by dji4321234 733 days ago
> It can only be side-loaded on Android, because their app breaks a number of policies on privacy and data gathering.

I don't think this is the reason, I think it's more that they're just too lazy to jump through the approval and maintenance hoops that come with an app store, especially because their home market (China) doesn't even use the Play Store.

The iOS version of their app is Apple-approved and present in the App Store.

I do research in this space.

Their consumer apps are loaded to the gills with product-manager telemetry (tap/action tracing, etc., think Firebase/Flurry/whatever), and until recently they had a "sync flight logs" feature that would do what it said: give your detailed flight logs to DJI. It was opt-in, but it was easy to do by accident and many years ago there were bugs in the opt-in toggle.

They just removed this feature from US apps this week (too little too late, and too attached to reality and not attached enough to political pandering).

DJI also have a terrible track record with data security, with their entire AWS account getting ripped in 2017.

I don't think they're explicitly a CCP data-collection front, but sufficient product telemetry is indistinguishable from surveillance malware (this applies to US-based companies and US intelligence, too, of course).

However, their apps run on their own controllers are generally alright, and their enterprise apps run on their enterprise controllers in Local Data Mode are legitimately clean, barring a few versions with small bugs.

I fly DJI drones all the time using DJI RCs with network credentials forgotten, and I wouldn't hesitate to use one of these for consumer use. For the truly paranoid, use a burner email and a VPN to activate the drone.

I also wouldn't worry about using DJI Enterprise drones with the pro controllers in Local Data Mode for even moderately sensitive applications (infrastructure, law enforcement, etc.).

Of course I wouldn't use one for US military applications, insofar as it would be foolish to use any non-allied electronic device in this way.

ps - note that the analysis in the sibling comments is of older apps, DJI Go 4 and Pilot 1, not the newer flagship apps DJI Fly and DJI Pilot 2. The general theme (tons of dirty analytics platforms) remains the same, but the newer apps use more American platforms (Firebase, AWS-hosted proprietary stuff) rather than Chinese, and the "disable telemetry" and "disable data sync" options generally have fewer bugs now.

11 comments

> I don't think this is the reason, I think it's more that they're just too lazy to jump through the approval and maintenance hoops that come with an app store

If that was the case, then why jump through all the hoops of extensive code obfuscation for the Android app? [0]

> DJI also have a terrible track record with data security, with their entire AWS account getting ripped in 2017.

Leaving the door propped open for everyone is also plausible deniability for doing bad things.

[0] https://news.ycombinator.com/item?id=39438842

Anti-reversing. Obfuscation and packers are dominant in Chinese applications. If something isn't obfuscated, it's free rein for competitors.

> Leaving the door propped open for everyone is also plausible deniability for doing bad things.

We completely agree here, see "sufficient product telemetry is indistinguishable from surveillance malware." I personally don't think this justifies a blanket ban on a technology; if it did, the world would need to be a very different place.

> there were bugs in the opt-in toggle.

> clean, barring a few versions with small bugs.

Juniper also had a “small bug” in their implementation of the NSA-mandated Dual Elliptic Curve Deterministic Random Bit Generator algorithm that just so happened to leak the exact number of state bits onto the wire required to hack any VPN connection.

I don’t know if you’re an optimist or just a kind soul, but the rest of us are jaded for good reasons.

A drone company has ZERO business collecting flight log information, in the same way my car manufacturer has no business knowing where I drive.

That their “finger slipped” and they “accidentally” made opting out harder should tell you something.

I fly over 55lbs drones for a living and they all have manufacturer black boxes, mandated by regulation; to say "A drone company has ZERO business collecting flight log information" is wrong.

I've never heard of such a law or regulation. Which country? Can you link directly to the government site where this is posted?

I feel like you're underestimating the average large state actor's ability to employ subtlety when they really care about a long-term foreign intelligence operation.

For example, it doesn't have to be the case that DJI has ever been told to collect data for the CCP. That would be a big OPSEC violation — as soon as anyone in the foreign media learned of it, DJI would be as dead as Huawei or TikTok.

Instead, it could just as well be that the CCP have left DJI themselves untouched, but have instead manipulated market conditions around them: arranging it so that DJI "just seems to never be able to" hire any security experts; and so that DJI (and everyone else) hire product managers from a pool trained on CCP-sponsored university programs and industry media sources, that have those product managers parroting "useful" beliefs like "more analytics is always better."

> arranging it so that DJI "just seems to never be able to" hire any security experts

They're foot-nuking themselves this way, as well. Due to their poor security, DJI are also easily compromised by Western interests and collect a ton of data about Chinese drone operations. I suppose someone could argue they decided that this is worth the cost of the operation, etc., but it seems... odd.

> hire product managers from a pool trained on CCP-sponsored university programs and industry media sources, that have those product managers parroting "useful" beliefs like "more analytics is always better."

The CCP don't need to do any work to make this happen. I totally agree that they benefit, thus my "indistinguishable from malware" comment. But this is how product management works worldwide. Maybe the modern obsession with product telemetry has been a years-long deep intelligence op, but I think it's easier to attribute to standard corporate behavior.

Your post convinced me of the opposite of what you were going for; after reading it, I get even more of a feeling that DJI does shady things.

I wasn't exactly going for "DJI is great" - it's kind of funny that's how it came off.

My points were:

* DJI's use of Secneo on Android isn't hiding a "sendAllYourPhotosToTheCCPServerNow" function. This seems obvious but I've seen this take everywhere.

* However, DJI's apps are loaded with telemetry that's indistinguishable from malware. They ARE full of shady things.

* I wouldn't run a DJI app on my own phone.

* I would use a standalone DJI remote for most low to medium assurance applications, because while the shadiness remains in many ways, the threat model is easy to understand and boundaries are pretty easy to draw.

> I don't think they're explicitly a CCP data-collection front

In China you cannot not be explicitly a CCP data-collection front.

China doesn't bring evidence to a judge in order to get a subpoena for data. They just go to DJI and get it. DJI has zero legal recourse if the CCP wants access to all DJI's stored data. Doesn't matter where that data is stored. Same thing for TikTok and why legislators are killing that too. You're a Chinese company? You ultimately work for the state. No discussion.

China is not the US. People need to stop fitting the way things work in the US to the way things work in China.

Edit: For the whataboutists: Yes, everyone is aware that American three letter agencies have backdoor access to every computer, broken RSA and AES, and control the USA's puppet government. Thanks.

To start: I do not trust the CCP, but my trust in the American legal system has been waning.

What's the legal recourse for a US Citizen served with a dodgy FISA-related subpoena/warrant?

Or if a government agency wants to purchase tracking data that includes my phone from a data collection agency? Say the state of Texas purchases geotracking data for app users who cross state lines.

Apple famously told the FBI to go pound sand when asked to help access an iPhone in an actual terrorism case (i.e. it wasn't about going after dissidents or journalists or anything), even though such help was definitely within Apple's technical power.

Now, while admitting that I am in no way claiming the US is perfect, does anyone actually think something even remotely similar would ever happen between a Chinese company and the Chinese government?

There is a good book on the American surveillance apparatus, Means of Control by Byron Tau. People are a lot more watched than they think.

The Apple example is well-known because it is an exception. Much more common is not only compliance but making an entire business out of selling private data to the government.

https://theintercept.com/2022/04/22/anomaly-six-phone-tracki...

It really doesn’t matter that China is worse. It’s not a competition. The fact that people in other places have even less privacy doesn’t make me feel better.

> It really doesn’t matter that China is worse. It’s not a competition. The fact that people in other places have even less privacy doesn’t make me feel better.

This is exactly the sentiment I wanted to convey. I'd feel far more comfortable if we didn't settle for "at least we're not as bad as..." levels of rhetoric. Unsavory surveillance practices in one country shouldn't give us a justification to accept the declining status quo here.

Whataboutery has become increasingly common post-Patriot Act America, especially as surveillance technology improved in the smartphone, always-connected age.

It was common to criticize the USSR/Iron Curtain countries for encouraging citizens to spy and report on each other. Today, in the world after the 2013 NSA revelations, Ring.com cameras, Alexa smart speakers, bossware apps and Palantir, surveillance is a "market opportunity".

This thread is about China?

> Now, while admitting that I am in no way claiming the US is perfect, does anyone actually think something even remotely similar would ever happen between a Chinese company and the Chinese government?

Yes. We've seen the back and forth with e.g. Jack Ma. It doesn't happen as publicly because it's not such good marketing in China, but of course it happens.

Wasn't the result of this that Jack Ma disappeared for a while and when he reappeared he sang the praises of the government?

One of the results, yes. That's good marketing in China. What kind of things you see in the papers tells you something about how a country operates, but not a whole lot about how much access TPTB are actually being given to your messages, which is presumably the thing you care about.

Apple famously positively answers 80% of all government data requests. No idea why people think Apple is somehow special with your privacy, it isn't.

Ex. https://www.statista.com/statistics/1412550/apple-share-user...

They sure did! They also (was it around that time? I forget...) pushed pretty hard for everything to be stored in iCloud, where coincidentally it's not protected by any of the on-device security and can (as I understand it) be legally requisitioned by the authorities. Happy to be corrected (with sources) if I'm wrong here but otherwise this seems very much on par.

Chinese companies are the government heh

Whatever slim you want to think your recourse is in the US, it is FAR better and broader than in the country that has uncounted mobile execution vans with zero available records of who is executed.

At least the US is trying to be a democracy, and has largely functioning checks and balances.

CCP is flat-out 'you cannot even talk or access information on things that make us look bad, such as Tibet or Tiananmen Protests' and 'make the wrong criticism at the wrong time and it is over for you'.

There is a MASSIVE difference. Playing false equivalence games will end very badly.

> Playing false equivalence games will end very badly.

Okay: Chinese report higher satisfaction with their government and the direction their country is headed in than virtually any Western nation and much more than in the US. The Chinese economy is doing the opposite of enshittification, whereas the US is openly embracing the trend at this point with inflation / capital strikes, shrinkflation, consolidation, rent-seeking, and overall lower quality of goods and services. The home ownership rate in China is about 90%. Real wages in China are steadily rising and have been for decades - in the US they are falling and have done for decades.

America's primary means of diplomatic leverage is military domination but it can't even prevent the Houthis from a virtual blockade of the Red Sea and sea traffic through there has dropped 90%. Meanwhile China is transforming entire continents with its superior industrial capacity and soft power. They are the world leader in clean energy research and production. They got kicked out of the International Space Station so they built a better one and left an open invitation to the nations that kicked them out of the ISS, to join them on the Tiangong Space Station after they come to their senses.

China has already won. Chinese socialism, won. If there is a positive future for humanity at this point, it is in China and China alone. The West is still coming to grips with this. Posts like yours are transparently cope.

China is still a developing nation. China is winning at the junior economic Olympics. The same way all the major 1st world economies dominated it when they were developing.

Come back and wave your victory banner when China has a $60k GDP per capita and has the current growth trends it does. It needs to increase its GDP 500% before that happens though...

GDP per-capita only works if you're comparing places with similar costs to live and costs to produce.

It's nearly meaningless to use it as a measure of individual quality-of-life without correlating it to the price it costs to produce/consume goods.

This is why the military spending arguments are so weird comparing the US and China. Even omitting the weird bookkeeping that keeps their defense budget supposedly low, it costs much less to produce military goods/services than here.

China is the workshop of the world, what are you even talking about? Their infrastructure is more developed (and more advanced) than most places in the US.

You seemed to be confused by the fact that China hasn't financialized their economy and turned it into a giant Ponzi scheme / wealth extraction machine. That's the point: they're trying to avoid the terminal rent-seeking behavior endemic to Western economies.

I was not talking about false equivalence about their economic status; I was talking about falsely equating or 'whatabout-ing' their human rights status.

And if you think that polls of life satisfaction are meaningful among a population who are forbidden to criticize their govt except in limited ways (e.g., local officials), I'd like to talk about some fantastic oceanfront land in Kansas...

Economy? Of course people are happier to have a change from abject poverty, but it is entirely based on unfair export trade practices and highly leveraged investments both official and shadow-banking. At this point both are extremely fragile as the democracies start to catch on and the over-leverage starts to work against it. Even the massively over-inflated official growth numbers have tanked. On the economy, I'd choose to be in the USA over China, no hesitation.

"Transforming entire continents"? You mean making extortionate loans to impoverished countries to build their own ports and extract resources? Again, that has limited runway as people figure out that it isn't such a good deal.

And I notice that you entirely avoided the human rights citizen security issue. Yes, the US has corporate over-harvesting of data, and govt agencies can buy and/or demand access to the data. We also have court processes. Meanwhile, China has OFFICIALLY one party, a massive and highly intrusive surveillance and censorship apparatus second to none in the world, and mobile execution vans literally seizing and executing people on the street by the tens of thousands or more, but there are no public records. Again, no contest, USA is massively qualitatively and quantitatively better.

Serious question, if you don't think so, why haven't you moved to China? I'm sure they'd welcome such an advocate.

> China has OFFICIALLY one party, a massive and highly intrusive surveillance and censorship apparatus second to none in the world

Second to ours.

> mobile execution vans literally seizing and executing people on the street by the tens of thousands or more

Absolute nonsense.

> my trust in the American legal system has been waning.

Why? We just watched a former POTUS and the current POTUS's son get convicted of felonies in courts with juries. Is there a better test of the legal system?

Yikes, you must not have been following the cases or know the laws very well if that’s your takeaway from those.

Why yikes? I followed the former POTUS's trial closely.

Do you think that national security warrants and subpoenas actually stand up to evidentiary claims? It’s not like the US actually cares and does the right thing— it’s just force hidden behind “process”.

> China doesn't bring evidence to a judge in order to get a subpoena for data

Do you think that e.g. FISA courts or the CIA kidnapping random civilians based on their name/watch type have a high threshold of evidence?

> China doesn't bring evidence to a judge in order to get a subpoena for data. They just go to DJI and get it. DJI has zero legal recourse if the CCP wants access to all DJI's stored data. Doesn't matter where that data is stored.

Is this an assumption or do you have first-hand knowledge of how this works operationally, in practice?

I remember reading somewhere that all large companies in China are effectively state-owned, they basically always have a CCP member of the party on their board, which even the CEO is beholden to.

> In China you cannot not be explicitly a CCP data-collection front

Unintelligible.

Rewrite as “in China it’s very hard to avoid turning over data to the CCP.”

It's a written rebuttal mirroring the original wording. This is a common writing and debate style; please don't ask people to rewrite their posts when it is fairly clear what they meant!

> China is not the US

Not a very good comparison in terms of the state forcing companies to give out their customers' data...

Also love how, in your opinion, anyone pointing this out must of course be a conspiracy nut.

> For the whataboutists: Yes, everyone is aware that American three letter agencies have backdoor access to every computer, broken RSA and AES, and control the USA's puppet government. Thanks.

You're deliberately overstating the issue, to the point of absurdity, to avoid legitimate criticism. Three-letter agencies do have a high level of access to this data, and in many cases that's because the companies involved just voluntarily hand it over (no need to get the courts involved). Even when the courts do get involved, these are secret courts where the decisions are classified, and in any case from what we do know they act as a rubber stamp anyway.

So, this is a matter of the US wanting access to that data in addition to, or possibly exclusive from, the CCP. Frankly, as I'm not currently under the jurisdiction of the Communist Party of China, I'd prefer they have unlimited access to that data as opposed to the US government, if I have to choose one or the other.

Ahaha, as opposed to the US where... 3-letter agencies don't bring evidence to a judge, they just go to Google/Meta to get it.

Pointing out obvious bad-faith hypocrisy is actually called "whataboutism", you're doing a hecking fallacy!!

This is absolutely a false equivalence.

Google and Meta choose to give the government all sorts of data that they're not required by law to give, because they don't see it as worthwhile to go to bat for their users. You can choose to use a vendor who will protect your privacy and demand full due process on the part of government requestors.

In China there is no due process and no choice of vendors who would demand it, even if they could.

Aw yes, a $15B company that is “lazy”.

It is amazing how much leeway enormous companies can get by claiming ignorance or laziness.

I haven't used a DJI drone since I got my Spark, so this is a few years out of date, but when I set that up the procedure was incredibly locked down and invasive. You had to install the app, which had to have full access to everything, and which had to have an active internet connection to update the drone firmware. So at the least, it was extorting your physical location, details of any wifi network, access to phone photos, and iirc a bunch of other stuff (like I said it was a few years). The whole way through the app took a very authoritative tone ("do X, do Y, you must do Z") as well. I used a dedicated second hand phone with no SIM card (after initial setup) but it was still uncomfortable and there's no way in hell I'd have allowed the app on my main phone. No idea what it's like now but I'd be amazed if it's more free or respectful of privacy.

I don't think they're a CCP front, and their actual core product engineering is amazing, but my understanding is that like any sufficiently large organisation in China (or any country, I guess) they must comply with government instructions.

Their newer drones support DJI RC[0] so you don't have to worry about installing their app on your phone and giving all the permissions. I use it with my DJI Mini 3 Pro; another advantage is that you don't have to worry about phone battery.

[0] https://www.dji.com/rc

> sufficient product telemetry is indistinguishable from surveillance malware

Isn't this mandatory given the restrictions required of them to disallow flying in banned areas?

No; this functionality is actually accomplished in a reasonable way, with a local database stored on the drone and checked by the drone's flight control software, and exemptions granted by uploading a signed payload to the drone detailing an unlock region and timeframe.

It's also worth noting that these restrictions aren't government imposed in countries besides China, and aren't government-linked besides a request-based "please make this location a no fly zone" process - DJI basically just exported a Chinese concept with hope of building goodwill internationally, and the no-fly zones were invented by DJI from public land use data. That's why other drones don't have no-fly zones but are still allowed for sale, there are frequent mismatches between DJI no-fly zones and real no-fly zones (both false positive and false negative), and why DJI disabled their own no-fly zone feature in much of Europe earlier this year (European mandated no-fly rules passed the responsibility to the consumer instead).
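The offline design described in the comment above (a no-fly database checked on the drone, with exemptions delivered as a signed payload naming an unlock region and timeframe), as an added example that is not part of the thread and not DJI's code. The field names, zone entry, serial binding and key are constructed assumptions, and HMAC-SHA256 stands in for the vendor's signature scheme, which the thread does not describe.

```python
import hashlib
import hmac
import json
import math

# Constructed values: key, zone list and field names are assumptions, not DJI's.
# HMAC-SHA256 stands in for the vendor's (undescribed) signature scheme; a real
# drone would verify with a public key so it never holds a signing secret.
VENDOR_KEY = b"constructed-demo-key"
NO_FLY_ZONES = [("demo-airport", 37.6190, -122.3750, 5000.0)]  # name, lat, lon, radius_m


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def sign_unlock(fields, key=VENDOR_KEY):
    """Vendor side: serialise the unlock canonically and attach a tag."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_unlock(payload, serial, key=VENDOR_KEY):
    """Drone side: return the fields only if the tag is valid and the
    unlock is bound to this airframe's serial; otherwise None."""
    try:
        body = payload["body"]
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, payload["tag"]):
            return None
        fields = json.loads(body)
        return fields if fields["serial"] == serial else None
    except (KeyError, TypeError, ValueError, AttributeError):
        return None


def covers(fields, lat, lon, now_ts):
    """True if a verified unlock covers this position at this time."""
    if fields is None:
        return False
    try:
        in_time = fields["not_before"] <= now_ts <= fields["not_after"]
        in_area = distance_m(lat, lon, fields["lat"], fields["lon"]) <= fields["radius_m"]
    except (KeyError, TypeError):
        return False
    return in_time and in_area


def flight_allowed(lat, lon, now_ts, serial, unlocks=()):
    """Fully offline decision. Returns (allowed, blocking_zone_name)."""
    for name, zlat, zlon, radius in NO_FLY_ZONES:
        if distance_m(lat, lon, zlat, zlon) > radius:
            continue  # not inside this zone
        if not any(covers(verify_unlock(u, serial), lat, lon, now_ts) for u in unlocks):
            return False, name  # inside a zone with no valid unlock: fail closed
    return True, None
```

Nothing in the decision path touches the network: the only inbound data is the zone list and the unlock payload, and an edited or expired payload leaves the zone locked.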

No-fly zones and unlocks are exactly why we went over to Autel and I hope they aren't next.

You don't need to phone home in order to implement no-fly zones. All you need to do is download the latest flight restrictions, which could most easily be done anonymously.

So many things don't need pervasive surveillance and privacy violations... yet it seems everything does it regardless, from the largest social media down to the most insignificant bank or government app you need to conduct your life.

What I heard (third hand knowledge) is that the DJI Android software stack can't handle AABs and for some reason it's easier for them to just get people to sideload instead of fixing their toolchain.

At least on some Android based DJI products, the device OS does not include Google services. If AABs are dependent on Google Play being installed, then this would be correct. Side loading is absolutely viable for APKs, as are third party app stores. I am not an Android developer.

What's an AAB?

What about consumer apps in Local Data Mode?

Overall what I'd say about DJI is that they seem to be earnestly trying to make their features work at face value.

That is, if you opt out of data collection, they seem to be earnestly _trying_ to disable data collection. Unfortunately their apps are a spaghetti monster disaster and it's very difficult for them to get things right, so DJI frequently introduce new features or libraries which contain telemetry they've forgotten to disable. In my experience they do this more often in consumer apps than enterprise apps. I think they might actually have some kind of automated testing or audit applied to their enterprise apps.

Whether this is a conspiracy to introduce subtle surveillance bugs or simple hardware-company-making-software incompetence is of course an exercise left to the reader's paranoia level.

Anyway, I just use DJI RCs and forget network credentials. This limits the DJI bug/malice blast radius surface area to an acceptable range to me, and that's the advice I'd give others, too.

This is a naive take. I'm wondering if it's intentional disinfo.