The DOI (Department of the Interior) agrees to buy UAVs from 3DR, a U.S. firm. No similar announcement from DJI, lending credence to my earlier reporting (here and here) on an apparent decision not to buy DOI products, possibly due to cyber security concerns.
On Friday I wrote a post entitled “Dept. of Interior Bans use of DJI products due to national security concerns.” DOI did not ban anything, but it is a) clear that DJI can collect sensitive information and b) that it is reasonable to assume that the DOI is unlikely to buy any products that have the ability to send telemetry about their sensitive sites to servers in China.
DJI has completely legitimate reasons for wanting to collect telemetry information from as many of its products as possible for sales, marketing, and most importantly, product support and development reasons. I agree with and support this desire.
Lest you think that DJI does not collect such data, the following is from a DJI legal document that a user must sign to unlock geofences:
The Recipient further understands and agrees that his data including, but not limited to, flight telemetry data and operation records could be uploaded to and maintained on a DJI-designated server under certain circumstances.
Can we agree that DJI would not include such language if they didn’t have the ability to collect the data?
When you choose to self-authorize or “unlock” flight operations on DJI hardware control applications (including DJI Go (the “DJI Go App”)) in locations that are categorized by DJI’s Geospatial Environment Online system as raising safety or security issues, we collect and retain geolocation information relating to your decision.
The two documents appear to be out of sync on what is, or may be, collected. I think it is time for some forensic analysis.
As I mentioned in the earlier post, DJI could add an “opt in” mechanism as many other products do and also fully document what is collected and when. Relatively easy to do, and would set a very good example.
DOE and corporate
DOE, and private companies, have completely legitimate reasons for not wanting telemetry information, particularly around sensitive areas, sent to servers in China owned by a Chinese corporation. China, and many other countries, uses commercial data as part of its intelligence programs. Why hand them such data on a platter?
A partially redacted email message appeared on Twitter supposedly refuting the email message from Dennis Bosak SSA. Here is that message:
So, “banned” was not the correct word. DOI does not ban products.
Please note – in a letter specifically addressing my original post the author ignores the two most important issues – do DJI products collect and send telemetry to China, and is the DOI concerned about the cyber security implications of such practices. The author is strangely silent on these points.
I think it is safe to assume that DOI will not buy products that send potentially sensitive data to servers in China.
If DJI wants to sell to DOI, and other government agencies, they will need to address this issue. Further, they must address this issue for everyone because commercial users certainly would prefer that information about their sensitive sites isn’t shared with potential competitors and intelligence agencies.
DOI didn’t ban DJI products. DJI does have the ability to collect information you might not want to share with them or with intelligence services. This is not unique to DJI by any means and many other firms face similar challenges. Addressing them in the design phase is more expensive up front but in the long run saves money on development, legal, PR, and sales. Bake security into the products, don’t bolt it on later when you have an issue.
In this case, if you want to collect sensitive information, do so via in country servers with appropriate legal protection for the owners of the data. And don’t argue semantics while avoiding the tough questions about cyber security.
For some additional thoughtful insight on the matter, I refer you to Christopher Korody’s reporting on the matter. Very much worth reading, in this specific instance but on UAV matters for many years.
The quoted post, below, appeared on the Facebook group “Commercial sUAS Operators” on July 7th. It was taken down very rapidly and no further discussion on the topic appeared. I spoke with Dennis Bosak SSA this morning and he confirmed the statement as written. Any further details must be requested in writing.
Another story is circulating that the DOI has either retracted the ban or it was never in place. However no copy of that memo can be made available and Mr. Bosak stood by his statement as of 0730 this morning.
To summarize, the Department of the Interior is banning any internal use of DJI products due to concerns about the product’s automatic uploading of telemetry and other information to DJI servers during firmware updates.
Last year I developed a presentation on cyber security and consumer/commercial UAVs. In that presentation I noted that we are self selecting areas of interest – test crops, critical infrastructure, disaster sites, … – and sending highly detailed information about these sites to often poorly understood cloud infrastructure.
Apparently, according to this post, the Department of the Interior has also identified this risk. Worse, it appears that DJI products are automatically sending sensitive telemetry information to their own servers. As the following announcement notes, DJI is a Chinese firm and some conclusions must be considered.
Many applications collect profile and debugging information for legitimate purposes. Most of those applications give the user an opt-in option. DJI could quickly defuse this situation by releasing an update that provides this option while also demonstrating that all such communication has been terminated. Regaining the trust of their clients, and of the U.S. Government, may be more difficult.
DJI is just one vendor. There are many others, hardware, software, and service. What are these vendors doing with the data you are collecting about your potentially sensitive sites?
OAM – Office of Acquisition Management
DOI – Department of the Interior
OAM had a telecom this morning with the aviation manager at DOI.
During that conversation we learned that they have banned the use of DJI products (which include the popular Phantom and Inspire aircraft) as they discovered that their products record telemetry information, to include routes flown, altitudes, etc., and send that recorded information to DJI each time the aircraft is plugged into a computer to perform a software/firmware update. As DJI is a Chinese company the security issue is readily apparent.
OAM highly recommends that, before choosing any particular aircraft, from any manufacturer, especially those that might be used for sensitive purposes, that your technical people fully understand what information may be transmitted, to whom it might be transmitted to, and whether it matters to your program.
Please distribute this information as widely as possible.
Dennis Bosak SSA
Department of the Interior
Office of Law Enforcement and Security
1849 C Street NW
Washington DC 20240
Working with Greg Dominguez and Cindy Murphy, we updated my UAV Forensics presentation from last year to address the Phantom P3, it’s additional data sources, some new tools for analyzing data, and our first pass at JTAG analysis.
Greg and I gave the presentation at Techno Security in June and a PDF version is attached here: UAV Forensics -TS16-final distribution
After consulting with a UAV lawyer and an FAA representative, I believe that:
- Public Agencies (PAs) still have to operate under a COA
- PAs can also operate non-Public Agency Operations (PAOs) under Part 107.
See pages 61-68 of the Rule for details
If a PA wishes to examine the roof of the court house for hail damage, a Part 107 operator working for the PA can perform the task.
If a PA wishes to conduct a SAR mission, or fly a UAV in support of fire fighting operations, they need a COA or to contract with a 333 exempt operator with the appropriate COA.
[The following was written in my role as the Advocacy Director for the National Association of Search and Rescue. A PDF version is available here – Public Agency SUAS-final.]
This is an interpretation of information in the Advisory Circular 00-1.1A “Public Aircraft Operations” and refers to Title 14 of the Code of Federal Regulations (14 CFR); and Title 49 U.S.C. §§ 40102(a)(41) and 40125.
Public agencies and civil operators are encouraged to retain their own attorney to review this interpretation.
After consultation with a UAV lawyer and their FAA consultant, we believe that civil aircraft operators may fly UAVs in support of government entities (public agencies) if the following conditions are met:
- The public agency has a COA
- A contract exists between the public agency and the civil aircraft operator
- A one time declaration is filed with the FAA by the public agency
- The mission(s) flown are purely public service
- The public agency makes a determination before each mission that the mission is public serving
If these conditions are met, any civil operator regardless of certifications may operate a UAV in support of the public entity under the requirements set forth by the public entity and its COA.
CAUTIONARY NOTE: The civil operator is not required to have a 333, or to have passed the certification described in (proposed) Part 107 in these circumstances. However, the agency can and should require a 333 or the certification described in Part 107, as a requirement of the contract with the civil operator.”
It is extremely important to note that:
- The public agency must have a COA.
- This is transferring almost all risk, responsibility, and liability for certification, experience, training, etc. from the FAA to the public agency.
- There must be a contract in place between the public agency and the civil operator (it is recommended that the contract include a requirement for the civil operator to hold a 333 or part 107)
- The declaration names a specific government official and contract that covers the relationship
It is of vital importance that the public agency maintains control of the operator of the UAV and of the missions. The liability completely falls on the public agency. There is great risk if an agency enters into this relationship without a complete understanding of the risks associated with it.
This is spelled out in more detail in Advisory Circular 00-1.1A “Public Aircraft Operations” and refers to Title 14 of the Code of Federal Regulations (14 CFR); and Title 49 U.S.C. §§ 40102(a)(41) and 40125.
[An FAA presentation on this topic is available here – FAA Public Aircraft Presentation.]
Quoting from a widely distributed email. I work on one UAS ASTM effort to type Small UAS. Here are their other efforts. Of particular interest is F2908 “Specification for Aircraft Flight Manual (AFM) for a Small Unmanned Aircraft System (sUAS).”
Small UAS Operations
ASTM International Committee F38 on Unmanned Aircraft Systems has recently approved seven new standards that cover all major facets of small unmanned aircraft systems operations, including design, construction, operation and maintenance requirements.
The following seven new ASTM standards, written for all sUAS that are permitted to operate over a defined area and in airspace defined by a nation’s governing aviation authority, have now been approved by F38:
F2908, Specification for Aircraft Flight Manual (AFM) for a Small Unmanned Aircraft System (sUAS). F2908 defines minimum requirements for the aircraft flight manual, which provides guidance to owners, mechanics, pilots, crew members, airports, regulatory officials and aircraft and component manufacturers who perform or provide oversight of sUAS flight operations.
F2909, Practice for Maintenance and Continued Airworthiness of Small Unmanned Aircraft Systems (sUAS). F2909 establishes a practice for the maintenance and continued airworthiness of sUAS. Requirements for continued airworthiness, inspections, maintenance and repairs/alterations are included.
F2910, Specification for Design and Construction of a Small Unmanned Aircraft System (sUAS). F2910 defines the design, construction and test requirements for sUAS. In addition to general requirements, F2910 covers requirements for structure, propulsion, propellers, fuel and oil systems, cooling, documentation and other key areas.
F2911, Practice for Production Acceptance of Small Unmanned Aircraft System (sUAS). F2911 defines production acceptance requirements for sUAS. Requirements covered include several aspects of production, system level production acceptance, quality assurance and documentation.
F3002, Specification for Design of the Command and Control System for Small Unmanned Aircraft Systems (sUAS). F3002 provides a consensus standard in support of an application to a nation’s governing aviation authority to operate an sUAS for commercial or public use. The standard focuses on command and control (C2) links, including a diagram of a C2 system and general requirements for C2 system components.
F3003, Specification for Quality Assurance of a Small Unmanned Aircraft System (sUAS). F3003 defines quality assurance requirements for design, manufacture and production of small unmanned aircraft systems. Guidance is given to sUAS manufacturers for the development of a quality assurance program.
F3005, Specification for Batteries for Use in Small Unmanned Aircraft Systems (sUAS). F3005 defines requirements for battery cells used in sUAS. Mechanical design and safety, and electrical design battery maintenance are primary battery-related areas that are covered.
“The introduction of these standards developed by F38 will help to provide a safe and appropriate path for near-term routine sUAS operations in airspace systems of the United States and other countries,” says Theodore Wierzbanowski, chairman F38.
Committee F38 encourages participation in its standards developing activities. “The user community for these standards is vast,” says Wierzbanowski. “Feedback on what works and what doesn’t during these early stages of sUAS operation is critical.”
F2908 is under the jurisdiction of F38.03 on Personnel Training, Qualification and Certification, and F2909 was developed by F38.02 on Flight Operations. The other five new standards are under the jurisdiction of F38.01 on Airworthiness.