How the FCC's technology bans are building the black markets, security vulnerabilities, and institutional corruption they claim to prevent — and why the pattern is as old as regulation itself.
Within four weeks of the FCC's December 2025 ban on new foreign-made drones, Tom's Hardware reported that suspicious DJI clones had appeared on the American market. A company called Xtra, registered in Delaware in March 2025 and operating for less than a year, was offering action cameras that bore a conspicuous resemblance to DJI's product line. Another company, Skyrover, listed in Hong Kong, was selling drones whose profiles matched the DJI Mini 2 SE and Mini 4 Pro closely enough to raise eyebrows. Neither DJI nor the clone brands issued statements about the similarity of their products. Nobody needed them to.
Three months later, the FCC extended the same Covered List framework to consumer routers, banning the import of new models manufactured outside the United States. And three months after that — which is to say, right now — the predictable consequences of both bans are unfolding with the regularity of a chemical reaction. Prices on grandfathered inventory are rising. Supply is thinning. Shell brands are materializing. Power users are sourcing equipment through international channels. And the devices that the FCC says pose unacceptable national-security risks are settling into exactly the kind of unregulated, unpatched, untraceable distribution pattern that makes them most dangerous.
This is not a new phenomenon. It is, in fact, one of the most thoroughly documented dynamics in the history of regulation. When governments prohibit goods for which demand is inelastic — goods that people need, or believe they need, or have built their operations around — they do not eliminate the market. They transform it. The visible, regulated, taxable market becomes an invisible, unregulated, untaxable one. The products do not improve. The prices do not fall. The security does not increase. What increases is the distance between the consumer and any institutional mechanism that might actually protect them.
The FCC's technology bans are constructing, in real time, a case study in prohibition economics. The evidence is already arriving faster than the agency can process conditional-approval applications.
The most complete existing case study is the one unfolding in the GPU market, where U.S. export controls on advanced Nvidia AI chips have produced a black market of remarkable scale and sophistication. Since 2022, the U.S. has progressively restricted the sale of high-performance GPUs to China, beginning with the A100 and H100 and eventually extending to the lower-spec H20, which Nvidia had specifically designed to comply with earlier restrictions. Each time the government drew a line, Nvidia engineered a product that technically fell below it. Each time Nvidia found the gap, the government moved the line again. The result was not the elimination of Chinese access to advanced chips. It was the creation of a multi-billion-dollar smuggling infrastructure.
GamersNexus, in a December 2025 investigative report that involved extensive travel through Asian supply chains, documented the mechanics in detail. Shell companies registered in Singapore and Malaysia purchased servers from Dell and Supermicro containing banned Nvidia GPUs. The servers were then shipped through intermediary jurisdictions. In the Huaqiangbei electronics market in Shenzhen, chip vendors reported engaging in sales involving hundreds or thousands of restricted processors. A company called Luxuriate Your Life — a name that suggests either a remarkable lack of subtlety or a sophisticated understanding of the absurdity of the enterprise — purchased $390 million worth of servers containing banned GPUs before Singapore authorities intervened. When GamersNexus asked a middleman whether Nvidia knew about the grey trade, the response was immediate: "Of course they know... 'Open one eye, close one eye.'"
The Center for Strategic and International Studies, hardly a radical institution, published an analysis in May 2025 acknowledging that the export controls had produced a smuggling ecosystem whose scale could only be inferred from the cases that authorities had discovered by chance. "These incidents, which came to light through happenstance, suggest the existence of larger traffic in smuggled high-end devices," the report stated. CSIS went on to observe that the controls had, as a secondary effect, catalyzed China's domestic chip industry into an acceleration that might not have occurred otherwise. Huawei's 910C GPU entered mass production. China began producing twice as many research papers as the United States on chip design. The strategic objective of the controls — maintaining American dominance in AI computing — was being actively undermined by the controls themselves.
Foreign Policy made the point with characteristic directness in an April 2025 analysis: the tens of billions of dollars in revenue that would have gone to Nvidia and AMD would instead be gradually captured by Chinese AI firms, strengthening their financial sustainability and enhancing their capacity to reinvest in research and development. The ban was not preventing Chinese access to advanced computing. It was funding the development of Chinese alternatives.
The FCC's drone ban is producing the same dynamics at consumer scale, and it is doing so at a speed that should alarm anyone who believes the agency's stated objectives are genuine. DJI, which holds a dominant share of the U.S. consumer and commercial drone market, has filed suit in the Ninth Circuit Court of Appeals, arguing that the FCC caused the company "immediate and grave harm" without ever identifying a specific security threat tied to DJI products. The company projects losses of $1.56 billion in 2026 alone from blocked product launches. Twenty-five new DJI products planned for the U.S. market cannot proceed.
But DJI's losses are not the market's losses. The market adapts. Suspicious clone brands registered in Delaware appeared within weeks of the ban — brands whose products replicate DJI's design language with a fidelity that strains the concept of coincidence. Regulators have already flagged the potential for rebranded products designed to circumvent restrictions. Oregon's Department of Aviation surveyed twenty-five states and projected up to $2 billion in national exposure from the ban's impact on public-safety and government drone fleets. The Texas Farm Bureau warned that agricultural operations dependent on foreign-made equipment have no viable domestic replacement.
First responders — police departments, fire agencies, search-and-rescue teams — are the ban's most immediate and least politically convenient victims. These agencies built their operational capabilities around DJI hardware because nothing else offered comparable performance at a price their budgets could absorb. Now they face a choice between maintaining aging fleets with diminishing parts availability, paying dramatically more for approved alternatives that may not match DJI's capabilities, or finding ways to acquire the equipment they need through channels the FCC would prefer not to think about. Law enforcement, it turns out, is not immune to the logic of prohibition.
The router ban is younger than the drone ban by three months, and its grey-market dynamics are correspondingly less visible. But the structural conditions are identical, and in some respects more favorable to informal markets. Routers are smaller, cheaper, and less conspicuous than drones. They do not fly through regulated airspace. They do not require registration with the FAA. They sit on a shelf in a closet, connected to a cable, doing their work invisibly. The FCC can exert meaningful pressure on Amazon, Best Buy, and MicroCenter. It cannot meaningfully police a MikroTik router ordered from a Latvian retailer and shipped via international post.
The FCC's own rules technically prohibit the importation of covered equipment even for personal use. But the enforcement reality is that Customs and Border Protection is not inspecting parcels for unauthorized radio-frequency devices, and the likelihood of a federal agency pursuing an individual homeowner for operating an uncertified Wi-Fi router is zero. The gap between the law on paper and the law in practice is the space in which grey markets flourish.
The demographics of the router grey market will differ meaningfully from the GPU black market. GPU smuggling is driven by institutional actors — data-center operators, research labs, government entities — moving millions of dollars of hardware through shell companies and fraudulent documentation. Router grey-market activity will be driven largely by individual power users: systems administrators, security researchers, open-source firmware enthusiasts, small-business operators, and the hobbyist community that builds networks for the same reason some people restore cars — because they want to understand and control the infrastructure they depend on. These users are overwhelmingly capable of configuring their own equipment, maintaining their own firmware, and managing their own security. Many of them run OpenWrt, DD-WRT, or similar open-source firmware that is maintained by community developers entirely independent of any manufacturer's update channel. The firmware update cutoff that the FCC has set for March 2027 does not affect them, because they were never dependent on manufacturer firmware in the first place.
The irony is precise: the people who will route around the ban are the people who least need its protection, while the people who most need protection — the eighty-one percent of broadband users who have never changed their default router password, according to Broadband Genie's 2025 survey — are the ones the ban does nothing for, because they already own their routers and will continue operating them, unconfigured and unpatched, until the hardware fails.
The firmware update cutoff deserves particular attention, because it is the point at which the FCC's policy transitions from merely ineffective to actively dangerous. Under the current framework, manufacturers of grandfathered routers can continue pushing security patches until March 1, 2027. After that date, no firmware updates may be delivered to covered equipment without conditional approval from DHS.
The FCC justified the router ban by citing the Volt Typhoon, Flax Typhoon, and Salt Typhoon campaigns — Chinese state-sponsored operations that compromised consumer routers to build botnet infrastructure and penetrate critical systems. The documented evidence from every one of these campaigns, as detailed by the FBI, NSA, CISA, and independent security researchers, shows that the routers exploited were overwhelmingly end-of-life devices running unpatched firmware. The KV Botnet — Volt Typhoon's primary tool — was composed of Cisco and Netgear routers that had stopped receiving security updates. Black Lotus Labs researcher Danny Adamitis told SecurityWeek that the botnet was "made up primarily of end-of-life products that are vulnerable to critical security issues. Vendors have stopped shipping security patches for these devices."
The FCC's policy response to this evidence is to create a deadline after which millions of additional routers will stop receiving security patches. The agency is manufacturing, on a defined timeline, precisely the conditions that enabled the attacks it cited as justification for the ban. By March 2027, every covered router in America that has not received conditional approval will become a permanently unpatched endpoint — the exact profile that Volt Typhoon, APT28, and every other sophisticated threat actor has demonstrated they can exploit at scale.
The Internet Governance Project observed that the policy paradoxically targets the devices most likely to have modern, auto-updating security features while allowing insecure, aging hardware to remain in service indefinitely. Matt Wyckhouse of Finite State noted that no domestic manufacturer currently exists that could replace the banned products. The near-term effect is to freeze the installed base at its current security posture and prevent the introduction of newer, potentially more secure hardware.
This is not a marginal concern. It is the central contradiction of the entire policy. A ban justified by the exploitation of unpatched routers will produce more unpatched routers. A ban justified by supply-chain security will push supply chains underground. A ban justified by the need to protect American infrastructure will leave American infrastructure running on aging, unsupported equipment with no clear path to replacement.
The broader pattern — across routers, drones, and GPUs — reveals something more troubling than mere policy failure. It reveals an institutional dynamic in which regulatory agencies have discovered that technology bans are more politically useful than technology standards, even when standards would produce better outcomes by every metric the agencies claim to care about.
The European Union's Cyber Resilience Act, which entered into force in December 2024, requires all connected devices sold in Europe to meet mandatory cybersecurity standards regardless of country of origin. Unique default credentials. Mandatory vulnerability disclosure. Automatic security updates. Software-bill-of-materials transparency. The EU approach regulates the thing that actually matters — whether a device is secure — without regard to the thing that doesn't — where it was assembled. It is boring, technocratic, effective policy that generates no headlines and advantages no particular company.
The FCC's approach generates headlines. It creates winners and losers. It produces stock-price movements — Netgear up twelve percent the day after the router ban, Asian manufacturers down — that reward politically connected firms and punish their competitors. It gives the chairman material for social-media posts about "American drone dominance" and "safeguarding our homeland." It provides the administration with a narrative of decisive action against foreign threats. What it does not do is improve the security of a single router, because it contains no security requirements whatsoever.
A router manufactured in Texas with default credentials of admin/admin, no automatic update mechanism, and its management interface exposed to the public internet would be fully compliant with the FCC's framework. A TP-Link router manufactured in Vietnam with unique per-device credentials, WPA3 encryption, automatic firmware updates, and a locked-down management interface would be banned. The policy does not distinguish between secure and insecure devices. It distinguishes between domestic and foreign ones. And in so doing, it creates the structural conditions for every pathology that prohibition has produced throughout history: grey markets, shell companies, counterfeit brands, regulatory arbitrage, corruption at the points where enforcement meets commerce, and the systematic erosion of the institutional legitimacy on which effective regulation depends.
The institutional-legitimacy question is perhaps the most consequential of all, because once an agency's credibility is spent, rebuilding it takes decades.
The FCC under Brendan Carr has been unusually forthright about its willingness to use regulatory authority for purposes beyond its statutory mandate. Carr has threatened broadcast licenses to punish unfavorable news coverage of the Iran conflict. He has conditioned merger approval on the elimination of diversity programs and the installation of political monitors at news networks. He has expanded the equal-time doctrine to morning shows and late-night programs. He has publicly advocated for the business interests of SpaceX's Starlink, whose routers are the only consumer networking equipment inherently exempt from the ban he issued. A coalition of more than eighty First Amendment scholars and civil-society organizations accused him of "unlawful jawboning." The Freedom of the Press Foundation filed an ethics complaint against him with the District of Columbia Bar. Former FCC chairs from both parties signed a petition urging the agency to rescind its news-distortion regulation on First Amendment grounds.
This is the institution asking the public to trust that its router ban is motivated by cybersecurity rather than industrial policy, protectionism, or political patronage. The request is not credible. And the loss of credibility matters, because the next time a genuine cybersecurity threat requires a regulatory response, the FCC will need public trust to implement it effectively — trust that it has systematically depleted through a pattern of politically motivated action that has nothing to do with the security of anyone's router.
The economists who study regulatory capture have a term for the end state of this process: institutional decay. It describes the condition in which a regulatory agency has been so thoroughly co-opted by the interests it is supposed to regulate — or, in this case, by the political interests of the administration it serves — that it can no longer perform its legitimate function. The public stops trusting the agency's determinations. Compliance becomes performative rather than substantive. Enforcement becomes selective and politically motivated. And the regulated space becomes, paradoxically, less regulated than it was before the agency intervened, because the intervention itself has destroyed the mechanism of effective oversight.
There is a final irony in the FCC's technology bans that is worth stating explicitly, because it connects the router ban, the drone ban, and the GPU export controls to the same underlying pathology.
In each case, the stated objective is to reduce American dependence on foreign technology. In each case, the actual effect is to reduce American access to the most current, most capable, most secure technology available — while doing nothing to create domestic alternatives that could replace it. The router ban does not conjure an American router manufacturer into existence. The drone ban does not make Skydio's abandoned consumer line reappear. The GPU export controls do not prevent China from developing its own chips; they accelerate it. In every case, the prohibition creates a protected market in which the remaining domestic players face less competition, less pressure to innovate, and less accountability to consumers — while the foreign technology the government banned continues to exist, continues to improve, and continues to find its way into American hands through channels that no regulatory agency can effectively monitor.
The market for prohibited goods is not a market failure. It is a market response to regulatory failure. And the FCC's current trajectory — banning categories of technology rather than setting standards for them, using national-security authority to pursue industrial-policy objectives, wielding regulatory power as a tool of political leverage rather than public protection — is producing regulatory failure at a scale and speed that would be impressive if it were not so dangerous.
The grey markets are coming. In routers, they are already forming. In drones, they have arrived. In GPUs, they are entrenched and expanding. The prices will rise. The supply chains will go underground. The firmware will go unpatched. The shell companies will proliferate. The enforcement actions will be selective, spectacular, and insufficient. And the vulnerabilities that the FCC cited to justify the bans will not diminish. They will multiply — manufactured, at industrial scale, by the very agency that promised to eliminate them.
Prohibition has never worked. It is not working now. It will not work next time. And the people who profit from the attempt — the politically connected firms, the approved incumbents, the regulatory apparatus itself — will be the last to admit it, because for them, the failure is the product.
Sources and documentation: FCC Fact Sheet DOC-420034A1 (router ban, March 23, 2026); FCC Fact Sheet on foreign UAS Covered List update (December 22, 2025); FCC FAQs on Covered List (updated March 31, 2026); Tom's Hardware, "Suspicious DJI clones appear on the market after the FCC banned foreign-made drones" (January 25, 2026); Tom's Hardware, "Here's what the FCC ban on foreign-manufactured routers actually means for consumers" (April 2026); DroneDJ, "25 new DJI launches blocked by FCC, $1.5 billion at stake" (April 22, 2026); DroneXL, "FCC Exempts Four Foreign Drone Models From Import Ban" (March 19, 2026); GamersNexus, "The NVIDIA AI GPU Black Market: Investigating Smuggling, Corruption, & Governments" (December 13, 2025); CSIS, "The Limits of Chip Export Controls in Meeting the China Challenge" (May 2025); Foreign Policy, "Washington May Regret Overextended AI Chip Controls" (April 2025); Tom's Hardware, "Nvidia H100 GPU black market prices drop in China" (May 2024); Broadband Genie Router Security Survey (2025); FBI IC3 PSA260407 (April 7, 2026); SecurityWeek, "US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon"; Dark Reading, "Is the FCC's Router Ban the Wrong Fix?" (March 2026); Oregon Department of Aviation UAS survey (2026); Texas Farm Bureau agricultural drone impact statement; Investing.com, "Netgear stock surges 12% on FCC router import ban" (March 24, 2026); Free Press, "Leading First Amendment Scholars and Litigators Call on FCC to End Unlawful Jawboning" (March 20, 2026); Freedom of the Press Foundation ethics complaint against Brendan Carr (July 2025); DJI v. FCC, Ninth Circuit petition (February 2026).