It is unclear what DJI does with that information, but presumably, DJI is using it to gain valuable information on its consumer’s habits. However, because drones are being used more and more for commercial enterprises, such as 3D mapping, inspections, etc., it is plausible that valuable information about U.S. infrastructure could be collected and stored by DJI. The U.S. Army is not taking any chances that such information could fall into the wrong hands or be susceptible to a cybersecurity attack.
The National Oceanic and Atmospheric Administration (“NOAA”) recently analyzed the cyber threat posed by one of DJI’s higher-end drones, the S-1000. While the NOAA ultimately found that there was nothing improper about way it handled data, one of the authors tested his DJI Phantom 3 and found that it was sending encrypted data back to DJI to an unknown location.
DJI is, after all, a private corporation. We have seen in recent months how private corporations can be vulnerable to attack – HBO, for example, is currently dealing with the fallout from a cybersecurity breach. Here, because the nature and extent of the information collected by DJI is unknown, the resulting impact of a breach could have national security implications.
Jonathan Ash is a partner in the firm’s Labor & Employment Department, resident in its Princeton office.