Agency Says The Chinese Company's Aircraft  'Likely' To Be Used For Espionage

An unclassified TSA memo leaked to the media indicates that DJI drones may be being used by the Chinese government for espionage against the United States.

According to the August memo, SIP Los Angeles assesses with moderate confidence that Chinese-based company DJI Science and Technology is providing U.S. critical infrastructure and law enforcement data to the Chinese government. SIP Los Angeles further assesses with high confidence the company is selectively targeting government and privately owned entities within these sectors to expand its ability to collect and exploit sensitive U.S. data.

The memo states that DJI sells group one category (under five pounds) UAS intended for consumer and professional use. The UAS operate on two Android smartphone applications called DJI GO and Sky Pixels that automatically tag GPS imagery and locations, register facial recognition data even when the system is off, and access users' phone data. Additionally, the applications capture user identification, e-mail addresses, full names, phone numbers, images, videos, and computer credentials. Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction. According to the source of information (SOI), DJI automatically uploads this information into cloud storage systems located in Taiwan, China, and Hong Kong, to which the Chinese government most likely has access. SIP Los Angeles assesses with high confidence a foreign government with access to this information could easily coordinate physical or cyber attacks against critical sites.

After downloading DJI applications, users are prompted to acknowledge DJI's terms and conditions, which grant DJI permission to own and exploit user data. The agreement reads, "Please note that if you conduct your flight in certain countries, your flight data might be monitored and provided to the government authorities according to local regulatory laws."

In April 2016, a DJI spokesperson announced in a briefing for Chinese and foreign journalists that the company complies with Chinese government requests to hand over data collected in China, according to the New York Times. The same article stated DJI could also give the government data from flights in Hong Kong. The spokesperson revealed for the moment DJI was uncertain what they would decide to do with the data and which government departments they would give it to because it was a continuing discussion.

Homeland Security says that DJI is particularly interested in exploiting data from two critical infrastructure sectors: U.S. railroads and utilities. The further state in the memo that Furthermore, the Chinese government is likely using information acquired from DJI systems as a way to target assets they are planning to purchase. For instance, a large family-owned wine producer in California purchased DJI UAS to survey its vineyards and monitor grape production. Soon afterwards, Chinese companies began purchasing vineyards in the same area. According to the SOI, it appeared the companies were able to use DJI data to their own benefit and profit.

SIP Los Angeles assesses with high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population. Alternatively, China could provide DJI information to terrorist organizations, hostile non-state entities, or state-sponsored groups to coordinate attacks against U.S. critical infrastructure. The UAS capture close-up imagery and GPS information on water systems, rail systems, hazardous material storage systems, first responders' activity, and construction of highways, bridges, and rails.

(Images from file)

FMI: Full Memo