Spies in the Skies

Drones are already enormously controversial gadgets. Sure, we all love seeing videos of time-lapse Burning Man projects or dolphins frolicking with surfers. But drones cause hassles for rescue aircraft, they photograph people without permission, and they’re a noisy nuisance.

But there might be a much bigger problem with drones: A federal agency recently charged that a popular brand of drones is secretly spying on behalf of the Chinese government. The San Francisco Public Utilities Commission took that allegation seriously enough that it’s halting all drone use for now.

The sudden controversy comes from an explosive Nov. 29 New York Times report on Da Jiang Innovations (DJI), the world’s largest drone manufacturer.

“DJI is fighting a claim by one United States government office that its commercial drones and software may be sending sensitive information about American infrastructure back to China,” the Times reported.

In the aftermath of that report, the S.F. Public Utilities Commission (SFPUC) has suspended its use of DJI drones and is conducting an investigation into the devices. The SFPUC started using drones in July to inspect construction sites and wildlife habitats.

“At the time the New York Times article came out, we had completed most of our scheduled drone use,” SFPUC spokesperson Tyler Gamble tells SF Weekly. “Out of an abundance of caution, we’ve taken the opportunity to pause future drone use and make a determination as to whether or not we need to make any changes to our program.”

Gamble stresses the SFPUC is not abandoning the drone program or DJI. “We have not made a policy decision one way or the other at this time,” he says.

The S.F. Fire Department, the Port of San Francisco, and the Recreation and Parks Department are also authorized to use drones. Those departments also have to comply with what sounds like a fairly rigorous set of privacy guidelines.

“Departments must have an authorized purpose to collect information using a drone, or use drone-collected information,” the city notes in its employee drone policy. “Should information be incidentally collected that could be used to identify persons or private information, Departments must remove all personal identifiable information from raw data footage.”

Yet the problem isn’t what’s happening in San Francisco, but what’s happening on DJI’s Chinese-owned cloud servers.

The spying charges were reported by The New York Times, but the allegation comes from U.S. Immigration and Customs Enforcement (ICE). In an unclassified letter dated Aug. 9, 2017, ICE warned it “assesses with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government.”

ICE also said DJI was “selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.”

DJI is a huge drone brand name here in San Francisco. Its North Beach store is like a Rolls-Royce showroom for drones, with models ranging from $400 to $4,000. The company also has a Westfield Centre location with its own drone flying cage.

These DJI stores don’t specialize in the “enterprise” drones used by big businesses and government institutions, but their consumer drones work similarly. Controlled via smartphone or tablet apps with names like DJI GO and Sky Pixels, they access your camera, your microphone, and your GPS location, just as most apps do — even if you’re a government employee on a government-issued phone.

ICE thinks DJI goes a step too far, claiming they can also “register facial recognition data even when the system is off, and access users’ phone data.” Consider that these drones are used by the highest-level U.S. government, communications, and security companies, and that an app’s default data-sharing settings are always most generous to the manufacturer.

ICE argues that “DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access.” They also have “high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.”

We should take into account that ICE has something of an anti-international bent under the Trump administration. We should also note that ICE admits their most explosive allegations come from a “reliable source within the unmanned aerial systems (UAS) industry with first and secondhand access.”

DJI argues that the intelligence assessment comes from an ill-informed competitor.

“The bulletin is based on clearly false and misleading claims from an unidentified source,” the company said in a statement. “DJI further urged ICE to consider whether the source of the allegations may have had a competitive or improper motive to interfere with DJI’s legitimate business by making false allegations about DJI.”

The drone maker argues all of ICE’s claims “can be easily disproven with a basic knowledge of technology and the drone industry, or even a simple internet search.”

That may be. But a simple internet search also shows that DJI accidentally exposed U.S. government and military account drone data in a security breach reported by Ars Technica within the last month. And in August, DJI was unaware that a third-party plug-in called JPush was collecting many of its users’ data — without user permission or even the company’s knowledge.

In other words, the world’s largest surveillance drone company had been hacked by amateurs and app developers twice in the past five months. Is their security any match for the Chinese government, particularly if DJI’s headquarters is in Shenzhen, China?

Even the Pentagon has ordered the entire U.S. military to stop using DJI drones over these surveillance and espionage concerns. A U.S. Army memo dated Aug. 2, 2017 demands that “due to increased awareness of cyber vulnerabilities associated with DJI products, it is directed that the U.S. Army halt use of all DJI products.”

The Army doesn’t just ask personnel to stop using the drones; it has a pretty hardcore set of instructions for dismantling the drones and wiping any supporting applications off staff devices. The memo instructs members to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

In response to the backlash, DJI rolled out a new Local Data Mode in August that they insist will not upload your footage or tracking information to company servers. They say that a drone in Local Data Mode “will stop sending or receiving any data over the internet, giving customers enhanced assurances about the privacy of data generated during their flights.”

Maybe Local Data Mode will protect drone pilots from any risky forms of surveillance. Maybe the facial recognition features, microphones, and GPS tracking really are turned off when the drone owner doesn’t want them on. But do we know this? Or are we simply taking a multinational corporation’s word for it?

Drones are going to be a very popular holiday gift again this year. But if you’re buying someone a drone, think about its surveillance powers, its monitoring of personal smartphone data, and how this data may be accessible to foreign governments. And then consider to whom you’re giving this gift.