Independent Study Validates DJI Data Security Practices

News2018-04-23

Independent Study Validates DJI Data Security Practices

Report Finds DJI Systems Keep Customer Data Private

DJI, the world’s leader in civilian drones and aerial imaging technology, Monday released the results of an independent report scrutinizing DJI’s data practices that concludes DJI drone users have control over how their data is collected, stored and transmitted.

The report analyzed drones and software independently obtained in the United States late last year, and confirmed DJI did not access photos, videos or flight logs generated by the drones unless drone operators voluntarily chose to share them.

 “This is the first time DJI has allowed outsiders to examine its proprietary computer code, and the result is the first independent verification of what we have said all along: DJI provides robust tools to help our customers keep their data private,” said Michael Perry, DJI Managing Director, North America. “This comprehensive report clearly debunks unsubstantiated rumors about our products and assures our customers that they can continue flying DJI drones with confidence.”

The report by San Francisco-based Kivu Consulting, Inc., was based on a first-of-its-kind detailed examination of DJI drones, mobile apps and servers as well as the data streams they transmit and receive. Kivu’s engineers comprehensively examined the code repositories for DJI’s mobile apps and tested whether DJI’s drones could transmit sensitive user data without connecting to the DJI app. DJI had no input into Kivu’s findings or conclusions.

“Kivu’s analysis of the drones and the flight control system (drone, hardware controller, GO 4 mobile app) concluded that users have control over the types of data DJI drones collect, store, and transmit,” wrote Douglas Brush, Kivu’s Director, Cyber Security Investigations, in a summary available for download here.

“For some types of data, such as media files and flight logs, the drone user must affirmatively initiate transmission to any remote server,” Brush wrote. “For other types, such as initial location checks or diagnostic data, the user may prevent transmission by deactivating settings in the GO 4 application and/or disabling the Internet connection.”

Kivu independently bought DJI drones as well as iOS and Android devices in the United States, and downloaded the DJI GO 4 mobile apps. Kivu set up systems to capture all data transmitted through iOS and Android devices running DJI GO 4, and reviewed source code, application data, server addresses, and data generated during operation.

In recent months, reports have emerged claiming DJI drones can transmit sensitive user data without the user’s knowledge or consent. None of those claims have been supported by evidence beyond speculation. Kivu’s report affirmatively shows DJI enables the protection of personal data, and claims to the contrary are demonstrably false.

DJI continues to emphasize its efforts to resolve concerns about data security, and to assure customers they can continue to rely on DJI products as the most stable, reliable and innovative drone platform.

For additional information, please contact: pr.us@dji.com