill Carey:
Yeah, thanks again, Doug.
Jeremy Kariuki:
Thanks for listening to the BCA Podcast by Aviation Week Network. This week's episode was produced by Jeremy Kariuki. If you enjoyed the show, don't forget to or follow us on your podcast app of choice. If you'd like to support us, please leave a rating wherever you listen. Thanks again, and we'll see you next time.