The I.C.E. memo focused on the drones used by companies and institutions, not the drones flown by hobbyists in the United States and elsewhere. D.J.I. dominates the overall drone market, with a nearly two-thirds share in the United States and Canada, according to Skylogic Research, a drone research firm. To grow beyond hobbyists, the company has been targeting commercial customers, like utilities, law enforcement and property developers.
The allegations could not be independently confirmed, and a spokeswoman for I.C.E. declined to comment. In a statement to The New York Times, a D.J.I. spokesman said that users can control how much access the company can have to their data and that it shares data only “pursuant to appropriate legal process.”
The accusations point to a broadening debate in both the United States and China over how to secure vast data reserves that are being vacuumed up by commercial technology companies. Likened by metaphor-minded tech types to gold or oil, data has become a hugely valuable way to suss out market trends and target ads.
Now equipped with remote sensing technology to monitor crops, infrared scanners to scrutinize power lines, cameras and tracking systems, drones — much like smartphones — are the stuff of espionage dreams. Customers often have little knowledge of where their data might end up, experts said, while D.J.I. and others give themselves considerable leeway in the fine print of their user agreements to transfer data across borders.
American intelligence and political circles are beginning to consider how companies and governments manage the data they collect. Given that major Chinese companies must maintain close ties to the government, new China tech players like D.J.I. have raised particular concerns.
This summer, the United States Army issued guidance calling for forces to stop using D.J.I. drones because of unspecified security vulnerabilities.
Yet those worries have not spread widely to customers, according to Colin Snow, chief executive of Skylogic.
“Only those few who use drones around critical infrastructure are concerned and chose not to use D.J.I.,” Mr. Snow said in an email. “The rest don’t care because of the price/benefit of D.J.I. aircraft.”
Chinese officials expressed similar concerns in the wake of Edward J. Snowden’s disclosures that American companies aid in Washington’s electronic espionage efforts. A recent cybersecurity law calls for companies like Microsoft and Apple to store data within China’s borders. Earlier this year Apple said it would build a new data center in China to meet that requirement.
The I.C.E. memo listed what it said were a number of examples of D.J.I. drones used in potentially sensitive areas. It said that a Department of Homeland Security facility built to study diseases that threaten American agriculture and public health used D.J.I. drones to assist with construction layout and security. The agency did not respond to a request for comment.
The memo said in other cases, water reserves, power plants, rail hubs and other large-scale infrastructure were often monitored by Chinese-made drones.
“Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction,” the memo said.
D.J.I. said that consumers have total control over whether to upload data, such as flight plans and video, to the company’s servers. Yet like many apps, the company’s software encourages such uploads. D.J.I.’s app offers an automatic function to store user flight logs periodically, though it can be turned off. Out of concerns about data protection, the company added a feature last year that allows a drone pilot to cut off any connection to the outside internet while flying.
A new D.J.I. product, set up to help large companies, government agencies, farms and law enforcement manage drones, uploads a large amount of critical data — like flight plans, video and location — to servers. D.J.I. said it was working out the terms of service for the product, and will likely include an option to allow companies to store data on their own servers.
Similar concerns have emerged in China over Apple’s products. In particular, state-run media have shown how the iPhone keeps track of a user’s commonly visited locations. Turning off the function requires a journey deep into the phone’s settings. Apple has said it has strong data privacy and security protections in place in China.
For D.J.I., questions about its data storage practices are not new. Last year company officials told The New York Times that it complied with Chinese government requests to hand over data it collects in China and Hong Kong.
More recently, one security expert outlined how D.J.I. left key digital information accessible to the public that could allow someone to look at customer data on its servers, including military and government flight logs. In a statement, D.J.I. said it hired an independent cybersecurity firm to investigate the report and the impact of any unauthorized access to consumer data.
Dan Tentler, founder of Phobos Group, a computer-security company, said such weaknesses were often a bad sign.
“In my experience doing security assessments I’ve never found a massive pile of egregiously staggering security problems somewhere to then find a shining, palace of hardened impenetrable security elsewhere in the org,” he wrote in a Twitter message.
In terms of companies with major security vulnerabilities in one part of the company, he added, “it’ll be a Dumpster fire the whole way through.”
An earlier version of this article gave the wrong surname for the chief executive of Skylogic, a drone research firm. He is Colin Snow, not Pine.