2017 was something of a rough year for DJI, at least politically. In August, the U.S. Army banned its drones, citing security concerns. In November, the LA Division of the U.S. Immigration and Customs Enforcement Agency released a report alleging that the China-based drone company was using its products to spy on U.S. infrastructure and other critical sites.
DJI denied the claims at the time and, to buttress its case, hired the consulting firm Kivu to evaluate how it collects drone data and what it does with said data. While the full text of the report isn’t available, DJI says it supports the company’s claim that it is not sending user data, images or other information back to China. A summary of Kivu’s findings can be found here.
In a statement released to announce the findings, DJI said the report “confirmed DJI did not access photos, videos or flight logs generated by the drones unless drone operators voluntarily chose to share them.”
“This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI Managing Director, North America, in the company statement. “This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”
Analysts at Kivu independently purchased the DJI Spark, Mavic, Phantom 4 Pro, and Inspire 2 drones for their test and ran the DJI Go 4 app on both an Apple and an Android phone. According to Kivu, the company “then employed various forensic analysis techniques to view and analyze the data collected on the drones as well as the GO 4 application. While operating the drones, Kivu captured all network data to collect any data transmitted by the GO 4 application to the Internet.”
Kivu also analyzed the servers utilized by DJI to store transmitted user data, including those from Amazon and Alibaba, and spoke with company engineers based in the U.S. and China to learn about product, software and information security practices. They were given access to DJI’s iOS and Android GO 4 code repositories as well.
Long story short, as far as Kivu could determine, DJI was not sending information to Chinese servers and the company’s security management practices on its servers were up to snuff.
Haye Kesteloo at DroneDJ has had a closer look at the full report and while stating the obvious caveat (DJI paid Kivu for its work), says that it looks like DJI is indeed a good steward of user data and there’s no obvious siphoning off of information for China’s security services. Of course, a careful Chinese cyber-espionage campaign using DJI products or software may be too hard for a private analytical firm to detect, especially one being paid by the allegedly offending party. On the other hand, DJI seems to have been genuinely open and transparent with Kivu. Given the size of the U.S. market, they have an obvious incentive to play it straight.