Comment by TheChaplain

Anti-reversing. Obfuscation and packers are dominant in Chinese applications. If something isn't obfuscated, it's free reign for competitors.

> Leaving the door propped open for everyone is also plausible deniability for doing bad things.

We completely agree here, see "sufficient product telemetry is indistinguishable from surveillance malware." I personally don't think this justifies a blanket ban on a technology; if it did, the world would need to be a very different place.

I fly over 55lbs drones for a living and they all have manufacturer black boxes, mandated by regulation, to say "A drone company has ZERO business collecting flight log information" is wrong.

> arranging it so that DJI "just seems to never be able to" hire any security experts

They're foot-nuking themselves this way, as well. Due to their poor security, DJI are also easily compromised by Western interests and collect a ton of data about Chinese drone operations. I suppose someone could argue they decided that this is worth the cost of the operation, etc., but it seems... odd.

> hire product managers from a pool trained on CCP-sponsored university programs and industry media sources, that have those product managers parroting "useful" beliefs like "more analytics is always better."

The CCP don't need to do any work to make this happen. I totally agree that they benefit, thus my "indistinguishable from malware" comment. But this is how product management works worldwide. Maybe the modern obsession with product telemetry has been a years-long deep intelligence op, but I think it's easier to attribute to standard corporate behavior.

I wasn't exactly going for "DJI is great" - it's kind of funny that's how it came off.

My points were:

* DJI's use of Secneo on Android isn't hiding a "sendAllYourPhotosToTheCCPServerNow" function. This seems obvious but I've seen this take everywhere.

* However, DJI's apps are loaded with telemetry that's indistinguishable from malware. They ARE full of shady things.

* I wouldn't run a DJI app on my own phone.

* I would use a standalone DJI remote for most low to medium assurance applications, because while the shadiness remains in many ways, the threat model is easy to understand and boundaries are pretty easy to draw.

To start: I do not trust the CCP, but my trust in the American legal system has been waning.

What's the legal recourse for a US Citizen served with a dodgy FISA-related subpoena/warrant?

Or if a government agency wants to purchase tracking data that includes my phone from a data collection agency? Say the state of Texas purchases geotracking data for app users who cross state lines.

do you think that national security warrants and subpoenas actually stand up to evidentiary claims? it’s not like the US actually cares and does the right thing— it’s just force hidden behind “process”

> China doesn't bring evidence to a judge in order to get a subpoena for data

Do you think that e.g. FISA courts or the CIA kidnapping random civilians based on their name/watch type have a high threshold of evidence?

> China doesn't bring evidence to a judge in order to get a subpoena for data. They just go to DJI a get it. DJI has zero legal recourse if the CCP wants access to all DJI's stored data. Doesn't matter where that data is stored.

Is this an assumption or do you have first-hand knowledge of how this works operationally, in practice?

I remember reading somewhere that all large companies in China are effectively state-owned, they basically always have a CCP member of the party on their board, which even the CEO is beholden to.

> In China you cannot not be explicitly a CCP data-collection front

Unintelligible.

Rewrite as “in China it’s very hard to avoid turning over data to the CCP.”

> China is not the US

Not a very good comparison in terms of the state forcing companies to give out their customers' data...

Also love how, in your opinion, anyone pointing this out must of course be a conspiracy nut.

> For the whataboutists: Yes, everyone is aware that american three letter agencies have backdoor access to every computer, broken RSA and AES, and control the USA's puppet government. Thanks.

You're deliberately overstating the issue, to the point of absurdity, to avoid legitimate criticism. Three-letter agencies do have a high level of access to this data, and in many cases that's because the companies involved just voluntarily hand it over (no need to get the courts involved). Even when the courts do get involved, these are secret courts where the decisions are classified, and in any case from what we do know they act as a rubber stamp anyway.

So, this is a matter of the US wanting access to that data in addition to, or possibly exclusive from, the CCP. Frankly, as I'm not currently under the jurisdiction of the Communist Party of China, I'd prefer they have unlimited access to that data as opposed to the US government, if I have to choose one or the other.

Ahaha, as opposed to the US where... 3-letter agencies don't bring evidence to a judge, they just go to google/meta to get it.

It is amazing how much leeway enormous companies can get by claiming ignorance or laziness.

Their newer drones support DJI RC[0] so you don't have to worry about installing their app on your phone and giving all the permissions. I use it with my DJI Mini 3 Pro, another advantage is that you don't have to worry about phone battery

[0] https://www.dji.com/rc

No; this functionality is actually accomplished in a reasonable way, with a local database stored on the drone and checked by the drone's flight control software, and exemptions granted by uploading a signed payload to the drone detailing an unlock region and timeframe.

It's also worth noting that these restrictions aren't government imposed in countries besides China, and aren't government-linked besides a request-based "please make this location a no fly zone" process - DJI basically just exported a Chinese concept with hope of building goodwill internationally, and the no-fly zones were invented by DJI from public land use data. That's why other drones don't have no-fly zones but are still allowed for sale, there are frequent mismatches between DJI no-fly zones and real no-fly zones (both false positive and false negative), and why DJI disabled their own no-fly zone feature in much of Europe earlier this year (European mandated no-fly rules passed the responsibility to the consumer instead).

You don't need to phone home in order to implement no-fly zones. All you need to do is download the latest flight restrictions, which could most easily be done anonymously.

At least on some Android based dji products, the device os does not include Google services. If aabs are dependent on Google Play being installed, then this would be correct. Side loading is absolutely viable for apks, as are third party app stores. I am not an android developer.

what's an AAB?

Overall what I'd say about DJI is that they seem to be earnestly trying to make their features work at face value.

That is, if you opt out of data collection, they seem to be earnestly _trying_ to disable data collection. Unfortunately their apps are a spaghetti monster disaster and it's very difficult for them to get things right, so DJI frequently introduce new features or libraries which contain telemetry they've forgotten to disable. In my experience they do this more often in consumer apps than enterprise apps. I think they might actually have some kind of automated testing or audit applied to their enterprise apps.

Whether this is a conspiracy to introduce subtle surveillance bugs or simple hardware-company-making-software incompetence is of course an exercise left to the reader's paranoia level.

Anyway, I just use DJI RCs and forget network credentials. This limits the DJI bug/malice blast radius surface area to an acceptable range to me, and that's the advice I'd give others, too.

Why BS? The US government can jail me; the Chinese government cannot. I therefore fear surveillance by the US government more than I fear surveillance by the Chinese government.

Now, in an ideal world, I want neither China nor the US monitoring me, nor anyone else. But for me personally, the downside from the US monitoring me is larger.

That line of reasoning seems sound to me. If you see a flaw in it, state what the flaw is, rather than just labeling it "BS".

State your reason - I'm in the same boat as dheera and I'm curious.