Commercial drone use is exploding in the United States, particularly with city, county, and state governments. These systems offer shorter response times, greater utility, and markedly lower costs to acquire and operate than manned helicopters. Moreover, the technology and associated capabilities are advancing so rapidly that even facial recognition is now included in many off-the-shelf systems. With miniaturization, those systems may soon have the ability to instantly determine the identity of people in crowds using a database of billions of social media images currently found on sites like Facebook and YouTube. The potential to exploit that data goes well beyond marketing and, in the wrong hands, could harm national security. The United States government needs to address and stop the collection and transfer of data by drones to any foreign-based corporation before this incredible capability is turned against us.
Drone Types and Capabilities
Unmanned aircraft systems (UAS) or “drones” come in four weight-based sizes with capabilities that increase with each increment of scale.
- Small drones are the most common and weigh less than 20 pounds. The vast majority of drones employed by civilian and government users at and below the state level fall into this category.
- Medium drones weigh less than 55 pounds and are limited to an altitude of 3,500 feet above the ground.
- Large drones (up to 1,320 pounds) and very large drones (greater than 1,320 pounds) are almost exclusively used by the federal government and U.S. military.
While the technology embedded in the latter two may seem excessive to state and local governments and private users, miniaturization will undoubtedly allow many of their capabilities to migrate into the medium and small drones over the decade ahead.
In commercial drones, the video cameras, the images they collect, and the data they produce are the value center of the devices, and full-motion video (FMV) is the most widely available sensor on drones of all sizes. These video surveillance systems generally have telescopic/zoom-in features with small drone daylight cameras that currently offer up to 30x optical and an additional 6x digital zoom for a total magnification of 180x. Nighttime options are equally impressive and include thermal imaging and low-light cameras with 20x zoom and 1080-pixel high definition. These off-the-shelf, commercially available drones have the ability to collect surprisingly detailed information on surveilled areas and subjects of interest, and they can transmit that real-time video feed directly to the Internet through a 4G connection or through base stations that are connected to the Internet.
To complement those capabilities, facial recognition and artificial intelligence (AI) software are now available in drones priced as low as $600. While those capabilities are relatively rudimentary and limited in function, the technology surrounding facial recognition has exploded over the past several years. Clearview AI, a U.S. start-up company, introduced technology in 2019 that uses artificial intelligence to compare an uploaded photo against a database of billions of images compiled from social media sites, like Facebook and YouTube, to find a match, often in milliseconds. It has since been used by the U.S. Departments of Defense (DOD) and Homeland Security (DHS), the FBI, and hundreds of state and local police agencies, and the entire process can be accomplished on a smartphone.
With a connection to the Web, commercial drones will soon be able to exploit the kind of AI now being developed for government agencies, and with miniaturization, the collection capabilities currently found on larger drones will likely migrate to the small-drone market over the next decade. As such, it is useful to briefly explore the open-source capabilities now being fielded on large UAS platforms.
Finding points or subjects of interest in the field-of-view (or “soda straw”) coverage offered by FMV cameras significantly limits the surveillance capability of any drone. In an effort to expand both the field of view and operator situational awareness, the military developed and acquired wide-area surveillance capabilities and wide-area motion imagery (WAMI) sensors.
WAMI systems are very large video cameras capable of recording the activities and movements within city-sized areas in high resolution. The Air Force’s Gorgon Stare carried by MQ-9 Reapers is one such system. It can track thousands of targets simultaneously and conduct several surveillance operations on separate targets concurrently. This system allows analysts to play back the video of a person of interest (POI) to see where he lives, who his friends are, and then, in turn, who those friends associate with—a feature similar to a modern digital video recorder found in most homes. This high definition monitoring is streamed in real time to analysts and systems that can process the images of the POI for identification.
The weight of Gorgon Stare and similar state-of-the-art surveillance systems is significant, but technological advances continue apace, and their weight and size are dropping rapidly. For example, CorvusEye 1500 is a relatively new WAMI system that provides surveillance over an area three kilometers in diameter—and it weighs just 83 pounds. This year, Logos Technologies introduced a new system called Redkite that quadruples CorvusEye 1500’s surveilled area to 12 kilometers and, at 30 pounds, can now be carried on medium-sized drones. With the number of companies working to take the lead in this growing business area, there is little doubt that efforts to miniaturize that technology will continue and, if it follows the path of cell phones, the weight will drop to allow small drones to readily carry and employ WAMI systems.
The capabilities associated with Clearview, WAMI, and Gorgon Stare are not currently known to be available in small drones. However, with Internet connectivity and advances in miniaturization, the potential benefits these systems will bring to state, city, and county agencies are significant—as are the potential negative impacts.
State and Local Government Agencies’ Drone Use
The use of commercial drones in the United States is exploding. According to the Federal Aviation Administration (FAA), which registers drones in the U.S., there were fewer than 50,000 commercial drones in operation at the end of 2016. Today, there are more than 385,000. The FAA forecasts the commercial UAS fleet to grow to over 835,000 by 2023, an average annual growth rate of 25 percent.
Companies have started using drones to cut costs and increase operational efficiency in a variety of industries, including insurance, construction, and agriculture. One of the most important sectors of growth in drone employment is for law enforcement and first responders at the state and local levels. As of March 2020, 1,578 state and local police, sheriff, fire, and emergency services agencies in the U.S. have acquired drones, an increase of 500 agencies since May 2018. Just over 70 percent of those agencies are law enforcement, 20 percent are fire and rescue, and 10 percent are emergency management organizations. Some possess a single drone, while others operate fleets of 10 or more, and their capabilities are having an extraordinary impact.
Police use drones to map cities, search for suspects or victims, investigate crime scenes, and monitor traffic. Fire and rescue agencies use drones as intelligence, surveillance, and reconnaissance tools “to provide command officers and emergency operations centers information that was previously either unavailable or extremely difficult to obtain in a safe and timely manner.” If the technology now resident in large military drones continues to migrate into smaller systems, their capabilities will substantially advance police, fire, and rescue efforts and operations.
However, the data those drones collect while flying over metropolitan areas would hold the precise location of critical infrastructure and sensitive information, such as the locations of civic leaders, their movements, and interactions. If that data fell into the wrong hands—or was even collected by an entity with hostile intent—it could be used against individuals, officials, and agencies in ways that far exceed the benefits of those systems.
Compounding this concern is the fact that the vast majority of drones used by law enforcement and first responder agencies, more than 970, are manufactured in China, and the way many of those systems were “introduced” to U.S. law enforcement agencies is troubling. The leading Chinese drone manufacturer of small drones, D-Mada Jiang Innovations (DJI), donated 100 drones to 45 law enforcement and first responder organizations across 22 states in a good will “disaster relief program” to combat the COVID-19 crisis on April 1, 2020. Those “gifts” are now being used in major metropolitan areas to monitor social distancing, fevers, and coughs among the public—as well as broadcasting messages to homeless encampments and to enforce stay-at-home orders.
While this type of surveillance is common in China, it has rightfully raised privacy and civil liberties concerns in the U.S. Drones have the technology to collect terabytes of data in a single flight while surveilling American citizens, cities, and infrastructure. Furthermore, this sensitive data collected by the Chinese-donated drones can be accessed by the drone manufacturer—and, thereby, the Chinese government. Beijing has a history of imbedding surreptitious endeavors into seemingly good-natured or even charitable transactions by its government and/or Chinese corporations. Before we explore those details, it is important to know just how big a foothold Chinese corporations have in the U.S. commercial drone industry.
China Dominates the U.S. Drone Market
In 2019, $1.2 billion were invested in the global drone industry. That year, a single, privately owned Chinese drone manufacturer, DJI, held approximately 70 percent of the global consumer drone market. That market is expected to be worth $43.1 billion by 2024.
North America has the largest market for commercial drones, where DJI dominates as well. Of the top 10 drone manufacturers that supply the U.S. market, DJI towers over the others with nearly 77 percent of market share. The next closest company is Intel (Santa Clara, California) with a mere 3.7 percent of the market. The remaining manufacturers are:
- Yuneec (Hong Kong, China): 3.1 percent market share;
- Parrot (Paris, France): 2.2 percent market share;
- GoPro (San Mateo, California): 1.8 percent market share;
- 3DR (Berkeley, California): 1.5 percent market share;
- Holy Stone (Taipei, Taiwan): 0.8 percent market share;
- Autel (Bothell, Washington): 0.8 percent market share;
- SenseFly (Lausanne, Switzerland): 0.3 percent market share; and
- Kespry (Menlo Park, California): 0.3 percent market share.
Western-based companies have not been able to compete with DJI’s complete supply-chain integration, user-friendly software design, and Chinese manufacturers’ incredibly low pricing.
While the user interface and technology associated with Chinese drones are attractive features, perhaps the biggest factor in Chinese drone manufacturers gaining control of the global market is pricing. A 2017 investigation by Homeland Security found that DJI had aggressively dropped its prices 70 percent in 2015, effectively pushing many competitors out of the U.S. market. Those dumping techniques have allowed DJI and Yuneec to capture a total of 80 percent of the U.S. commercial drone market. Consumers, both private and public, have moved to buy their advanced, easy-to-use and markedly less expensive technology over other global competitor products without fully understanding just how much data these drones collect, where the data goes, and how it can be used.
The Road to Beijing
In early July of 2020, a security firm called Synacktiv reverse-engineered an Android application (app) called DJI GO 4 that allows owners to control drones—and what they discovered was more than troubling. They found the app was collecting sensitive user data and that its coding enabled the app’s developer to download and execute code whenever it chose. The amount and type of user information collected meant that DJI could readily identify specific targets of interest, access their contacts and Internet networks, and ultimately compromise the user’s phone. Once a device has been exploited, the developer (DJI) can track the owner—and use the phone to attack other users through WiFi networks. But it is not just the drone software that puts users at risk.
A cybersecurity research and engineering firm, River Loop Security, recently analyzed an editing tool for videos and photographs taken on DJI action cameras known as the DJI’s Mimo mobile app. River Loop observed the network traffic between the Internet and mobile devices via the app, and they found the DJI Mimo app:
- Uses libraries that request personal data about users’ religious and political affiliation, as well as security settings from connected social network application programming interfaces;
- Sends that data without user consent via unsecured means to third-party servers leading to potential disclosure or modification while in transit;
- Sends data to servers behind the Great Firewall of China; and the
Those findings should worry any company or government agency using DJI technology, as well as policymakers working to secure critical infrastructure.
The Chinese Communist Party: A Bad Actor
The Chinese government has a history of pilfering intellectual property and technology, as well as hacking data, from U.S. companies, military, and government agencies. Collecting data from users via technology, applications, and devices is one of the Chinese Communist Party’s (CCP) many tactics.
As a current example, TikTok is a free app owned by ByteDance, a Beijing-based tech company that offers users the ability to create novel, 15-second videos to share through social media. ByteDance is now being sued for harvesting personal user data and sending it to China without the consent—or even knowledge—of those users. The lawsuit also accuses TikTok and ByteDance of taking user content, such as draft videos, without their consent and of having “ambiguous” privacy policies.
While many believe the data is used to simply better profile users and target advertising, there have been several instances in which users’ videos have been censored or accounts deleted because they criticized the CCP. Although this is a relatively mild action, it shows the CCP’s ability to trace an individual’s behavior and penalize him or her. When one criticizes or goes against the CCP’s narrative, the repercussions can be severe.
We have seen Beijing influence leaders on the global stage with the World Health Organization’s President Tedros Ghebreyesus and his backing of the CCP’s response to the COVID-19 crisis. We have likewise seen Beijing’s influence affect U.S. corporations, including Nike and the National Basketball Association, whose overt support of China in the face of known human rights violations and its poor global pandemic response is beyond naïve. As such, it is not a stretch to envision Beijing using collected data to influence U.S. leaders at the federal, state, and local levels.
Similarly, Beijing has compiled recent images of U.S. protests and manipulated them to portray America as chaotic, unruly, and a society in decline. The CCP uses such manipulation to advance its narrative that China’s authoritarian leadership is superior to democracy. Apply those same tactics to the opportunities presented with the data captured by a police drone monitoring the movements of a crowd during a demonstration in a densely populated area, and it is not hard to imagine the associated images being captured, manipulated, and disseminated through the Internet in targeted campaigns to cause those civil demonstrations to spiral out of control.
Like any other form of data collection, the information collected by drones can be shared between organizations and used to support efforts over which the drone operators may have no knowledge or direct control. For many city, county, and state government organizations, exchange of that data can seem innocuous or even entirely beneficial for coordinating emergency services between fire and/or police departments. Unfortunately, the hidden data transfer capabilities of these systems can be much more nefarious.
FBI Director Christopher Wray stated in a July 2020 speech on the Chinese government and CCP’s threat to our economy and national security:
[T]here is perhaps no more ominous prospect than a hostile foreign government’s ability to compromise our country’s infrastructure and devices. If Chinese companies like Huawei are given unfettered access to our telecommunications infrastructure, they could collect any of your information that traverses their devices or networks. Worse still: They’d have no choice but to hand it over to the Chinese government if asked—the privacy and due process protections that are sacrosanct in the United States are simply non-existent in China.
Federal Government Prepared; State and Local Governments Unprepared
The U.S. government now recognizes the threat of using Chinese-manufactured drones and has issued multiple warnings and bans. In August 2017, the U.S. Army prohibited troops from using DJI drones due to cybersecurity concerns. Also in August 2017, Homeland Security Investigations issued an intelligence bulletin, warning that DJI was providing critical infrastructure and law enforcement data to the Chinese government. The bulletin stated that the most frequent uses for the DJI drones included mapping land, inspecting infrastructure, conducting surveillance, and monitoring hazardous materials.
In May 2018, then-Acting Secretary of Defense Patrick Shanahan issued a ban on the DOD’s purchase and use of all commercial off-the-shelf drones until the department could devise a plan to address cybersecurity vulnerabilities.
On September 5, 2018, the Secretary of the Department of Homeland Security warned that “[t]errorists are using drones on the battlefield to surveil and to destroy…. [C]riminals are using them to spy on sensitive facilities. Drones can also be used to disrupt communications or to steal data on nearby Wi-Fi.”
In May 2019, the Department of Homeland Security (DHS) issued an alert to U.S. companies about the risk of Chinese-manufactured drones sending American data to China, where intelligence services have unlimited access to the data. And in June 2019, President Donald Trump extended the Defense Production Act to small UAS, stating “the domestic production capability for small unmanned aerial systems is essential to the national defense.”
The Entities List
The Department of Commerce’s Bureau of Industry and Security publishes the names of certain foreign individuals or business entities that, because of their unscrupulous or nefarious actions, are subject to specific license requirements and policies for the export, re-export, and/or transfer (in-country) of specified items. These people and entities comprise what is known as the “Entity List,” which is part of the Export Administration Regulations. Huawei has been placed on the Entities List because of its coercive and surreptitious efforts to field 5G network technology—and while DJI is not yet on the list, events during the past three years highlight the need to consider the corporation for inclusion therein.
DJI has had a direct role in supporting China’s mass internment and suppression of the Uyghur people in Xinjiang. In 2017, the privately held company signed an agreement of cooperation with the Xinjiang Autonomous Region Public Security Department (XARPSD), which includes the deployment of DJI drones and a strategic-cooperation agreement on police drones for “stability maintenance” and “counter-terrorism.”
In mid-July, shocking drone footage reminiscent of the Nazi Holocaust of Jews was posted on Twitter that showed a DJI drone monitoring Chinese paramilitary police escorting Uighurs who were shackled and blindfolded at a train station in Xinjiang in the fall of 2019. Analysis reveals the video was taken using a DJI M-series drone, and its operators are within 40 meters of the drone, imbedded within the paramilitary police. With that, it became clear that “stability maintenance” and “counter-terrorism” are euphemistic terms for the abuse of the Uyghur people.
In October 2019, the U.S. Department of Commerce placed the XARPSD on the Entity List and, because it is providing material assistance to the XARPSD, DJI should also be placed on that list. Congress has likewise started to legislate against government procurement of Chinese manufactured drones in the U.S. The American Security Drone Act of 2019 was introduced in both chambers of Congress with bipartisan support. The bill would generally:
- Ban federal procurement of commercial off-the-shelf drones or unmanned aircraft systems manufactured or assembled by a covered foreign entity, as determined by the Departments of Commerce, Homeland Security, State, or the Director of National Intelligence; or an entity subject to the influence or control by the government of the People’s Republic of China or the Chinese Communist Party;
- Prohibit federal operation of foreign commercial off-the-shelf drones and small unmanned aircraft systems; and
- Prohibit the use of federal funds awarded through contract, grant, or cooperative agreement to purchase commercial off-the-shelf drones or UAS manufactured or assembled by a covered foreign entity.
In January of 2020, the Department of the Interior grounded all Chinese-made drones (approximately 800) in its fleet due to cybersecurity concerns with drones manufactured in China or made from Chinese parts.
More recently, the Inspector General for DHS reported that drones present an emerging threat to the nation as their popularity grows, stating that “[t]errorists, criminal organizations, and lone actors have used UAS for malicious purposes.” The report identified drone-related threats facing DHS, including transporting contraband, chemical, or other explosive/weaponized payloads; silently monitoring a large area from the sky for nefarious purposes; performing cybercrimes involving theft of sensitive information; and disrupting and invading the privacy of individuals.
The Inspector General reminded Americans in its report of the drone that crashed on the White House lawn in January 2015, “illustrating a drone’s ability to evade detection and create challenges for secure facilities.” He concluded in its report that the “DHS will remain vulnerable to increased security risks and emerging threats from unmanned aircraft until it expands its capability to counter illicit UAS activity.”
In July 2020, the Defense Department awarded five small companies a total of $13.4 million in contracts. This will eventually help jump-start the U.S commercial industrial base capabilities and defense-critical workforce. However, the bureaucratic hurdles associated with the contracting process could take months, if not years, to boost the domestic drone industry because it has been suppressed by the predatory business practices of the Chinese government, which has employed underhanded financial and business practices to drive competitors out of business.
In his July 2020 speech, FBI Director Wray stated bluntly, “China, as led by the Chinese Communist Party, is going to continue to try to misappropriate our ideas, influence our policymakers, manipulate our public opinion, and steal our data. They will use an all-tools and all-sectors approach—and that demands our own all-tools and all-sectors approach in response.” The federal government recognizes the threat China poses with small drones, and it is taking steps to counter it; however, the threat’s potential has not registered below the federal level.
Unfortunately, state and local law enforcement and first responder agencies do not appear to recognize the threat that Chinese drones can pose. Cities are acquiring or willingly accepting drones from China without considering the repercussions, and the employment of those systems is growing unabated. Heeding Director Wray’s advice, state and local law enforcement agencies, first responders, critical infrastructure industries, and others should steer clear of Chinese-manufactured drones. To protect our homeland, national security, and economic interests, government consumers of commercial drones in the U.S. should procure technology that minimizes such risks.
To counter the risks of Chinese-made drones or those using Chinese-made parts, the U.S. should enact the following recommendations.
- The Administration should place DJI on the Entity List. This is particularly crucial in light of the Homeland Security Investigation’s findings, River Loop Security’s findings, and DJI’s assistance in the monitoring and facilitation of the appalling persecution of Uyghurs inside China.
- The Administration should work with Congress to pass legislation that will stop the unauthorized collection and transfer of data by a Chinese drone company or subsidiary. This should occur regardless of whether such collection is in or beyond the shores of the United States, as that company is likely to move or store that data in China.
- The DOJ and the DHS, using their state and local committees, should engage state, city, and county agencies. They should inform them of the threat and the potential repercussions from employing Chinese drones, including the evidence of, and repercussions for, employing this inexpensive technology in their communities.
- The Departments of Commerce, Treasury, Defense, and Homeland Security should leverage the Defense Production Act authorities that President Trump has invoked. This should be done to encourage technological growth and price-point reduction in the U.S. market for government use.
- The DOJ, DHS, and the DOD should use and/or expand their grant programs to accelerate competition among U.S. manufacturers. They should also encourage state and local agencies to procure drones that are not manufactured or assembled by an entity subject to the influence or control of the Chinese Communist Party.
The U.S. faces a growing national threat from Chinese drones. The vast majority of commercial drones used in the U.S. are manufactured in China, and their operating systems are impressive and worrisome. The technology is advancing rapidly, and the capabilities currently found in large drones is now being miniaturized and will likely migrate to smaller drones in the near term, which will significantly broaden the threat. The federal government has recognized the threat and put the brakes on procuring or using such risky technology—but the understanding of the risk and/or the willingness of state and local agencies to thwart those drones from collecting sensitive data is limited at best. It is time for state and local agencies to be informed of, and recognize, the threats involved in using Chinese-manufactured drones and immediately move to mitigate them.
John Venable is Senior Research Fellow for Defense Policy in the Center for National Defense, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy. Lora Ries is Senior Research Fellow for Homeland Security in the Center for Technology Policy of the Davis Institute.