Analysis

The relationship DJI Technologies has with data-sharing services in the U.S. is a risk underscoring the inadequacy of wholesale device bans.

The American government is moving to push DJI Technologies off the playing board, with a bill that seeks to add DJI and Chinese-crafted drones to covered communications lists. Ban bills are in the works even as DJI spends big-ticket lobby dollars on maintaining its market position. Whatever the battle lines for or against DJI’s continued business in the United States, however, ban motives have run into a cloud-sized inadequacy problem.

DJI at the Center of a Political ‘Protectionist’ Tug of War

The American drone market is caught in a Catch-22. DJI Technologies corners the market in terms of popularity and performance, and yet the DJI drone is also the object of heated controversy and select national security ban advisories, and is already banned in Florida by the Ron DeSantis gubernatorial administration.

The American Drone Industry Responds

The bans have drawn the ire of the American drone industry, whose members collectively call out the American government for “protectionism” and for efforts to crowd DJI out of the market in favor of American-made drone technology, which has fallen behind the higher performance of models such as DJI’s.

“Several lawmakers are proposing a delayed ban of DJI. If DJI is a national security threat, why continue to allow them to operate for 2, 3, or even 6 more years?” Greg Reverdiau, Co-Founder and Lead Instructor of the Drone Pilot School, explained to Frontsight Media in an emailed response to questions regarding the ban. Reverdiau warned that a wholesale ban would be “catastrophic” to the American commercial drone industry, separating drone pilots from vital equipment. The Drone Pilot School is working with The Drone Advocacy Alliance to prevent wholesale DJI bans, feeling strongly that they are not in the best interest of the American public.

Motives For the Ban

In contrast, the American government feels that the bans are justified and that they will protect American national interests by preventing Chinese nationals from accessing American commercial and civilian user data. The American government is seeking a drone ban because of a policy within China called the Military-Civilian Fusion Program, which the U.S. State Department describes as an “aggressive national strategy” of the CCP which has the goal of enabling the PRC to build the most technologically advanced military in the world by eliminating barriers between civilian technological research and military application.

The Military-Civilian Fusion Program has seen stronger cooperation between Chinese privately owned companies and the Chinese government, whose policies also allow for broad access to private company data that would violate the laws of a democratic government but is possible under the control of China’s authoritarian government. In the case of DJI in particular, documents have exposed a direct link between the company and the Chinese government, The Washington Post reported in February 2022.

DJI’s Response

Debates have heated up following the U.S. Congress’s decision to ban TikTok in the U.S., bringing new attention to the eventuality that DJI will face its own ban. DJI has previously weighed in on its potential ban, responding with contempt for criticisms of privacy concerns made by Western cybersecurity agencies, and following up pledges to ensure user privacy with a series of measures. Even under renewed scrutiny, the company maintains that it upholds these pledges and will continue to do so.

Bans Fail To Address the Problem of Unbanned Entities That DJI Synced Data With

Whatever the motive for or against DJI drone bans, a closer analysis finds that the proposed legislation is inadequate in the face of the real national security issue at play. As China’s commercial sector moves into closer cooperation with the Chinese government, the real issue at the core of the drone ban discussion is how Chinese-manufactured devices and software harvest data, share data with legitimate businesses, and then transfer data harvested from those legitimate businesses, which will remain unbanned after DJI Technologies is gone, to members of the Chinese Communist Party.

In the specific case of drones, the relationship between data sharing, foreign governments, and drone devices is a security risk to critical infrastructure, observed overtly in the use of DJI drones paired with building inspection software, software that identifies the weaknesses in residential and commercial properties to identify where repairs should be made.  

A Use Case: AWS Applies DJI SDK To Building Inspection

At the Amazon Web Services day in Los Angeles, in May 2024, Amazon employees showed Frontsight Media a specific instance where a DJI drone has been paired with Amazon EC2 software and natural language modeling to experiment with operating drones remotely through generative AI. The natural language model processing monitor sent commands to the DJI manual controller through a connection facilitated by a DJI Technologies SDK.

Frontsight Media was allowed to pilot the drone within a net, as a game that was part of the event. The objective of the game was to guide the drone through a smart building inspection process. Typing prompts to a monitor, the observer was allowed to steer the drone between QR codes, which, in the simulation, were prompts for checking a building’s infrastructure for damage and other possible issues that needed updating.

The issue here is that American domestic companies, such as Amazon, proactively sync data with the blacklisted DJI. The potential for data to leak through this interaction between a legitimate company and one the government is considering banning showcases the problem with simply removing the troublesome device from the equation. In the case of AWS and DJI's interface, data shared between the two entities could have already been harvested by a nation-state actor, which would then in turn find creative ways to make use of it, even if a ban were enacted immediately. As Reverdiau noted, the continued operation of DJI while a ban is deliberated means that these data interactions are continuing to take place, in a framework that operates at a bigger, stickier scale than simply eliminating DJI from the mix.

A Question of Drone Data Sharing Jeopardy

Security complaints against DJI go back at least a few years, to applications traced to the company that Western analysis found objectionable.

Data Risk Example: Synacktiv-DJI Controversy 2020

DJI’s software has itself been a subject of controversy. In 2020, the French cybersecurity firm Synacktiv released a report warning of software vulnerabilities in the DJI Drone Pilot App. DJI vehemently decried the report in a scathing statement, released on the same day as Synacktiv’s security report, that called the review “false claims” and “a poor understanding” of the software.

Synacktiv had released another report in July that had picked apart concerns over DJI’s failure to improve its summer 2020 cybersecurity performance, despite being under global scrutiny to improve its transparency.

“After de-obfuscation, our research located two features of the software that call home and wait for a file that orders the user’s phone to install a forced update or install a new software. This mechanism is very similar to command and control servers encountered with malwares. Given the wide permissions required by DJI GO 4 (access contacts, microphone, camera, location, storage, change network connectivity, etc.), the DJI or Weibo Chinese servers have almost full control over the user’s phone,” the Synacktiv report in July 2020 states.

“This way of updating an Android App or pushing a new app completely circumvents Google feature module delivery, or in-app updates. Google is not able then to do any verification on updates and modifications pushed by DJI. According to Google Play, the application has been installed on more than a million personal devices, suggesting any security risks are widespread,” the report continued.

Synacktiv’s full report additionally found that the DJI GO 4 app collected excessive personal data and had hidden update mechanisms that bypass Google Play protections. These features grant DJI or affiliated servers extensive control over users' devices. Despite previous scrutiny, Synacktiv stated that DJI had not improved transparency or security at that time. Users were then advised to be cautious due to potential data misuse and unauthorized control. This history of aggressive personal data harvesting has contributed to the growing scrutiny of the company, as data sharing grows in sophistication, with the implications of breaches more advanced in 2024 than in 2020.

In 2024, DJI has stated that it has a renewed and continuing commitment to addressing security concerns and to transparency, developing a new “trust center” and releasing a white paper to that end.

The Militarized Nature of DJI Drones

One standout issue of DJI drones in particular is their sudden fusion into combat strategy. Because commercial drones once intended for everything from hobbyist flights to Hollywood film creation have now become machines of war, they must be observed within the architecture of changing warfare dynamics.

DJI As a Direct Combat Tool

DJI's latest drone model, though designed for commercial purposes, has significant implications for military uses. The drone boasts high stability, precision, and long-range operations, making it attractive for surveillance and reconnaissance missions. Despite its non-military design intentions, the drone's potential for altering modern warfare tactics highlights the dual-use nature of advanced drone technology.

Battlefield Drone Operators' Preference For DJI

Ukraine continues to purchase DJI drones for its defense efforts, despite the manufacturer’s prohibition on sales to military entities. Last year, Ukrainian Prime Minister Denys Shmyhal claimed Ukraine acquired 60% of DJI’s Mavic drone production, which DJI denies. The drones, used for surveillance and reconnaissance, highlight the dual-use nature of commercial technology in conflict zones. The situation underscores the complexities of controlling technology exports amid geopolitical tensions.

Use Cases Across the Conflict Zone

The use of drones in the Ukraine conflict has, since last year, been noted as having a significant impact on modern warfare as a whole. Both commercial and military drones are being utilized for reconnaissance, surveillance, and even direct combat roles. The widespread availability and adaptability of drones like the DJI Mavic have allowed Ukrainian forces to employ them effectively against Russian advancements, showcasing the changing dynamics of technological warfare. This development highlights the dual-use nature of drone technology and its profound impact on contemporary military strategies.

On the front in the Ukraine-Russia war, drones are used for reconnaissance, targeting, and direct combat. Despite international tensions and restrictions, both Ukrainian and Russian forces have relied heavily on commercially available Chinese drones, The New York Times reported late last year.

AI-Empowered Battlefield Operations

By contrast, U.S.-made drones have faced significant challenges in the Ukrainian conflict, leading Kyiv to seek Chinese-manufactured alternatives. According to the Wall Street Journal, American UAVs have struggled with issues such as high costs and technical faults, problems they similarly face in the U.S. commercial space, and have faced additional vulnerability to Russian jamming and GPS blackouts on the battlefield. Drones from companies like Skydio and AeroVironment have been found fragile and ineffective. Chinese DJI drones, on the other hand, have proven to be more reliable and cost-effective, prompting Ukraine to rely heavily on them despite DJI's restrictions on sales to militaries. This shift underscores the limitations of US drone technology in high-intensity conflicts.

Correlation Risks

Natural language processing sync-ups and AI also empower drones to carry out informed data collection on the commercial front, as observed in Amazon’s syncing of the DJI drone SDK to a generative AI model for building inspection. If the data of drone pilots in Ukraine’s combat zone is exposed to DJI’s SDK in the same way that Synacktiv discovered commercial drone user data was exposed through applications, then the DJI company, and by proxy the Chinese government, can collect large amounts of data from real battlefields on how attacks are conducted on buildings in urban warfare settings.

Potential Pretext of Would-Be Abuse Case Scenarios

By that same logic, if DJI Technologies could exploit user data in the way that Synacktiv traced through the aggressive behavior of a previous version of a DJI app, then it could potentially do the same to a DJI drone connected to a generative AI building inspection software model. In this case, the building inspection software’s purpose is to identify the weaknesses in infrastructure to inform its repair. However, if militarized, this technology could instead be applied to collect data on infrastructural weaknesses in American high rises and identify areas where an attack could lead to a catastrophic failure within a structure, maximizing the impact of an attack on an area. This would be an example of an attack on critical infrastructure, a category of attack that reportedly rose by 140% in 2023, as attacks on OT systems led to real-world consequences such as flight delays, fires, and outages of power resources, Security Intelligence wrote.

Analysis Findings: Ban Measures Not Enough For Data Accountability

A mere ban on DJI Technologies in the United States may not be enough to stall the real threat from Chinese nation-state militarization of its domestic commercial technology in the United States. The true national security issue lies in the way that data is collected, and in aggressive misuses of U.S. data privacy laws and protections, including the protections that DJI itself has pledged to add to its software, which in the wrong hands and for the wrong motivations could pose critical infrastructure and civilian identity risks to the United States.

Critics of the motion to ban the drone have called it no more than a political measure, also referring to it as "bad and unnecessary policy". Whether it is intended to be pro national security or is indeed merely a political maneuver, the ban's impact on national security will be dead on arrival without adequate measures to address what is fundamentally at risk in terms of commercial optic devices shared with China as a near-peer power competitor.

In Conclusion: For or Against Votes For a Drone Ban Limit Drone Data Accountability Discourse

The exploitation of legitimate systems and device syncs to harvest civilian and commercial data for malignant or militarized purposes is the true underlying risk factor to national security from China-linked drones. The means by which such exploits could be carried out are nuanced and varied.

While no succinct definition of a motive to malignantly use legitimate drone industrial services against the American people was observed in gathering this report, the scenarios for how drones are commercially used, when observed against how drones are used on the battlefield, showcase a situation where drones could be a convenient asset for gathering prime vulnerable data against the public.

Brief Recap:

Arguments for a ban in the interest of national security are founded in documented links to the Chinese government, coupled with records of software abuse allegations that make dismissing the concept behind the legislation more difficult for lawmakers and concerned citizens than a mere write-off of bad policy. However, the stakes of any potential DJI ban will be costly for the drone industry, and a wholesale ban may fail to come near satisfying the actual need.