Reminder: Aircraft tracking websites still violate your privacy rights

Whenever you fly an aircraft, chances are that you are perfectly identifiable and trackable almost everywhere. Aviation tracking websites like Flightradar24 or FlightAware have made identifying, locating, and following an airplane very simple (and fun). Multiple tracking technologies are used to achieve this: ADS-B, MLAT, and FLARM. Flight data are stored in a database and can be retrieved by users long after the fact.

This is an example of a private flight:

The General Data Protection Regulation (GDPR, or DS-GVO in German) took effect in 2018 across the whole European Union. The law requires companies to be more diligent in handling their customers’ personal data. Crucially, before any data can be processed or stored, the customers (“data subjects”) have to give their consent.

Back to tracking websites: Locating airliners is not usually a problem since it is hardly possible to relate a flight to a person (unless you are John Travolta). For private and hobby aircraft, however, the interpretation is quite different: Flight data are clearly personalized and should be treated as such, following the rules of the GDPR.

Of the above-mentioned systems for tracking, FLARM is the only one that offers privacy features by default:

  • Tracking can be disabled in the configuration (“No Track”). This information is then transmitted in the tracking data and generally respected by the receiver networks. Rogue receivers may still record the full data.
  • The sender address (the unique number identifying each FLARM sender) can be randomized, completely disguising the identity of the sender. The address will further be updated during the flight, making it increasingly difficult to correlate data, even for non-compliant rogue receivers.

FLARM thus offers both a way to signal consent and technical means to work against non-compliant receivers. ADS-B and MLAT do not offer this.

Four years after the GDPR's introduction, aircraft tracking websites thus still violate it.

Further reading: GDPR (Wikipedia), AOPA on the same topic (German, 2018)