With the release of an independent report on its data collection and storage practices, DJI continued its pushback against largely unsupported assertions that its drone fleet may be secretly transmitting information about American infrastructure to China.
Kivu Consulting was hired by the company to make a detailed examination of its drones, mobile apps, servers and data streams. According to Kivu, the study used DJI Spark, DJI Mavic, DJI Phantom 4 Pro and DJI Inspire 2 drones purchased at retail, not provided by the manufacturer. The aim was to determine whether DJI’s drones could surreptitiously transmit sensitive user data, DJI said.
“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit,” wrote Kivu’s Douglas A. Brush in a letter summarizing the findings. “For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server. For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”
DJI has been dogged for years by unsubstantiated rumors that its drones shared customer information, including video footage, with Chinese authorities. The problem reached crisis proportions last summer, when the U.S. Army directed users to stop using the company’s products, citing unspecified “cyber vulnerabilities.” Shortly thereafter, a Los Angeles office of U.S. Immigration and Customs Enforcement released a bulletin claiming that DJI was “likely” providing data about U.S. infrastructure and law enforcement to the Chinese government, citing “open source reporting and a reliable source within the unmanned aerial systems industry with first and secondhand access.” That “reliable source” was not identified.
Subsequently, in October 2017, DJI implemented a new Local Data Mode that cuts off its DJI Pilot application from the Internet. DJI also instituted a “bug bounty” program offering rewards from $100 to $30,000 for those who discover and report security issues with DJI servers, apps or hardware. The company clearly hopes the new security audit will help put to rest rumors of a clandestine overseas connection in its hardware and software.
“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI Managing Director, North America, in a prepared statement. “This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”