DJI to offer data privacy option

DJI’s announcement came less than two weeks after a U.S. Army decision to ground all DJI drones (more than 300) in its inventory. It remains unclear exactly why the Army issued that Aug. 2 memo, a portion of which was published Aug. 4 by sUAS News, though the memo referenced a classified Army Research Laboratory report, “DJI UAS Technology Threat and User Vulnerabilities” dated May 25, along with a May 24 U.S. Navy memo on “operational risks” regarding DJI products.

DJI noted that it makes drones for “peaceful purposes,” and DJI drones are not designed or intended for military missions. The company emphasized that information sharing is voluntary, required only when users select automatic software updates, though it remains unclear exactly what data is transmitted by DJI products, or where it goes. A computer programmer for the National Oceanic and Atmospheric Administration told The Verge that a personal test using that programmer’s own DJI Phantom 3 quadcopter revealed encrypted traffic headed to servers in unknown locations.

In the Aug. 14 press release, DJI noted that the company’s flight control apps (such as DJI GO, which controls several different models including the Phantom, Mavic, and Inspire series drones) “routinely communicate over the internet to ensure a drone has the most relevant local maps and geofencing data, latest app versions, correct radio frequency and power requirements, and other information that enhances flight safety and functionality.”

Starting at the end of September, those DJI apps will be updated to incorporate a “local data mode,” which DJI said will prevent transmission of data from the mobile app controlling the drone to the internet.

“We're still determining which app will get it first. It will work for all drones that can be controlled by that app—in other words, it's app-based, not drone-based,” said DJI spokesman Adam Lisberg, in an email exchange with AOPA. “And it's also too soon to say how this will affect geofencing restrictions.”

DJI created the Geospatial Environment Online system to protect areas like airports, military installations, critical infrastructure, and other sensitive areas from overflight by DJI drones. Most users are prevented from operating in the no-fly zones, though authorized users can “unlock” certain no-fly zones, such as controlled airspace for which the FAA has issued a waiver authorizing a particular drone operation, after submitting proof of authorization to DJI. Flying a drone in such an “unlocked” area requires that the mobile device used to control the drone has an active internet connection. An active internet connection also allows DJI to quickly update the GEO system to include temporary flight restrictions that may be instituted without notice to limit flight near wildfires, as well as in advance of sporting events, or to protect VIP travel.

Halting online communication between flight control apps and DJI servers may complicate the geofencing equation, though the company took pains to make clear its commitment to privacy.

“We are pleased about how rapidly DJI’s customer base has expanded from hobbyists and personal drone pilots to include professional, commercial, government and educational users,” said Victor Wang, DJI director of safety technology, in the Aug. 14 news release. “As more of these customers have asked for additional assurances about how their data is handled, DJI has moved to address their needs by developing local data mode to provide enhanced data management options for customers who want to use them.”

DJI has long sought to assure customers that their privacy is protected, dating to a previous flurry of media attention on the topic that prompted the company to issue a public statement in April 2016 specifically refuting reports suggesting that DJI cameras feed images to the Chinese government in real time.

“When you fly a DJI drone, nobody but you can see the live video feed or the recorded video it generates—unless you decide otherwise,” the company stated then.

DJI noted in the Aug. 14 news release that the company does not collect or have access to user flight records, photos, or video unless the user syncs with DJI servers, uploads photos or video to the DJI Skypixel website, or sends the actual drone to DJI for service. The “local data mode” coming in September will add another layer of privacy protection, according to DJI Vice President of Policy and Legal Affairs Brendan Schulman.

“Local data mode will allow customers to get the most out of their DJI flight control apps while providing added assurance that critical data is not inadvertently transmitted over the internet,” Schulman said in the release. “We are pleased to be able to develop local data mode as part of our drive to serve our customers’ needs as well as advocate for their interests.”