In the early days of cloud computing, some people argued that for privacy and security reasons — or sometimes simply to boost local businesses — it would be better to store data domestically. Foreign firms, they argued, cannot be trusted. This policy, known as data localization, unfortunately has since become widespread, raising cloud computing costs for businesses and undermining the global free flow of data that underpins international trade and commerce. Moreover, the policy serves virtually no purpose, since the privacy and security of data stored in the cloud depends on the technical controls used to safeguard it, not where it is located.
Many countries are waking up to this problem and taking steps to roll back such measures, but it appears not enough policymakers learned their lesson, as history seems to be repeating itself with another emerging technology: drones. (Full disclosure: Chinese drone manufacturer DJI provides financial support to the foundation we work for.)
The U.S. Justice Department’s Office of Justice Programs (OJP) revised its drone purchasing policy in October, prohibiting the use of OJP funds to purchase drones manufactured by a “covered foreign entity” — which it defines as any entity that is “subject or vulnerable to extrajudicial direction from a foreign government.”
Meanwhile, almost a year after it temporarily grounded its entire drone fleet because all its drones were either made in China or with parts from China, the Interior Department issued a memo incentivizing the use of U.S.-made drones from the Defense Department’s “Blue sUAS” list. DOD announced this list of government-approved drones in August, naming five U.S. companies — Altavian, Parrot, Skydio, Teal, and Vantage Robotics — as alternatives to foreign drone manufacturers. In its October memo, the Interior Dept. exempted the use of Blue sUAS from approval and reporting requirements.
These policies restricting foreign-made drones serve no real purpose because the security of drones doesn’t depend on where they are made.
Domestic drones can be hacked, and foreign drones can be secure.
Defenders of these policies allege drones might be secretly sending sensitive data abroad. But the risk of a backdoor is minimal for many reasons, including the fact that most drones are not connected to the internet and drone operators could inspect any network traffic from these devices to quickly pinpoint any nefarious activity.
Broad restrictions like those the departments of Justice and Interior are implementing limit the government’s options and could lead to reduced adoption of drone technology. They also create a false sense of security, where the government and the public assume domestically manufactured drones are secure, even though this may not always be the case.
By limiting which drones the federal government buys, these policies limit access to the best, most secure technology. Moreover, if other countries copy this model of prohibiting drones based on their country of origin, it would restrict U.S. drone companies from exporting their products and services just as data localization policies have hurt U.S. cloud providers. Many countries follow the U.S. government’s lead, so the departments of Justice and Interior should end their restrictions on foreign-made drones and instead evaluate the security of drones based on an evidenced-based assessment of risks.
Daniel Castro is vice president at the Information Technology and Innovation Foundation (ITIF) and director of ITIF's Center for Data Innovation. He previously worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies.
Ashley Johnson is a research analyst at ITIF. She researches and writes about Internet policy issues such as privacy, security, and platform regulation.