Earlier this month, the U.S. Army discontinued the use of DJI drones due to concerns over cybersecurity.  This follows NASA and the Department of Energy who also prohibit the use of DJI drones for similar reasons.  DJI, a China-based company, is the world’s largest drone manufacturer and has a whopping 70 percent market share.  Under DJI’s privacy policy, users agree that DJI has the right to collect information from flights, including photos, videos, and location information.

It is unclear what DJI does with that information, but presumably, DJI is using it to gain valuable information on its consumer’s habits.  However, because drones are being used more and more for commercial enterprises, such as 3D mapping, inspections, etc., it is plausible that valuable information about U.S. infrastructure could be collected and stored by DJI.  The U.S. Army is not taking any chances that such information could fall into the wrong hands or be susceptible to a cybersecurity attack.

The National Oceanic and Atmospheric Administration (“NOAA”) recently analyzed the cyber threat posed by one of DJI’s higher-end drones, the S-1000.  While the NOAA ultimately found that there was nothing improper about way it handled data, one of the authors tested his DJI Phantom 3 and found that it was sending encrypted data back to DJI to an unknown location.

DJI is, after all, a private corporation.  We have seen in recent months how private corporations can be vulnerable to attack – HBO, for example, is currently dealing with the fallout from a cybersecurity breach.  Here, because the nature and extent of the information collected by DJI is unknown, the resulting impact of a breach could have national security implications.


Jonathan Ash is a partner in the firm’s Labor & Employment Department, resident in its Princeton office.