DJI’s (umpteenth) clarification on data security concerns

You feel this is a story that will never go away.

Which we sadly admit is a tacit acknowledgement of our bleak outlook on the possibility of a future where the world is at peace with no threat of conflict anywhere.

But we do understand if DJI are getting tired of having to respond to questions about the integrity of their data security infrastructures, which have surfaced frequently and at random times since 2017.

In our unqualified opinion, we suppose it comes with the territory of leading a whole market with game-changing products that have defined a new technology’s era.

Competitors will obviously do anything within their power to rise to the level of the market leaders, or to drag them down to their own level so they can claim their share of the said market.

Perhaps there is a time in the future where DJI will be the one making these allegations against a market leader because they are looking for a chink to exploit in the race to the top of the market share pie.

And in DJI’s case, their kryptonite has been their Chinese origins, which have given the company endless grief in the USA, the largest commercial drone market in the world.

We have documented these to ad nauseam levels on this platform – there have been bans, injunctions, black lists, and – lately – bills passed into law.

Then there was that memo that the Federal Bureau of Investigation (FBI) released in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) last week.

The long and short of it is that Washington does not like the People’s Republic of China at all; and has never made a secret of its suspicion of China as “the most advanced, active, and persistent cyber threat to the United States”.

The US office of the Director of Intelligence alleges that China has expanded cyber operations to challenge the global order and US interests – and central to this strategy is the acquisition and collection of data – which China allegedly views as a strategic resource and growing arena of geopolitical competition.

One way to collect that data can be through the use of drones; and as it happens, DJI – a Chinese company – is the biggest commercial drone maker in the world.

Which brings us to the FBI’s memo last week.

“Chinese-manufactured unmanned aircraft systems (UAS), more commonly referred to as drones, continue to pose a significant risk to critical infrastructure and U.S. national security,” the memo read.

“While any UAS could have vulnerabilities that enable data theft or facilitate network compromises, the People’s Republic of China (PRC) has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China.

“The use of Chinese-manufactured UAS requires careful consideration and potential mitigation to reduce risk to networks and sensitive information. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) encourage U.S. critical infrastructure owners and operators to procure UAS that follow secure-by-design principles, including those manufactured by U.S. companies.”

DJI might not have been mentioned by name, but they have sold a lot more drones to individuals and organisations than any competing drone maker anywhere can ever dream of.

And we also suppose they were triggered by the FBI’s encouragement to procure drone products manufactured in the US.

So DJI produced their response to this memo, which we publish in full below.

DJI places the highest priority on data privacy – and puts customers in control of their data’s use.

Our rival drone-makers are stirring up xenophobia to eliminate market competition. We ask you to look at the facts: DJI already adopts the standards outlined in the FBI’s recent memo. Indeed, many agencies and enterprises also employ those standards when using DJI drones.

  • FACT #1: DJI created the market for ready-to-fly civilian and commercial drones almost two decades ago and has invested heavily in robust safety and security protections as well as expanded user privacy controls for our products.
  • FACT #2: Customers only share flight logs, images or videos with us if they affirmatively choose to do so. Default collection does not exist with us.
  • FACT #3: Operators of our consumer and enterprise drones can choose to ‘fly offline’ through Local Data Mode, ensuring that no unauthorized parties can get access to their drone data.
  • FACT #4: Since 2017, we have regularly submitted our products for third-party security audits and certification. These U.S. and European cybersecurity experts buy our products off the shelf and conduct the review independently. Their findings validate that we provide best-in-class data security and privacy protections.

So in spite of our rivals’ geopolitically-disguised ploys to eliminate us from the marketplace, DJI simply does not have the data they say we do.

Did you know?

In 2022, the DJI Core Crypto Engine, which serves as the secure engine of DJI drones, obtained NIST FIPS 140-2 certification which was formally validated by the U.S. and Canadian Governments. This certification is widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and is issued to products with a high level of security and complies with industrial and regulatory security standards.

DJI FlightHub 2 also recently received ISO 27001 certification issued by the British Standards Institution (BSI), which validates its compliance with information security management standards.

Clarifying misconceptions around DJI and foreign data access laws

Like other global technology companies, there may be requirements for DJI to disclose certain information pursuant to local laws and regulations where we operate. For example, DJI may need to disclose information if required to do so in response to a local court order, judicial or other government subpoena, warrant or enforceable request.

Upon receipt of such an order, DJI’s policy is to review the request to check if it meets legal requirements for disclosure. Part of that requirement is that the disclosure would only include data that has been shared with DJI within the national jurisdiction of the government agency requesting it.

This only applies to data DJI does have access to – as we have said earlier: DJI does not collect flight logs, photos, or videos by default. Operators who want to take extra precautions can easily choose to activate Local Data Mode (and even switch on their mobile’s ‘airplane mode’) for added peace of mind. This means the drone is completely disconnected from the internet and is similar to an air-gapped computer.

DJI drones align with best practice cybersecurity

DJI is aligned with the US government’s call for drone operators to practice good security hygiene and to perform regular reviews and training to ensure their protocols remain up to date with industry standards.

Below we have provided additional details on how DJI implements – and in some cases even exceeds – the guidance set forth by the government memo:

  • Beyond Local Data Mode, enterprise operators have the option to update their DJI drone fleet while remaining offline. This gives operators the option to conduct a security review of the latest drone firmware or map updates before using them to update their drones.
  • DJI enterprise operators have the option to bypass DJI’s flight app altogether, and choose from a range of U.S. software providers. Operators can also choose to deploy their own private cloud through DJI’s Cloud API and manage full view over their operations and security.
  • DJI already enables robust data-at-rest and data-in-transit procedures for encryption and storage to ensure confidentiality and integrity of data collected by our drones. For example, enterprise operators can encrypt their media data stored on the drone with a secure passcode. This is non-decryptable by any third-party – including DJI.
  • Our standard practice remains to protect any data transmitted by the drone with AES-256 encryption, and if shared proactively by users with DJI, is stored on U.S. servers.
  • DJI allows for quick and easy deletion of drone data through its Reset All (for consumer drones) or Log One-Click Deletion (for enterprise drones) functions.

These are just some examples of how DJI already practices these cybersecurity recommendations. What is out of our control is country-of-origin-based cybersecurity policies which are problematic to the industry as they are grounded on political and protectionist foundations – instead of technology-based industry standards.

DJI will continue to advocate for the development of a clear technology-based standard for drone security that all drone manufacturers would need to adhere to, regardless of their country-of-origin. This will improve overall drone and data security and benefit the industry and its end user community as a whole.
