ICE memo says Chinese-made drones are snoops
- By Mark Rockwell
- Nov 27, 2017
Chinese-built drones sold in the U.S. to federal and local governments, law enforcement and critical infrastructure providers are probably downloading critical data to the Chinese government, an agent in the Immigrations and Customs Enforcement's investigative arm has warned.
A memo sent in Aug. 2017 from an ICE intelligence office in Los Angeles to law enforcement across the nation in August warned that the small drones sold in the U.S. by Chinese drone maker Da Jiang Innovations were most likely downloading sensitive data gathered in the U.S., including data on critical infrastructure sites, to the Chinese government's cloud.
The ICE memo states that DJI is "dumping" the product on the U.S. market, dramatically reducing prices to freeze out competition.
The August SIP memo was first reported by SUASNews on Nov. 18 and posted to the Public Intelligence Web site on Nov. 27.
ICE and the Department of Homeland Security declined to comment on the memo.
DJI complained that the memo was "based on clearly false and misleading claims from an unidentified source," in a response posted on its corporate website on Nov 25.
The ICE memo claims "with high confidence" that DJI is "selectively targeting government and privately owned entities" in the critical infrastructure and law enforcement sectors "to expand its ability to collect and exploit sensitive U.S. data."
The official based the hunch on open source reporting from magazine and newspaper articles, but also on a "reliable" source in the drone industry that has "first and secondhand access" to knowledge of the practice.
The memo said that as of July, at least 10 companies in the railroad, utility, media, farming, education and law enforcement sectors have purchased and are using the company's small drones to collect mapping data, inspect infrastructure, conduct surveillance and monitor hazardous materials.
It noted other DHS memos in its sourcing, including one that said DJI drones were used by the contractor building the agency's National Bio and Agro-Defense Facility in Manhattan, Kan., to help with security on the site, as well as with construction plans.
It said DJI has targeted critical water, electrical, railroad and other infrastructure providers to sell its equipment to, particularly in big metropolitan areas.
Critical infrastructure companies have been among the most vocal organizations clamoring Federal Aviation Administration waivers to operate all drone types as they use them as an inexpensive, efficient method to keep an eye on their facilities.
The small drones, said the memo, use two Android smartphone applications called DJI GO and Sky Pixels that automatically tag GPS imagery and locations, register facial recognition data even when the system is off, and access users' phone data. The apps also can capture personally identifiable data on the operator, as well as video, photos and computer credentials.
DJI strongly disputed these characterizations in an email to FCW. "SkyPixel is not an app – it's a website we run to spotlight cool drone photos and videos from around the world, shot by drones from any manufacturer. More importantly, neither one of them register facial recognition data (especially when they’re turned off!)," a spokesperson said. Additionally, DJI noted that DJI Go works on Apple iOS as well as Android.
The memo's industry source said DJI automatically uploads data to cloud storage systems in Taiwan and Hong Kong, "to which the Chinese government most likely has access."
The SIP said it was highly confident a foreign government could "easily coordinate" physical or cyberattacks against crucial sites using the data.
In its response, DJI said its products don't have facial recognition capability when it comes to tracking individuals, and that it was not selling products at a loss to drive competitors out of the U.S. market for small drones. Additionally, DJI stressed that photos, flight logs and videos are only synced with a remote server when the operator selects that option. For U.S. operators, data is stored on Amazon Web Services servers in the U.S., the company said.
This story was updated on Nov. 29 to include additional comment from DJI.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.