|Drone Maker D.J.I. May Be Sending Data to China, U.S. Officials Say|
By PAUL MOZUR
New York Times
NOV. 29, 2017
A drone made by D.J.I. in a demonstration at the company’s headquarters in Shenzhen, China, last year. The company said accusations by the Immigration and Customs Enforcement agency that it shares sensitive information on American infrastructure with the Chinese government were false. Credit Qilai Shen/Bloomberg
SHANGHAI — D.J.I., the popular drone maker, stands as a symbol of China’s growing technology prowess. Its propeller-powered machines dominate global markets and buzz regularly over beaches, cityscapes at sunset and increasingly, power plants and government installations.
Now D.J.I. is fighting a claim by one United States government office that its commercial drones and software may be sending sensitive information about American infrastructure back to China, in the latest clash over the power of data in the growing technological rivalry between the two countries. It also shows how consumer technology companies have become increasingly central to debates about national security.
The company, formally named Da Jiang Innovations Science and Technology Company, put out a statement this month contesting the allegations made in a dispatch from United States customs officials. The memo, from the Los Angeles office of the Immigration and Customs Enforcement bureau, was dated in August but had begun to circulate online more recently.
It said officials had “moderate confidence” that the D.J.I.’s commercial drones and software are “providing U.S. critical infrastructure and law enforcement data to the Chinese government.” It cited what it called a reliable source, who it did not identify, in the drone industry “with first and secondhand access.”
In a statement, D.J.I. said the report was “based on clearly false and misleading claims.”
“The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions,” the company said.
The I.C.E. memo focused on the drones used by companies and institutions, not the drones flown by hobbyists in the United States and elsewhere. D.J.I. dominates the overall drone market, with a nearly two-thirds share in the United States and Canada, according to Skylogic Research, a drone research firm. To grow beyond hobbyists, the company has been targeting commercial customers, like utilities, law enforcement and property developers.
The allegations could not be independently confirmed, and a spokeswoman for I.C.E. declined to comment. In a statement to The New York Times, a D.J.I. spokesman said that users can control how much access the company can have to their data and that it shares data only “pursuant to appropriate legal process.”
The accusations point to a broadening debate in both the United States and China over how to secure vast data reserves that are being vacuumed up by commercial technology companies. Likened by metaphor-minded tech types to gold or oil, data has become a hugely valuable way to suss out market trends and target ads.
Now equipped with remote sensing technology to monitor crops, infrared scanners to scrutinize power lines, cameras and tracking systems, drones — much like smartphones — are the stuff of espionage dreams. Customers often have little knowledge of where their data might end up, experts said, while D.J.I. and others give themselves considerable leeway in the fine print of their user agreements to transfer data across borders.
American intelligence and political circles are beginning to consider how companies and governments manage the data they collect. Given that major Chinese companies must maintain close ties to the government, new China tech players like D.J.I. have raised particular concerns.
This summer, the United States Army issued guidance calling for forces to stop using D.J.I. drones because of unspecified security vulnerabilities.
Yet those worries have not spread widely to customers, according to Colin Snow, chief executive of Skylogic.
D.J.I. has said that consumers have total control over whether to upload data, such as flight plans and video, to the company’s servers. Credit Kin Cheung/Associated Press
“Only those few who use drones around critical infrastructure are concerned and chose not to use D.J.I.,” Mr. Snow said in an email. “The rest don’t care because of the price/benefit of D.J.I. aircraft.”
Chinese officials expressed similar concerns in the wake of Edward J. Snowden’s disclosures that American companies aid in Washington’s electronic espionage efforts. A recent cybersecurity law calls for companies like Microsoft and Apple to store data within China’s borders. Earlier this year Apple said it would build a new data center in China to meet that requirement.
The I.C.E. memo listed what it said were a number of examples of D.J.I. drones used in potentially sensitive areas. It said that a Department of Homeland Security facility built to study diseases that threaten American agriculture and public health used D.J.I. drones to assist with construction layout and security. The agency did not respond to a request for comment.
Newsletter Sign Up Continue reading the main story Interested in All Things Tech?The daily Bits newsletter will keep you updated on the latest from Silicon Valley and the technology industry, plus exclusive analysis from our reporters and editors.
The memo said in other cases, water reserves, power plants, rail hubs and other large-scale infrastructure were often monitored by Chinese-made drones.
“Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction,” the memo said.
D.J.I. said that consumers have total control over whether to upload data, such as flight plans and video, to the company’s servers. Yet like many apps, the company’s software encourages such uploads. D.J.I.’s app offers an automatic function to store user flight logs periodically, though it can be turned off. Out of concerns about data protection, the company added a feature last year that allows a drone pilot to cut off any connection to the outside internet while flying.
A new D.J.I. product set up to help large companies, government agencies, farms and law enforcement manage drones, uploads a large amount of critical data — like flight plans, video and location — to servers. D.J.I. said it was working out the terms of service for the product, and will likely include an option to allow companies to store data to their own servers.
Similar concerns have emerged in China over Apple’s products. In particular, state-run media have showed how the iPhone keeps track of a user’s commonly visited locations. Turning off the function requires a journey deep into the phone’s settings. Apple has said it has strong data privacy and security protections in place in China.
For D.J.I., questions about its data storage practices are not new. Last year company officials told The New York Times that it complied with Chinese government requests to hand over data it collects in China and Hong Kong.
More recently, one security expert recently outlined how D.J.I. left key digital information accessible to the public that could allow someone to look at customer data on its servers, including military and government flight logs. In a statement, D.J.I. said it hired an independent cybersecurity firm to investigate the report and the impact of any unauthorized access to consumer data.
Dan Tentler, founder of Phobos Group, a computer-security company, said such weaknesses were often a bad sign.
“In my experience doing security assessments I’ve never found a massive pile of egregiously staggering security problems somewhere to then find a shining, palace of hardened impenetrable security elsewhere in the org,” he wrote in a Twitter message.
In terms of companies with major security vulnerabilities in one part of the company, he added, “it’ll be a Dumpster fire the whole way through.”
Correction: November 29, 2017
An earlier version of this article gave the wrong surname for the chief executive of Skylogic, a drone research firm. He is Colin Snow, not Pine.
Follow Paul Mozur on Twitter: @paulmozur
A version of this article appears in print on November 30, 2017, on Page B1 of the New York edition with the headline: Drone Maker From China Clashes With U.S. Over Data.