Xiaomi MIUI Phones Sent User Data To Chinese Servers Without Consent; Issues a Fix


(with inputs from Nikhil Pahwa)

Chinese mobile maker Xiaomi has been accused of violating user privacy, but the company had until now maintained its stance that it is not accessing users’ confidential information. That was until last week, when security firm F-Secure found that Xiaomi’s MIUI-based smartphones are indeed sending user data – including text messages, contacts, phone numbers, the ISP’s name, the IMEI number and other details – back to Xiaomi’s server, whether you sign up for the company’s cloud-based services or not.

F-Secure also found that this data wasn’t encrypted. In the simplest terms, this means that anyone using a packet-sniffing tool, among many other methods, could look at your personal data.

MIUI is a heavily customized version of Android, and offers a cloud messaging service on its devices. This service allows its users to send and receive text messages for free. The text messages are routed via IP instead of the carrier’s gateway.

The Chinese company has for the first time acknowledged that its phones are sending text messages back to its servers. However, the company says that this was being done to test whether text messages sent by a user could be sent over a data connection instead of the carrier’s SMS gateway, to save the user money. Xiaomi’s VP Hugo Barra also mentioned that this option is turned on by default:

“As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users.  We have scheduled an OTA system update for today (Aug 10th) to implement this change.  After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.”

Xiaomi’s stance on how it deals with user’s data

Barra has shared details of how MIUI’s Cloud Messaging worked:

“– The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device’s online status.
– When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP. If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.
– When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs.
– In any of these flows, the receiver’s phone number is only used to look up online status and to route messages. No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.”

It should be noted that, in an interview with The Economic Times, Manu Kumar Jain, general manager and head of India operations at Xiaomi Corporation, had said that the company keeps all the data confidential: “We have already issued an official statement about it. I can give a personal guarantee that all the data is confidential and we are not sending it to anybody.”

Unencrypted data isn’t confidential, and while the company had stated that it uses strict encryption algorithms to protect user privacy, the F-Secure report suggests otherwise. Some statements on MIUI made prior to the F-Secure note:

MI India’s Facebook page had stated that:

“MIUI does not secretly upload photos and text messages”… “MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy.”

F-Secure’s investigation found that MIUI-based smartphones do upload texts. It also found that MIUI requests personal data as well, and that it does so every time a user tries to send a text message.

“Q: Does Xiaomi upload any personal data without my knowledge?
A: No. Xiaomi offers a service called Mi Cloud that enables users to back up and manage personal information in the cloud, as well as sync to other devices. This includes contacts, notes, text messages and photos. Mi Cloud is turned off by default. Users must log in with their Mi accounts and manually turn on Mi Cloud. They also have the option to only turn on backup for certain types of data. The use and storage of data in Mi Cloud fully respects the local laws of each country and region. Strict encryption algorithms are implemented to protect user privacy.”

In a statement, the company mentioned that it stores consumers’ data in China, but said it only does so if the user has opted for it. That’s not true either, as has been subsequently acknowledged by the company.

Indian Regulators need to take note

Chinese OEM Xiaomi is one of the fastest growing smartphone manufacturers. Its low-priced premium devices have created stiff competition for other mobile makers. Xiaomi’s former flagship smartphone, the Mi3, recently arrived in India and was very well received. The handset could possibly soon dominate the market as well. As far as user privacy is concerned, Indian regulators need to keep an eye on it, and ensure that the data of Indian consumers is not being funneled to China. That reminds us: what about the NSA?

Here’s how the NSA snoops on India

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
