Independent study shows that DJI security and privacy practices are sound

Pilots, companies, and governments have all wondered how DJI's apps collect and share data, and now an independent study paid for by DJI Research LLC shows that the company's practices are quite sound. Users have complete control over the types of data collected, stored and transmitted by the drone, remote controller, and GO 4 mobile app, according to research done by Kivu Consulting of Denver, Colorado (PDF file download). 

Image via DJI

Kivu's report shows that for media files and flight logs, the drone pilot must initiate transmission of that data to a remote server. Other data, such as initial location checks and diagnostic data, can be disabled by deactivation of settings in the GO 4 app or by disabling the internet connection.

Kivu purchased DJI Spark, Mavic, Phantom 4 Pro and Inspire 2 drones for testing, and installed the GO 4 mobile apps on independently acquired Apple iOS and Android devices. The consultant captured all network data to collect what GO 4 transmitted to the internet, and also analyzed DJI's servers that store data transmitted by the user. Kivu Consulting looked at different areas and determined DJI's practices in each case:

Data Storage and Transmission: Kivu showed that although the drones and flight control system can collect video, photos, and flight logs, the capture of the multimedia files must be started by the user. None of those multimedia files are automatically uploaded to any server; the user may decide to upload video or images to DJI's SkyPixel platform, but it cannot be done without the user's consent and full knowledge.

Audio: DJI's drones cannot record audio, and although the user can choose to record audio using the microphone on his or her mobile device, that option is turned off by default and the recorded audio can only be uploaded from GO 4 to remote servers if the user chooses to do so.

Flight Logs: The flight logs are recorded and stored on the drones and in the GO 4 application, consisting of GPS location, gimbal information, photo and video capture time, thumbnails of images or video taken during flight, aircraft data, flight time and battery info. Once again, the data is not uploaded to any remote server unless the user chooses to sync flight logs with DJI or other companies.

Diagnostic and No Fly Zone Data: DJI automatically transmits diagnostic information on app performance and user experience to its servers, including an initial location check. That info is randomized before transmission, showing an approximate location within 10 km of the actual operating location. It's transmitted to DJI to read NFZ data, but users can deactivate these transmissions in the DJI GO 4 app or by disabling the internet connection.

Personally Identifiable Information: When DJI owners register and activate a drone, they're asked to give DJI info including an email address and/or a phone number. DJI doesn't validate the info, so it's possible for users to remain anonymous by entering invalid information.  

DJI Servers: Kivu notes that any data transmitted by GO 4 is sent to secure DJI servers, and in the US, these are hosted by Amazon Web Services except for multimedia files, which are hosted on Alibaba Cloud servers in the US. Kivu checked the security policies for the various servers and "confirmed that DJI's network access controls are in order and designed to prevent unauthorized access to information."

Facial Recognition: Worried about FaceAware and Gesture Control identifying a specific user? Those features don't identify individual faces or distinguish between them, and facial recognition software is not in use. 

The end of the document notes that Kivu performed audits to ensure that DJI's cloud server access is now secure, and that the company was notified of some potential vulnerabilities that it then fixed. It's a very good report that should let DJI pilots breathe a sigh of relief when it comes to personal data security and privacy.