The world’s dominant drone manufacturer says it will make software changes in the near future that will offer additional data security for users. DJI says it will modify the popular DJI GO4 and DJI FLY apps in the coming months. That will allow users to enable Local Data Mode – ensuring no data can be externally shared.
There’s more than a little background here. We’ve written on many occasions about DJI and data security. We won’t recount the history (and there’s a lot of it) here, except to summarize the more recent events briefly. Concerns have been raised, especially by the US Department of Interior, that made-in-China drones (or drones with Chinese-made components) may share some user data with servers and third parties. More concerns were raised by a data security firm (which was perhaps hired by a rival drone company). DJI denied most allegations and said it could not replicate some findings in its own lab.
Other independent tests have examined DJI’s drones and software. Those results did not indicate any significant risk. DJI also produces “Government Editions” of some drones, which means altered software and firmware that allows the systems to operate in a more or less hermetically sealed fashion.
However, the issue has not gone away. In fact, it’s the opposite. And other drone manufacturers (notably Parrot) have recently taken potshots at Chinese-made drones in general, and DJI in particular. What started out as an issue of optics has now become a business issue. The perception – even just the perception – of a data security issue has the potential to hurt sales.
Local Data Mode
Today’s announcement is significant, says DJI.
This expansion brings Local Data Mode to operators of all recent DJI drones, allowing commercial and government customers, including public safety agencies and other federal, state and local government users, to confidently choose the best DJI drone for each mission. All DJI drones provide data security protections for their users by empowering them to decide whether and when their drone data is shared externally. Local Data Mode provides government and commercial customers with additional assurance that data generated during drone operations is effectively protected. It is an internet connection “kill switch” feature within DJI’s command and control mobile applications that, when enabled, prevents the app from sending or receiving any data over the internet. With this feature enabled, drone operators can easily and effectively cut off all network connections from DJI’s mobile applications and prevent any data from being transferred to DJI or other parties.
– DJI News Release
Not just government
Local Data Mode will be offered on the company’s most popular flight control apps: DJI GO4 and DJI FLY. That means the feature will be accessible to anyone using those apps who wants to enable it.
The move comes after DJI says its products were put through an exhaustive cybersecurity audit by FTI Consulting. During that audit, btw, DJI provided FTI Consulting with access to some 20 million lines of application source code. The key findings are directly quoted here from the FTI summary:
- FTI observed a number of instances where DJI employed security best practices.
- FTI found that when DJI’s Local Data Mode (LDM) is enabled, no data that was generated by the application was sent externally to infrastructure operated by any third party, including DJI.
- FTI found that Pilot PE used with FlightHub Enterprise provides an alternative method for operation that provides consumers additional control over the data they generate, as it requires installation on a local or cloud-based server. With this configuration, FTI observed no evidence of data being requested or transmitted externally.
- FTI found some instances of low-risk vulnerabilities in its application source code and website review; FTI assessed that these findings posed minimal risks to consumers.
The DJI news release quotes Brendan Schulman, its most highly visible legal person and the world’s most famous drone lawyer:
For commercial and government customers who generate highly sensitive data and operate with rigorous data security protocols, Local Data Mode provides simple and effective operator-controlled assurance that no data from their flights will be transmitted over the internet. This expanded capability for DJI customers builds on the results of FTI’s independent analysis and demonstrates yet again that DJI empowers its customers to protect their data.
– Brendan Schulman, Vice President of Policy and Legal Affairs, DJI
Expanding DJI’s existing consumer flight control software – DJI GO4 and DJI FLY – means the option of shutting down data will be available to pretty much anyone flying DJI products. So while this development will likely be of greatest relevance to government agencies or other more ‘official’ clients, the option will be available to even recreational pilots.
DJI’s release, however, concentrates more on the government clients – perhaps because that’s the area where sales are potentially most impacted by perceptions of data security issues.
For commercial and government customers who want advanced drone fleet management capabilities offered by DJI FlightHub software, FTI’s analysis also found no evidence of data being requested or transmitted externally with the combination of FlightHub Enterprise and the DJI Pilot PE application. FlightHub Enterprise is a version of FlightHub that is installed and hosted on a customer’s local IT infrastructure, and the DJI Pilot PE application is a custom version of DJI Pilot for use with FlightHub Enterprise.
– DJI Release
DJI also continues to offer its Government Edition solution created specifically for use in high-security situations by government agencies. The solution involves custom device firmware and operational software in a unique architecture that supports high data security requirements, including Local Data Mode permanently enabled, to ensure that drone data can never be shared with unauthorized parties including DJI. While not part of the scope of FTI’s analysis, DJI’s Government Edition solution has been independently reviewed by U.S. cybersecurity firm Booz Allen Hamilton, U.S. Department of Interior, and U.S. Department of Homeland Security.
– DJI Release
It should be noted that DJI’s release does not acknowledge the existence of any problem. The FTI Consulting review did not find anything significant in terms of data privacy, nor did the other independent reviews noted above.
We’d like to think this might put an end to the story. We suspect, however, that concerns over Made-in-China drones, or drones with Made-in-China parts, will continue to be an issue in the US. That might change if the administration does, but there’s truly no way of knowing.