Memo charges Chinese-made drones with snooping
Connecting state and local government leaders
A memo from Immigrations and Customs Enforcement's investigative arm claims small DJI drones were most likely downloading sensitive data they gathered in the U.S. to the Chinese government's cloud.
Unmanned aerial systems built by the Chinese and sold in the U.S. to governments, police and critical infrastructure providers are probably sending the data they collect to the Chinese government, according to an agent in the Immigrations and Customs Enforcement's investigative arm.
In August, an ICE intelligence officer sent a memo to law enforcement agencies across the nation warning that small drones sold by Da Jiang Innovations were most likely downloading sensitive data they gathered in the U.S., including data on critical infrastructure sites, to the Chinese government's cloud.
The memo was first reported by sUAS News on Nov. 18 and posted to the Public Intelligence Web site on Nov. 27.
In its response, DJI complained that the memo was "based on clearly false and misleading claims from an unidentified source."
Also in August, the Defense Department banned the use of DJI drones, citing cyber vulnerabilities, according to a report in DefenseOne. A memo from Lt. Gen. Joseph H. Anderson, the Army’s deputy chief of staff for plans and operations called on the service to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”
Shortly thereafter, DJI announced "a new local data mode that stops internet traffic to and from its flight control apps," to protect the privacy of government and enterprise customers' photos, videos and flight logs.
The ICE memo claims "with high confidence" that DJI is "selectively targeting government and privately owned entities" in the critical infrastructure and law enforcement sectors "to expand its ability to collect and exploit sensitive U.S. data."
The official based the hunch on open source reporting from magazine and newspaper articles, but also on a "reliable" source in the drone industry that has "first and secondhand access" to knowledge of the practice.
The memo said that as of July, at least 10 companies in the railroad, utility, media, farming, education and law enforcement sectors have purchased and are using the company's small drones to collect mapping data, inspect infrastructure, conduct surveillance and monitor hazardous materials.
It noted other Department of Homeland Security memos in its sourcing, including one that said DJI drones were used by the contractor building the agency's National Bio and Agro-Defense Facility in Manhattan, Kan., to help with security on the site, as well as with construction plans.
It said DJI has targeted critical water, electrical, railroad and other infrastructure providers to sell its equipment to, particularly in big metropolitan areas.
Critical infrastructure companies have been among the most vocal organizations clamoring for Federal Aviation Administration waivers to operate all drone types as they consider them as an inexpensive, efficient way to keep an eye on their facilities.
The small drones, said the memo, use two Android smartphone applications called DJI GO and Sky Pixels that automatically tag GPS imagery and locations, register facial recognition data even when the system is off and access users' phone data. The apps also can capture personally identifiable data on the operator, as well as video, photos and computer credentials.
DJI strongly disputed these characterizations in an email to FCW, GCN's sibling site. "SkyPixel is not an app -- it's a website we run to spotlight cool drone photos and videos from around the world, shot by drones from any manufacturer. More importantly, neither one of them register facial recognition data (especially when they’re turned off!)," a spokesperson said. Additionally, DJI noted that DJI Go works on Apple iOS as well as Android.
The memo's industry source said DJI automatically uploads data to cloud storage systems in Taiwan and Hong Kong, "to which the Chinese government most likely has access."
According to the memo, a foreign government could "easily coordinate" physical or cyberattacks against crucial sites using the data.
In its response, DJI said that its products don't have facial recognition capability when it comes to tracking individuals and that it was not selling products at a loss to drive competitors out of the U.S. market for small drones. Additionally, DJI stressed that photos, flight logs and videos are only synced with a remote server when the operator selects that option. For U.S. operators, data is stored on Amazon Web Services servers in the U.S., the company said.
This article was first posted to FCW, a sibling site to GCN.