The CHICOMMS Syndrone

I must preface this entry with the disclaimer that most of it is postulating on my part. It is meant as food for thought on possible motives for why a company would voluntarily launch a haphazardly designed and untested system that ultimately serves to limit their product viability. Another notable mention would be that I had started working on this during the “lingering conspiracy theory” lull prior to the U.S. Army FOUO announcement pertaining to DJI products storm.

The Australian Defense Force has issued a statement, and I am sure other countries will follow suit. The awkward public plea made by DJI spokespeople for military officials to contact them with assurances that their classified data is safe is obtuse. Especially since the big ICAO monitoring announcement and with the data that is already available to them. Others in the oil and gas, major league sports, mining and a host of other mega-billion dollar industries apparently don’t want to share their secret sauce either. They have credibility issues that partnering with Mother Teresa couldn’t solve.

*Author’s note: Having spoken to a few folks who’ve read the classified reports, let’s just say that the U.S. Army didn’t tell personnel to “cease all use” because they didn’t like DJI’s new Terms of Use.

First and foremost, I must state for the record that I have no personal knowledge of what exact data DJI drones collect, ancillary equipment or servers. Nor do I profess to know where all of the servers are or what is sent to, or stored, in China or elsewhere. Multiple sources working for government agencies and others have said, “Packets of data are going to China!” I will also state for full disclosure that I have no idea what financial stake the Communist Party of China has in DJI. I have asked in the public forum of Twitter, and am still waiting for a reply.

Okay, Colonel Mustard, what’s the motive?

How many corporate meetings do you suppose are convened to purposely reduce product viability and appeal? (Okay, besides Yahoo.) Imagine after the sales forecast power point you heard, Hey Bob, we are just selling too much product and you had better tell the guys down on the floor to throw the breaks on pronto! Not needed here as the policy mistakes have sales down 10 to 15%.

Imagine if you were on the board of a company that developed a product that could collect new kinds of data. We are not talking about a terrestrial based data collection system like a camera or a cellphone, but the same promise that sold billions of dollars worth of drones all over the world.

What would that data mean to a burgeoning superpower with designs on being the World’s number one economy? Imagine having production information on mining of precious metals and minerals like lithium or uranium. What might that mean for the industry or National defense? How about a competing country’s energy production, exploration and distribution system, manufacturing or Ag and what types of shenanigans that could afford one to play in the futures markets? What about military installations, tactics, procedures, and training? Or homeland security counterterrorism and disaster response drills?

The means –

I’ve asked around if it is possible to have algorithms trigger data collection from areas of interest. Is it possible to then feed commands to the drone without the operator’s knowledge? Well, that all depends, but recent developments confirm the existence of backdoors, the ability to hot patch software without the user being aware and feeding cake as it were to unsuspecting users. Yes, I have been told that it is all well within the realm of possibility.  

Is it too far of a stretch to assume that these types of information are important enough to peak somebody’s interest? Even in a best-case scenario, is it plausible to believe that curiosity would get the best of even those with honest intentions?

The method –

You brought to market a new technology that helps consumers do a cool new style of photography. What if you could incidentally enlist a global cadre of beta testers to pay you for the privilege to reconnoitre a foreign country, entity or government? These have been sold all over the world and with the right combination of vulnerabilities could be used to collect georeferenced data whenever you want it? Shrewder still would be the same company’s representatives and lobbyists influencing the world’s foremost Civil Aviation Authority (FAA) to make this data collection system mandatory under the guise of safety? Just look at the geofencing notion going hand in hand with the global implementation of a UTM for a relatively low number of commercial operators. These guys have themselves lathered up on an Amazon or Google business model. Does it make dollars and sense for the small commercial end-user?

Maybe it is all too far-fetched, and the data collection and software vulnerabilities were just one big coinki-dinki-do, and the stars just randomly aligned under the naïve nose of the regulator and an adoring as well as trusting consumer base. It is just as plausible as anything else mentioned in this article.

Professionals have been vocal with their complaints. Besides the viability blowback, it is also a PR impediment that draws the ire of their new focus on the “enterprise” customer. Nothing says “professional” or “enterprise” like showing up to a job with a $4000 + paperweight. Movie budgets run as high as $90K a minute and calling China for a “pretty please” while the meter is running… well, you get the picture, but not the next job. How will first responders break it to city officials that they have to ask for permission from some guy in China to use taxpayer-funded equipment if a TFR goes up?  How’s that for some socialist realism?

Besides running counter to aviation norms, namely the notion that the Remote Pilot In Command (waivered or not) is supposedly the responsible party, Geofencing serves to cast more doubt on the existing heap of viability, reliability and performance issues. Other manufacturers had signed on to the Geofencing idea but found it difficult to survive in the post-registration task farce environment. Low viability products could have possibly been a contributing factor in nine-digit loses that are plaguing an industry with $82 billion dollars of potential. (Drone algebra??)

So where did the square peg come from? Rumors are that Geofencing was born out of a request by the Communist Party of China to make Tiananmen Square a No Fly Zone (NFZ). Almost 30 years later and they’re still a little touchy about the terrorist with the garbage bag and ensuing live fire crackdown, and I get that. It is hard to put a happy face on the mucky business of suppressing a democracy movement. I could also see where the company coders might say we can spread the joy with a map data scrape and roll it out in the U.S. and beyond. If the PR team spun it right they could say in this instance, let us be seen for our perceived deeds of social responsibilities and not just what is in our disclaimers.

It could be why DJI rolled out an afterthought quality version here in the U.S. I say afterthought only because it was circumvented in basically an afternoon. The latest iteration of Geofencing still lacks a certain free Internet sophistication and was circumvented in two days of pizza-fueled solitude. The first version tucked tail and quietly fell off the radar only to resurface sometime later with new and improved version 1.4 map data as if that was the root of its security and adoption problems.  The bugs were worked out, and unwitting startup partners were enlisted to provide that new and improved sensitive GIS data.

Version 1.4 was only good enough to launch for TSA background checked part 107 holders. ISIS, Al –Qaeda, Hezbollah, Turkestan Islamic Party (PIC) and any other Tom, Dick or Hakem with a credit card, some Reynolds wrap and a little initiative is pretty much all that is needed to drop ordnance with impunity. It looks like social responsibility may have taken a powder.

Fair enough, we’re giving it the old college (roommate’s younger brother) try with some new partners who needed time to come up to speed and some regulator backed education to help put a lid on flights near airports and other sensitive locations. However, if we were to take the drone sightings data at face value, it would appear that the best intentions of the old college try might have fallen short of what was possible.  The reported sightings numbers have gone up despite all of the best efforts of the OEM’s, partners and the FAA. In unison, they have worked together to stave off threats to NAS without following procedure and little in the way of policy enforcement. The whole toy company grade program looks so bad to people in Congress that the lobbyists are starting to wonder just where and when the biscuit wheels came off the gravy train.

Perfunctory solutions section –

Folks get all upset when I write these things and don’t offer up solutions for the selfie-drone crowd to ignore. It is not all wasted breath, it’s just a slow learner thing as the ignorees usually come around in a few years to my way (the right way of course) of thinking.   

The community has had their trust violated, and many believed those denials of data collection, vulnerabilities in the software and other problems perceived or real have damaged DJI’s credibility. Those in professional and government circles wonder why the company hadn’t tried to get in front of the controversy before the dust-up. It wasn’t like this was out of the blue as other agencies had said they couldn’t use Chinese products. Not that backdoors and other vulnerabilities are limited to drones, there have been multiple examples including CCTV cameras, computer chips, etc. that have been used in the past to collect data.    

With the current geopolitical climate is it wise to have a Chinese toy company proposing policy for the U.S. National Airspace System (NAS)? We must be objective about our exposure.  Many believe that the prudent thing to do would be to investigate the system as well as those partners (regardless of investment funds origin) who share and disseminate sensitive GIS data and the interworking of our NAS. This investigation should be done in haste and before widespread adoption by municipalities and local law enforcement agencies.

Previous articleNational Science Foundation Selects NCTC to Lead Large Project Drone Initiative in Education
Next articlePix4D announces a new user certification program
Patrick Egan
Editor in Field, sUAS News Americas Desk | Patrick Egan is the editor of the Americas Desk at sUAS News and host and Executive Producer of the sUAS News Podcast Series, Drone TV and the Small Unmanned Systems Business Exposition. Experience in the field includes assignments with the U.S. Army Space and Missile Defense Command Battle Lab investigating solutions on future warfare research projects. Instructor for LTA (Lighter Than Air) ISR systems deployment teams for an OSD, U.S. Special Operations Command, Special Surveillance Project. Built and operated commercial RPA prior to 2007 FAA policy clarification. On the airspace integration side, he serves as director of special programs for the RCAPA (Remote Control Aerial Photography Association).