A leaked ICE bulletin warns of possible spying by drone maker DJI on behalf of the Chinese government, raising new concerns about security and privacy. The memo warns that DJI is very likely targeting certain government and private entities “to collect and exploit sensitive U.S. data.” That is just a sliver of the long report, though, which warns that DJI’s mobile apps are allegedly sending a bunch of data back to systems in Hong Kong and Taiwan.
According to the memo, US officials have “high confidence” that a government with access to the data DJI is allegedly automatically uploading to cloud systems could use that data to “easily coordinate” both cyber and physical attacks against some of the nation’s most critical sites. The bulletin accuses DJI’s mobile apps of collecting facial recognition data regardless of whether the feature is on.
The accusations in the leaked documents are the most severe lobbed at DJI thus far, greatly exceeding the leaked US Army memo earlier this year that commanded troops to stop using the company’s hardware and software. ICE paints a picture in which DJI is allegedly focusing its attention on critical infrastructure throughout the US, using its drones and apps to gather GPS data, images, and more of these sites.
The memo claims that DJI is especially targeting certain major utility companies and railways systems in the US, as well as a major ammunition plant in Kansas. The document also states that DJI is targeting law enforcement agencies throughout the US down to the local level with its products.
One example given is the LA Sheriff’s Department’s announcement earlier this year that it will use DJI Inspire drones, giving DJI access to vital law enforcement data on one of the US’s largest cities, assuming the accusations are true. This selective targeting is said to have resulted in DJI garnering some major customers involved with critical infrastructure, including American Electric Power and American Water.
In addition, ICE’s document claims that DJI is “likely” using data from its products to target areas the Chinese government may be considering buying. One example given was a California vineyard’s use of DJI products to survey its production; soon after, Chinese companies reportedly starting buying vineyards nearby.
As if all of that weren’t frightening enough, the memo also claims that DJI employed a “dumping technique” — that is, greatly decreasing its prices in a single year — that effectively flooded the market with its products while squeezing out pricier competition. Doing so resulted in many companies and agencies choosing DJI’s drone products, which if this report is accurate, was a way to gather larger amounts of data.
DJI, not surprisingly, has entirely dismissed the claims.
EDIT: DJI provided us with the following statement, arguing that the leak “is based on clearly false and misleading claims from an unidentified source.” In addition, the company has laid out specific rebuttals point by point, and it makes for interesting reading.
DJI Statement On ICE Bulletin
DJI is aware of a bulletin about DJI issued in August by an agent in the Los Angeles office of U.S. Immigration and Customs Enforcement (ICE). The bulletin is based on clearly false and misleading claims from an unidentified source. Through the law firm of McDermott Will & Emery, DJI provided ICE a detailed rebuttal of the report, explaining why the data behind its conclusions is deeply flawed.
As DJI explained to ICE, the allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions. DJI further urged ICE to consider whether the source of the allegations may have had a competitive or improper motive to interfere with DJI’s legitimate business by making false allegations about DJI.
Many of the allegations in the ICE report are obviously false. The claims that DJI systems can register facial recognition data even while powered off, that Parrot and Yuneec have stopped manufacturing competitive products, and that DJI products have substantial price differentials between the U.S. and China can be easily disproven with a basic knowledge of technology and the drone industry, or even a simple internet search.
Other allegations in the report are similarly unsupported by facts or technical analysis. For example, DJI does not access its customers’ flight logs, photos or videos unless customers actively upload and share them with us. Further, DJI’s new Local Data Mode stops all internet traffic to and from the DJI Pilot flight control app to provide enhanced data privacy assurance for customers flying sensitive missions.
DJI has built its reputation on developing the best products for consumer and professional drone users across a wide variety of fields, including those who fly sensitive missions and need strong data security. We are committed to helping our customers keep their private data private, and we have expressly advocated for our customers’ right to privacy in their drone operations, even where others in the industry have taken the opposite position. We will continue working to provide our customers the security they require.
SOURCE: Public Intelligence