June 9, 2026
Why Are U.S.-Based Drone Companies Sending Data to China?
Author
The Hidden Security Risks Inside Modern Drone Platforms
Drone data security has become one of the most urgent issues in the commercial UAS market — and the threat may be closer than most operators realize. Many drones sold in the U.S. are transmitting operational data to foreign servers without operators realizing it.
Even if data is hosted on U.S. servers, foreign manufacturers may still be able to access the data. And just because data may initially go to a U.S. server, that doesn't mean it will never go to a foreign server.
That may sound alarmist. Unfortunately, it is also true.
Recently, our team analyzed a third-party drone SDK and discovered that it was communicating with a Chinese-hosted endpoint. The data being transmitted included GPS coordinates, field telemetry, and device identifiers.
Critically, this communication occurred without any obvious notification to the operator.
Many operators assume their data is secure because a manufacturer advertises U.S.-based hosting. But hosting location is only one piece of the security equation.
For example, we’ve seen drone companies publicly demonstrate their ability to view live flight activity occurring thousands of miles away, including flights taking place in the United States. In many cases, operators have little visibility into who can access that information, how long it is retained, or where it ultimately travels.
Federal agencies have been warning about this for years.
In January 2024, the FBI and CISA issued a joint advisory warning that Chinese-manufactured drone platforms and associated software could expose sensitive operational data to the Chinese government. The advisory also warned that software updates could silently introduce new data collection capabilities over time.
This isn’t unique to one platform or one manufacturer. It reflects a much broader issue across the commercial drone ecosystem: Many drone systems are now deeply dependent on software infrastructure that operators, manufacturers, and even some engineering teams don’t fully understand.
And increasingly, that infrastructure is the source of security issues.
“U.S.-Hosted” Does Not Mean “U.S.-Controlled”
Over the past year, we’ve seen several manufacturers respond to growing security concerns by emphasizing that their data is hosted on U.S.-based servers.
That sounds reassuring, but a server’s location doesn’t determine who controls the data.
This is where understanding Chinese law becomes important, not as a political talking point, but as a practical infrastructure issue.
Two laws matter in particular:
Under these laws, Chinese companies can be compelled to provide data access to Chinese authorities, including data collected outside China, with penalties for non-compliance.
In practice, that means “hosted in the United States” is not necessarily the same thing as “operating independently of foreign legal obligations.”
What Secure Drone Infrastructure Actually Looks Like
Security isn't a feature. It's a collection of decisions. At American Autonomy, Inc. we've built our platform around a few simple principles:
1. Keep Data in the United States
Our infrastructure is hosted entirely in the United States on Amazon Web Services. We control the software and the hosting environment ourselves. We do not rely on foreign-hosted services, and no foreign authorities have access to our users’ data.
2. Give Operators Ownership of Their Data
Operators own their data. They can export it. They can share it with the systems they already use. They can request deletion. We don't trap their operational history inside our platform.
3. Build Security Into the Architecture
Security should never be an add-on.
Our systems use role-based access controls, multi-factor authentication, encrypted databases, encrypted network traffic, segmented cloud infrastructure, and least-privilege access policies.
4. Make Every Change Traceable
Every infrastructure change, software deployment, and code update is reviewed, tested, and auditable.
We maintain version-controlled infrastructure, automated testing, dependency audits, and security reviews before changes are deployed.
Most Manufacturers Are Not Asking Enough Questions
One of the most surprising things we’ve learned talking with manufacturers is how often security gets treated as a secondary concern.
Many U.S.-based companies entering the market have decades of experience in manufacturing, sourcing, mechanical engineering, and even aviation systems.
But very few have deep experience building secure software infrastructure.
That gap matters because the next phase of the commercial drone market will not be won solely on aircraft performance. It will also be won on trust.
We see that some drone users — both enterprise customers and individual pilots — are becoming more sophisticated in their requirements. Now that we have seen evidence that the federal government’s warnings are correct, we encourage all buyers to ask the hard questions:
| Questions to Ask | Why It Matters |
|---|---|
| Where is the data hosted? | Determines which legal jurisdictions may access it |
| Who owns the data? | Understand whether there’s vendor lock-in |
| Can data be exported? | Protects operational continuity |
| Who controls updates? | Prevents unreviewed software changes |
| Is multi-factor authentication supported? | Protects accounts from compromise |
| Are permissions role-based? | Limits access to sensitive information |
| Is infrastructure U.S.-controlled? | Reduces dependency on foreign entities |
| What happens if the OEM disappears? | Ensures operators retain access to data |
As we've seen with our own eyes, these are not hypothetical concerns.
Security Is a Product Requirement
The commercial drone industry is entering a new phase. For years, the conversation centered on things like sensors, flight time, and payload size. Those things still matter, but now they’re table stakes.
Increasingly, users are also evaluating reliability, data ownership, how well a platform can integrate with third-party systems, and the OEM’s long-term viability.
We think that shift is healthy. It signals that drones are maturing from isolated tools into established infrastructure.
Trust Must Be Earned
The reality is that no software platform is secure simply because someone says it is.
Security is the result of architecture and where data is stored.
It depends on who controls access as well as how updates are tested.
It comes from whether operators can retrieve their data and continue operating if a vendor disappears.
At American Autonomy, Inc. we've spent years building those protections into the foundation of our platform because we believe trust will become one of the most important competitive advantages in commercial drones.
The next generation of drone platforms will not be judged solely by flight performance.
They will be judged by whether operators trust them with their business.
