(with inputs from Nikhil Pahwa)

Chinese mobile maker Xiaomi has been accused of violating user privacy, but the company has until now maintained its stance that it is not accessing user’s confidential information. That was until last week, when security firm F-Secure found that Xiaomi’s MIUI-based smartphones are indeed sending user data – including text messages, contacts, phone numbers, ISP’s name, IMEI number and other details – back to Xiaomi’s server, whether you sign up for the company’s cloud-based services or not.

F-Secure also found that this data wasn’t encrypted. In simplest terms, it means that anyone using a packet sniffing tool among many other ways could look at your personal data.

MIUI is a heavily customized version of Android, and offers cloud messaging service in its devices. This service allows its users to send and receive text messages for free. The text messages are routed via IP instead of carrier’s gateway.

The Chinese company has for the first time acknowledged that its phones are sending text messages back to its servers. However, the company says that this was being done to test whether text messages sent out by a user could possibly be sent over using data connection instead of carrier’s SMS  gateway to save user’s money. Xiaomi’s VP Hugo Barra also mentioned that this option is turned on by default:

“As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users.  We have scheduled an OTA system update for today (Aug 10th) to implement this change.  After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.”

Xiaomi’s stance on how it deals with user’s data

Barra has shared details of how MIUI’s Cloud Messaging worked:

“- The primary identifiers used to route messages are the sender and receiver’s phone numbers.  IMEI and IMSI information is also used to keep track of a device’s online status.

– When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP.  If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.
– When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user).  This allows the sender to immediately know whether they can text that user without incurring SMS costs.
– In any of these flows, the receiver’s phone number is only used to look up online status and to route messages.  No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.”

It should be noted that, in an interview with The Economic Times, Manu Kumar Jain, general manager and head of India operations, Xiaomi Corporation had said that the company keeps all the data confidential. “We have already issued an official statement about it. I can give a personal guarantee that all the data is confidential and we are not sending it to anybody.

Unencrypted data isn’t confidential, and while the company had stated that it uses strict encryption algorithms to protect user privacy, the F-Secure report suggests otherwise. Some statements on the MIUI, prior to the F Secure note:

MI India’s Facebook page had stated that

“MIUI does not secretly upload photos and text messages”… “MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy.”F-Secure’s investigation found that MIUI-based smartphones do upload texts. It also found that MIUI requests for personal data as well, and it does so every time a user tries to send a text message.

“Q: Does Xiaomi upload any personal data without my knowledge?
A: No. Xiaomi offers a service called Mi Cloud that enables users to back up and manage personal information in the cloud, as well as sync to other devices. This includes contacts, notes, text messages and photos. Mi Cloud is turned off by default. Users must log in with their Mi accounts and manually turn on Mi Cloud. They also have the option to only turn on backup for certain types of data. The use and storage of data in Mi Cloud fully respects the local laws of each country and region. Strict encryption algorithms are implemented to protect user privacy.”

In a statement, the company mentioned that it stores consumer’s data in China, but said it only does so if the user has opted for it. That’s not true either, as has been subsequently acknowledged by the company.

Indian Regulators need to take note

Chinese OEM Xiaomi is one of the fastest growing smartphone manufacturers. Its low-priced premium devices has created a stiff competition for other mobile makers. Xiaomi’s former flagship smartphone Mi3 recently arrived in India and was very well received. The handset could possibly soon dominate the market as well. As far as the privacy of a user is concerned, Indian regulators need to keep an eye on it , and ensure that the data of Indian consumers is not being funneled to China. That reminds us: what about the NSA?

Here’s how the NSA snoops on India