I wrote a blog post recently about why drone service providers and others in the drone ecosystem need to have a comprehensive data security and privacy policy. The need to think holistically about drone data security and privacy was made even clearer by a recent incident involving a purported directive from the U.S. Department of the Interior (one of the largest government users of small drones) that allegedly prohibited the purchase and use of DJI Phantom drones. According to the initial reports, the DOI had issued the prohibition because it found that the DJI drones were automatically sending telemetry (and perhaps other) data back to servers in China when they completed flight missions.

The existence of the DOI directive was subsequently denied.  The story died after a few days, but the controversy raised anew the question of data security.  There seems to be no dispute that the DJI software is programmed to send certain data back to company servers in China (see http://www.ibtimes.com/dji-could-hand-over-phantom-drone-flight-data-hong-kong-china-if-requested-2356748). At this point, it is unclear what types of data are automatically sent.  The focus to date has been on DJI and other Chinese companies which may or may not pose a security concern. However, one would expect that American and other drone manufacturers may have created similar protocols for transmission of data to allow them to improve their products and their customer service. While the level of security concerns may be as high with these companies, there still may well be commercial issues that bear investigation.

This type of controversy is not new. Similar questions about data interception and transmission by other types of network equipment have existed for years. Some Western governments have expressed concerns about Huawei equipment and have even gone so far as to forbid its use by government agencies and contractors (see this report about NSA’s investigation: http://spectrum.ieee.org/tech-talk/computing/hardware/us-suspicions-of-chinas-huawei-based-partly-on-nsas-own-spy-tricks). In other countries, similar concerns have been expressed about the use of Cisco equipment, and in some cases formal or informal bans on government purchases of Cisco equipment have been implemented.

Regardless of the DJI action, the controversy over the automatic transmission of data will continue. It illustrates the need for drone services providers and those using their services to ensure that they fully understand – and if necessary control – the transmission of drone-derived data. Customers and service providers who are using an integrated drone application need to stop thinking of drones as flying cameras or radars and view them for what they are (or will be once the FAA regulations permit their use in high-value operations) – data acquisition nodes on a world-wide, interconnected communications network.

That network is comprised of the drone itself, the communications link between the drone and the server (whether on the service provider premises or in the cloud), the software program used to analyze the data, the servers where the data is stored and the transmission links over which the data is distributed. In order to provide the necessary level of security, drone services providers and their customers need to be aware of the terms of use and privacy policies of each entity in that communications network, including the platform operators.

The first area of concern for customers ought to be the privacy policies and data usage policies of their service provider. Does the provider have the right to keep a copy of the data, and if so, what use can the provider make of it? Similar concerns exist with regard to the platform providers. Most drone services companies will be using one of several platforms to upload, store, manipulate and obtain actionable information from the data for their customers. The risk to service providers and their customers comes not just from potential back doors or malware, but also from the use and distribution of data by others in the network chain. For example, to this point there has been very little thought given by customers or most service providers to the use, storage and distribution of customer data by platforms such as DroneDeploy or Skyward.

There are no hard-and-fast answers for any of these issues at this point. Drone services providers and their customers need to keep these risks in mind as they purchase and provide services and develop the drone ecosystem.