DJI Passes Critical Data Security Compliance in the US and Canada

Mavic 3 classic

DJI has passed the Cryptographic Module Validation Program (CMVP), a critical security benchmark that was jointly established by the United States Department of Commerce and the Canadian Center for Cyber Security.

The drone and robotics company says that its DJI Core Crypto Engine has passed the CMVP and been granted Federal Information Processing Standard (FIPS) 140-2 validation by the U.S. and Canadian Governments. This standard, which is globally recognized, ensures that the hardware validated meets specific security requirements, DJI explains.

DJI says that from this point on, all DJI drones containing the DJI Core Crypto Engine ensure that whether flown for leisure or operated for business, its customers are “treated to trusted, authoritative, and globally recognized security standards.” The company says that this is particularly key for its customers in enterprise and the government, both of which require the specification.

“When it comes to data, DJI has very strong principles around transparent usage, security, and privacy. We truly believe that ‘customer data is none of our business’ and understand how important data security is for the people, businesses, and government agencies that rely on our platforms,” Christina Zhang, Senior Director of Corporate Strategy at DJI, says.

“This encryption validation is testament to how tirelessly we strive to make customer data and privacy more secure by tightening existing systems, innovating new ones and embracing new methods and technologies.”

DroneDJ reports that it’s not clear if the Core Crypto Engine models are being used by all drones and aircraft that DJI manufactures or if it is specific to its enterprise-level products. The company’s data security web page doesn’t clarify either way either, though the header graphic does appear to present a more business-focused use case. That said, given the company’s language, it is likely that DJI will add the Core Crypto Engine to all its drones going forward.

DJI has put together a web page that explains its stance on protecting customer data, where it says that it will not sell user data to advertisers.

“We believe it’s important for all DJI users to know we do not sell user data to advertisers. That’s not our business model and it never will be. It’s also, frankly, none of our business. We just want you to enjoy the experience of flight and take incredible photos and videos,” the company says.

Whether or not this validation changes how the United States government views DJI remains to be seen. The company was placed on the Commerce Department’s Entity List in 2020, which is colloquially referred to as a the “economic blacklist.”

Image credits: DJI