DJI places the highest priority on data privacy – and puts customers in control of their data's use.
Our rival drone-makers are stirring up xenophobia to eliminate market competition. We ask you to look at the facts: DJI already adopts the standards outlined in the FBI’s recent memo. Indeed, many agencies and enterprises also employ those standards when using DJI drones.
FACT #1: DJI created the market for ready-to-fly civilian and commercial drones almost two decades ago and has invested heavily in robust safety and security protections as well as expanded user privacy controls for our products.
FACT #2: Customers only share flight logs, images or videos with us if they affirmatively choose to do so. Default collection does not exist with us.
FACT #3: Operators of our consumer and enterprise drones can choose to ‘fly offline’ through Local Data Mode, ensuring that no unauthorized parties can get access to their drone data.
FACT #4: Since 2017, we have regularly submitted our products for third-party security audits and certification. These U.S. and European cybersecurity experts buy our products off the shelf and conduct the review independently. Their findings validate that we provide best-in-class data security and privacy protections.
So in spite of our rivals’ geopolitically-disguised ploys to eliminate us from the marketplace, DJI simply does not have the data they say we do.
DID YOU KNOW?
In 2022, the DJI Core Crypto Engine, which serves as the secure engine of DJI drones, obtained NIST FIPS 140-2 certification which was formally validated by the U.S. and Canadian Governments. This certification is widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and is issued to products with a high level of security and complies with industrial and regulatory security standards.
DJI FlightHub 2 also recently received ISO 27001 certification, issued by the British Standards Institution (BSI), which validates its compliance with information security management standards.
Clarifying misconceptions around DJI and foreign data access laws
Like other global technology companies, there may be requirements for DJI to disclose certain information pursuant to local laws and regulations where we operate. For example, DJI may need to disclose information if required to do so in response to a local court order, judicial or other government subpoena, warrant or enforceable request.
Upon receipt of such an order, DJI's policy is to review the request to check if it meets legal requirements for disclosure. Part of that requirement is that the disclosure would only include data that has been shared with DJI within the national jurisdiction of the government agency requesting it.
This only applies to data DJI does have access to - as we have said earlier: DJI does not collect flight logs, photos, or videos by default. Operators who want to take extra precautions can easily choose to activate Local Data Mode (and even switch on their mobile’s ‘airplane mode’) for added peace of mind. This means the drone is completely disconnected from the internet and is similar to an air-gapped computer.
DJI drones align with best practice cybersecurity
DJI is aligned with the US government’s call for drone operators to practice good security hygiene and to perform regular reviews and training to ensure their protocols remain up to date with industry standards.
Below we have provided additional details on how DJI implements - and in some cases even exceeds - the guidance set forth by the government memo:
- Beyond Local Data Mode, enterprise operators have the option to update their DJI drone fleet while remaining offline. This gives operators the option to conduct a security review of the latest drone firmware or map updates before using them to update their drones.
- DJI enterprise operators have the option to bypass DJI’s flight app altogether, and choose from a range of U.S. software providers. Operators can also choose to deploy their own private cloud through DJI’s Cloud API and manage full view over their operations and security.
- DJI already enables robust data-at-rest and data-in-transit procedures for encryption and storage to ensure confidentiality and integrity of data collected by our drones. For example, enterprise operators can encrypt their media data stored on the drone with a secure passcode. This is non-decryptable by any third-party - including DJI.
- Our standard practice remains to protect data transmitted by the drone with the TLS protocol, and any personal data shared by users (i.e. name or email address for account registration) is further secured with AES-256 encryption in storage. Consumer and enterprise drone data shared with DJI outside of China is housed in U.S.-based cloud servers.
- DJI allows for quick and easy deletion of drone data through its Reset All (for consumer drones) or Log One-Click Deletion (for enterprise drones) functions.
These are just some examples of how DJI already practices these cybersecurity recommendations. What is out of our control is country-of-origin-based cybersecurity policies which are problematic to the industry as they are grounded on political and protectionist foundations - instead of technology-based industry standards.
DJI will continue to advocate for the development of a clear technology-based standard for drone security that all drone manufacturers would need to adhere to, regardless of their country-of-origin. This will improve overall drone and data security and benefit the industry and its end user community as a whole.
