On Friday I wrote a post entitled “Dept. of Interior Bans use of DJI products due to national security concerns.” DOI did not ban anything, but it is a) clear that DJI can collect sensitive information and b) that it is reasonable to assume that the DOI is unlikely to buy any products that have the ability to send telemetry about their sensitive sites to servers in China.
DJI has completely legitimate reasons for wanting to collect telemetry information from as many of its products as possible for sales, marketing, and most importantly, product support and development reasons. I agree with and support this desire.
Lest you think that DJI does not collect such data, the following is from a DJI legal document that a user must sign to unlock geofences:
The Recipient further understands and agrees that his data including, but not limited to, flight telemetry data and operation records could be uploaded to and maintained on a DJI-designated server under certain circumstances.
Can we agree that DJI would not include such language if they didn’t have the ability to collect the data?
When you choose to self-authorize or “unlock” flight operations on DJI hardware control applications (including DJI Go (the “DJI Go App”)) in locations that are categorized by DJI’s Geospatial Environment Online system as raising safety or security issues, we collect and retain geolocation information relating to your decision.
The two documents appear to be out of sync on what is, or may be, collected. I think it is time for some forensic analysis.
As I mentioned in the earlier post, DJI could add an “opt in” mechanism as many other products do and also fully document what is collected and when. Relatively easy to do, and would set a very good example.
DOE and corporate
DOE, and private companies, have completely legitimate reasons for not wanting telemetry information, particularly around sensitive areas, sent to servers in China owned by a Chinese corporation. China, and many other countries, uses commercial data as part of its intelligence programs. Why hand them such data on a platter?
A partially redacted email message appeared on Twitter supposedly refuting the email message from Dennis Bosak SSA. Here is that message:
So, “banned” was not the correct word. DOI does not ban products.
Please note – in a letter specifically addressing my original post the author ignores the two most important issues – do DJI products collect and send telemetry to China, and is the DOI concerned about the cyber security implications of such practices. The author is strangely silent on these points.
I think it is safe to assume that DOI will not buy products that send potentially sensitive data to servers in China.
If DJI wants to sell to DOI, and other government agencies, they will need to address this issue. Further, they must address this issue for everyone because commercial users certainly would prefer that information about their sensitive sites isn’t shared with potential competitors and intelligence agencies.
DOI didn’t ban DJI products. DJI does have the ability to collect information you might not want to share with them or with intelligence services. This is not unique to DJI by any means and many other firms face similar challenges. Addressing them in the design phase is more expensive up front but in the long run saves money on development, legal, PR, and sales. Bake security into the products, don’t bolt it on later when you have an issue.
In this case, if you want to collect sensitive information, do so via in country servers with appropriate legal protection for the owners of the data. And don’t argue semantics while avoiding the tough questions about cyber security.
For some additional thoughtful insight on the matter, I refer you to Christopher Korody’s reporting on the matter. Very much worth reading, in this specific instance but on UAV matters for many years.
The quoted post, below, appeared on the Facebook group “Commercial sUAS Operators” on July 7th. It was taken down very rapidly and no further discussion on the topic appeared. I spoke with Dennis Bosak SSA this morning and he confirmed the statement as written. Any further details must be requested in writing.
Another story is circulating that the DOI has either retracted the ban or it was never in place. However no copy of that memo can be made available and Mr. Bosak stood by his statement as of 0730 this morning.
To summarize, the Department of the Interior is banning any internal use of DJI products due to concerns about the product’s automatic uploading of telemetry and other information to DJI servers during firmware updates.
Last year I developed a presentation on cyber security and consumer/commercial UAVs. In that presentation I noted that we are self selecting areas of interest – test crops, critical infrastructure, disaster sites, … – and sending highly detailed information about these sites to often poorly understood cloud infrastructure.
Apparently, according to this post, the Department of the Interior has also identified this risk. Worse, it appears that DJI products are automatically sending sensitive telemetry information to their own servers. As the following announcement notes, DJI is a Chinese firm and some conclusions must be considered.
Many applications collect profile and debugging information for legitimate purposes. Most of those applications give the user an opt-in option. DJI could quickly defuse this situation by releasing an update that provides this option while also demonstrating that all such communication has been terminated. Regaining the trust of their clients, and of the U.S. Government, may be more difficult.
DJI is just one vendor. There are many others, hardware, software, and service. What are these vendors doing with the data you are collecting about your potentially sensitive sites?
OAM – Office of Acquisition Management
DOI – Department of the Interior
OAM had a telecom this morning with the aviation manager at DOI.
During that conversation we learned that they have banned the use of DJI products (which include the popular Phantom and Inspire aircraft) as they discovered that their products record telemetry information, to include routes flown, altitudes, etc., and send that recorded information to DJI each time the aircraft is plugged into a computer to perform a software/firmware update. As DJI is a Chinese company the security issue is readily apparent.
OAM highly recommends that, before choosing any particular aircraft, from any manufacturer, especially those that might be used for sensitive purposes, that your technical people fully understand what information may be transmitted, to whom it might be transmitted to, and whether it matters to your program.
Please distribute this information as widely as possible.
Dennis Bosak SSA
Department of the Interior
Office of Law Enforcement and Security
1849 C Street NW
Washington DC 20240