Three Audits Found Nothing. The FCC Banned DJI Anyway.

By Alex Kesselaar · 11 min read

The FCC is accepting public comments on its DJI ban. Before you respond, consider this: three independent security firms audited DJI and found no evidence of data exfiltration. DJI asked for a government audit. Nobody completed one. The ban happened anyway. And the country doing the banning has the most aggressive data compulsion laws on the planet.


This week, the FCC opened a public comment period on its decision to place DJI and other foreign-made drones on its Covered List. If you're an American drone operator, this is your first formal opportunity to tell the regulator how the ban has affected your work.

I fly in Australia under CASA, not the FAA. This isn't my regulatory fight. But I've been watching it for months, because the more you look at how this ban actually happened, the harder it is to see it as anything other than what it is: protectionism dressed in security language, paid for by working professionals who did nothing wrong.


How We Got Here

If you haven't followed the DJI ban closely, here's the timeline. It's worth understanding because the mechanism is almost as concerning as the outcome.

In 2024, the US Congress passed the FY2025 National Defense Authorization Act. Buried in it was a provision that required a US national security agency to complete a formal security audit of DJI within one year. The deadline was December 23, 2025. The law had an automatic trigger: if no agency completed the audit by that date, DJI would be added to the FCC's Covered List. Which meant no new FCC equipment authorizations. Which meant no new DJI products could be legally imported or sold in America.

No agency completed the audit.

But here's where it gets interesting. Instead of just adding DJI to the list, the FCC went broader. An executive-branch interagency body issued a National Security Determination that added ALL foreign-made drones and their critical components to the Covered List. Not just DJI. Not just Chinese manufacturers. All foreign-made drones, unless the Department of Defense or Homeland Security specifically determines that a given drone doesn't pose a risk.

The justification cites "unacceptable risks to the national security of the United States." The concerns include potential data exfiltration, unauthorized surveillance, supply chain dependency on foreign manufacturers, and the broader security environment (drone warfare in Ukraine, upcoming FIFA World Cup and 2028 Olympics security planning).

The ban doesn't ground existing drones. If you already own a DJI that received FCC authorization, you can still fly it. But no new models can be approved, imported, or sold. The supply chain is frozen. And the practical effect for American operators is that their current gear is the last generation they'll get until this is resolved.

So to be clear: the ban wasn't triggered by evidence of a security breach. It was triggered by the absence of an audit. Nobody proved DJI was dangerous. Nobody proved it wasn't. The deadline passed, the automatic trigger fired, and then the scope expanded from two companies to every foreign drone manufacturer on the planet.

That's the regulatory foundation we're dealing with.

The Evidence They Didn't Have

Here's what makes this worse. The ban wasn't just poorly reasoned. It was uninformed.

DJI has been independently audited by three separate security firms: Booz Allen Hamilton, FTI Consulting, and TÜV SÜD. Every assessment found the same thing. No unexpected data transmission. No backdoors. No evidence of data exfiltration to China.

In 2024, FTI Consulting audited the Mavic 3T, the Pilot 2 app, and the RC Pro controller. They confirmed zero outbound traffic when Local Data Mode is enabled. None. The drone talks to nothing.

US user data from DJI products is stored on Amazon Web Services servers in the United States. Not in China. Not on DJI's own infrastructure. On AWS. And since June 2024, US users can't even sync data to DJI's servers. The option was removed entirely.

DJI wrote letters to the Secretary of Defense and five federal agencies, welcoming scrutiny and offering full transparency. They asked to be audited. They asked for the opportunity to respond to specific security findings. Nobody took them up on it. Nobody completed the mandated security review. The deadline passed, the automatic trigger fired, and the ban went into effect based on a classified determination that has never been made public.

Three independent audits found nothing. DJI asked for a government audit. Nobody did one. And the ban happened anyway.

The Part Nobody Wants to Say Out Loud

The stated justification for the DJI ban is that Chinese law theoretically allows the Chinese government to compel Chinese companies to hand over data. That's the entire national security argument. Not that DJI has done this. Not that any evidence exists of it happening. But that the legal framework in China could, in theory, allow it.

Now let's talk about what the United States actually does. Not theoretically. Actually.

FISA Section 702 allows US intelligence agencies, primarily the NSA and CIA, to collect communications of non-US persons located outside the United States without individual warrants. This isn't a hypothetical capability. This is the legal authority behind the NSA's PRISM programme, revealed by Edward Snowden in 2013, which compelled Google, Microsoft, Apple, Facebook, and other US tech companies to provide data at scale.

The CLOUD Act, passed in 2018, goes further. It allows US law enforcement to compel any US-controlled company to hand over data regardless of where that data is physically stored. Your data is on a server in Frankfurt? Doesn't matter. The company is under US jurisdiction, so the data is under US jurisdiction.

This isn't theoretical. The EU Court of Justice has twice struck down data-sharing agreements with the United States because US surveillance law was found to be incompatible with fundamental privacy rights. Safe Harbor was invalidated in 2015. Privacy Shield was invalidated in 2020. Both times, the court found that FISA 702 and related authorities made adequate data protection impossible.

So let's be clear about what is happening here. The United States banned DJI drones because Chinese law theoretically allows data compulsion from Chinese companies. Meanwhile, US law actually compels data from American companies, including data stored on foreign soil, without individual warrants, at industrial scale, and has been doing so for nearly two decades. Every iPhone, every Google account, every Microsoft 365 subscription, every AWS deployment is subject to the same legal framework that the FCC used to justify banning DJI.

The difference isn't the risk. The risk is identical. The difference is which flag is on the building.

This isn't a national security policy. It's protectionism dressed in security language. And every working drone operator in America is paying the price for it.

And They Don't Even Understand What They're Banning

It gets worse. The DJI Osmo Pocket 4 is also blocked from US retail under this ban. The Pocket 4 is not a drone. It's a handheld gimbal camera. It doesn't fly. It has no relationship to airspace, aerial surveillance, flight safety, or any of the national security justifications the FCC cited. It's a pocket camera for vloggers and content creators, and it's caught in a ban that was supposedly about protecting American airspace sovereignty.

If you needed a single data point to prove that this ban has already overreached beyond its stated purpose, that's it. They said this was about drones. Then they banned a camera.

Here's what I think the FCC fundamentally misunderstands about what they've done, beyond the evidence problems, the hypocrisy, and the scope creep.

A DJI Mavic 4 Pro is not a mechanical device. It's not like a tripod, or a light stand, or a camera bag. You can't pick it up and make it do its job through physics alone. Without its software, it is a plastic shell with motors and a battery. It cannot take off. It cannot stabilise. It cannot avoid obstacles. It cannot hold a GPS position. It cannot return home. It cannot fly.

The flight controller is software. The obstacle avoidance is software. The gimbal stabilisation is software. The intelligent flight modes are software. The return-to-home failsafe is software. The geofencing that keeps you out of restricted airspace is software.

Strip the software out and what you have left is not a drone. It's a paperweight with propellers.

The FCC thinks it's banning a piece of Chinese hardware. What it's actually banning is software. Extremely complex, safety-critical software that makes an otherwise inert object fly. And if a regulator can ban the software that makes a drone function, what's the limiting principle?

Every modern mirrorless camera is software-dependent. Your Nikon Z9's autofocus tracking, its subject detection, its pre-capture buffer, its video codecs. All software. Lightroom is software. Capture One is software. DaVinci Resolve is software. Every editing tool you depend on runs on code that could, in theory, be restricted by a regulator who decides the company behind it is a security risk.

I'm not saying camera bans are coming. I'm saying the logic of this ban doesn't stop at drones. The FCC has established a framework where the answer to "could this software be a risk?" is "ban it" rather than "audit it, regulate it, require transparency." That framework is the problem.

What I See From Australia

I operate four DJI airframes for Kess Media: Mavic 4 Pro, Mini 5 Pro, Mavic 3, and Mavic 3 Pro. My drone work covers construction documentation, infrastructure inspection, architectural photography, landscape work, government projects, and events. If I lost the ability to fly DJI, I'd lose a significant capability that my clients rely on.

CASA, the Australian aviation regulator, is frustrating but functional. The approval processes are bureaucratic. The paperwork is real. But CASA listens. There are pathways to get complex flight approvals, and the system, for all its friction, operates on the assumption that operators are professionals who can be trusted to follow the rules.

I don't think a DJI ban is on CASA's radar. I can't see it happening here. But I also thought the US ban was a complete, uneducated overreach that would never actually go through. And here we are, with the FCC accepting public comments on a decision it already made.

My concern isn't that Australia follows the US tomorrow. It's that the precedent normalises the idea that governments can unilaterally kill professional tools. That a regulator can look at an industry full of working operators, farmers, surveyors, filmmakers, first responders, and say: your equipment is now illegal because of where the software was written. Not because of anything you did. Not because of any demonstrated security breach. Because of where the code comes from.

If that logic travels, every country's drone operators are exposed. Not to a ban on buying new gear. To a ban on the software that makes their existing gear function.

The "Just Switch" Fallacy

The standard response to DJI concerns is "just switch to Autel or Skydio." This is advice given by people who have never run a commercial drone operation.

Switching platforms means re-certifying pilots, replacing accessories, adapting workflows, rebuilding client confidence, and accepting a downgrade in capability. Because the uncomfortable truth is that nobody makes anything close to DJI's combination of reliability, feature set, obstacle avoidance, and price. The alternatives are either more expensive, less capable, or both.

If the ban stands and DJI exits the US market permanently, alternatives will eventually mature. Competition will fill the gap. But "eventually" is cold comfort for operators who have contracts to fulfil next month with equipment that works today.

I'd transition if I had to. Autel, Freefly, whoever fills the gap. But let's not pretend that's a neutral choice. It's a forced migration caused by a regulatory decision, not a market one.

What the FCC Should Be Doing Instead

The security concerns around foreign-made drones aren't imaginary. Data sovereignty matters. The question of where flight data is stored and who can access it is legitimate. But the answer to that question is auditing, transparency requirements, and enforceable data handling standards. Not a blanket ban that kills an entire professional ecosystem because it's politically easier than doing the technical work of regulation.

Require DJI to store US flight data on US servers. (They already do.) Require independent security audits. (Three have already been done.) Require open-source verification of data transmission protocols. Require the same standards of every drone manufacturer, foreign or domestic, so the playing field is level and the rules are clear.

That's regulation. What the FCC did is prohibition. And prohibition has never, in the history of regulation, produced the outcome its proponents promised.


The Other Stories This Week

Nikon announced the NIKKOR Z 120-300mm f/2.8 TC VR S in development. A telephoto zoom with a built-in 1.4x teleconverter, giving you 120-420mm in one lens. As a Z9 shooter, this is the kind of glass I've been waiting for. No pricing or availability yet, but the F-mount predecessor was around $9,500 and this will likely be north of $10K. Dream lens territory. I'll be watching.

Another photo contest caught with a questionable image. The National Wildlife Federation disqualified their winner after an owl-and-aurora composite drew accusations of AI generation. This is the third contest controversy in two weeks. The pattern is clear and the industry still doesn't have a framework. I wrote about this last week and nothing has changed.

DJI launched the Lito series for beginners. The irony of DJI releasing a sub-249g drone with omnidirectional LiDAR while its US future is being decided by public comment is not lost on me. They're still shipping products nobody else can match.

Sigma 35mm f/1.4 Art DN reviewed for E-mount. The Art series continues to deliver. If this comes to Z-mount, it'll slot right into the Chinese glass conversation from two weeks ago, except this time it's a Japanese manufacturer responding to the pressure.

The FCC story in context. If you want to read the coverage that fed this essay, Pixelfetch tracked the DJI Pocket 4 being blocked from US retail and the FCC public comment announcement as they happened.


What I'm Actually Thinking

The FCC public comment period closes tomorrow, May 11. If you're a US-based drone operator, submit a comment now. Go to fcc.gov/ecfs/filings/express, enter proceeding number 26-22, and tell them how you use drones and what the ban means for your work. You don't need to be a policy expert. You need to share your story. Even if you think nobody's listening. Even if you think the decision is already made. The record matters. Get your experience on it.

If you're outside the US, pay attention. The logic of this ban doesn't respect borders. It's not a US drone policy. It's a precedent for how governments treat professional tools built by foreign companies.

And if you're a regulator reading this: the audits exist. The evidence exists. The data architecture exists. You just didn't look. That's not a security policy. That's negligence dressed up as national defence.

Same time next week.

Alex Kesselaar is a photographer, drone operator, and the person behind Pixelfetch. He shoots for government and infrastructure clients through Kess Media in Sydney.

Originally published on alexkess.substack.com