Xiaomi devices have the built-in ability to detect and censor terms like “Free Tibet”, “Women’s Committee”, and “Long live Taiwan’s independence”, Lithuania’s Defence Ministry said in a report published by its National Cyber Security Centre (NCSC). The censorship capability is turned off for phones sold in the European region, but the company has the ability to remotely activate it, the report said.
Xiaomi refuted these allegations and told Reuters: “Xiaomi’s devices do not censor communications to or from its users. Xiaomi has never and will never restrict or block any personal behaviors of our smartphone users, such as searching, calling, web browsing or the use of third-party communication software.” But this statement does not deny the allegation that such a capability is there on its phones.
Xiaomi leads the smartphone market in India with nearly a 30 percent market share, raising concerns about how this alleged capability can be misused by the Indian government.
Cybersecurity assessment of Chinese smartphones
Lithuania’s NCSC discovered the censorship capability when it carried out a cybersecurity assessment of Chinese-made 5G smartphones sold in Lithuania. The assessment was carried out on three devices: Huawei P40, Xiaomi Mi 10T, and OnePlus 8T. The study identified the following major cybersecurity risks associated with these devices:
- Censorship capabilities of Xiaomi devices: The study found that Xiaomi apps including MiBrowser, Security, Themes, Cleaner, and MIUI Package Installer regularly download a configuration file called “MiAdBlacklistConfig” from a server located in Singapore. “This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time the analysis was performed, 449 records were identified),” the report said. When NCSC analysed the applications, it found code that allows filtering of content based on the downloaded blacklist. “This allows a Xiaomi device to perform an analysis of the target multimedia content entering a phone: to search for keywords based on the MiAdBlacklist list received from the server. When it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information,” the report revealed.
- Risks associated with installing apps on Huawei devices: “Installing mobile applications on Huawei devices is characterised by cybersecurity uncertainties,” the report said. “It is worth noting that most of the application distribution platforms are located in countries not covered by the General Data Protection Regulation, which creates a corresponding risk of leakage of user metadata,” the report added. More importantly, the study “found that a portion of the mobile applications contained on the application distribution platforms are imitations of the original applications, with malicious functionality or virus infestation; such applications can be downloaded and installed by the user on the mobile phone, thereby jeopardising the security of the device and the data contained in it.”
- Data security risks associated with Xiaomi devices: The report said that pre-installed apps on Xiaomi devices send a variety of statistical data to servers of the Chinese cloud service provider Tencent, located in Singapore, the USA, the Netherlands, Germany, and India. The company reportedly collects data using two modules. “The Google Analytics module installed on the device allows the browsing and search history to be read, to send this data to analytics servers which Xiaomi accesses” and “the Sensor Data module has been found to collect statistical information on 61 parameters (time of activation of application, language used, etc.) about the activity of applications used,” the report said. “The collected statistics are sent via an encrypted channel to Xiaomi servers in Singapore, which is not covered by the General Data Protection Regulation. According to international sources, clear cases of unauthorised collection of user data by Xiaomi have been identified. Potentially excessive collection and use of analytical data can be said to pose a threat to the privacy of personal data,” the report concluded. Sensor Data reportedly has more than 1,500 customers, including some of the largest corporations in the People’s Republic of China, such as China Telecom, Baidu, CYTS, Sichuan Airlines, etc., the report stated.
Why does this pose a serious concern in India?
The NCSC report found that the blacklist is regularly updated and that the terms in the list can be in any language. More importantly, the censorship functionality can be activated remotely by the manufacturer. Although the functionality currently appears to be targeted at Xiaomi devices sold in China, the Indian government can ask the manufacturer to activate it for its Indian users and can even specify what terms should be on the blacklist.
India’s Information Technology (IT) Rules 2021 require social media platforms to proactively identify and take down illegal content using automated tools. This includes content that depicts rape, child sexual abuse (CSA), or any information that is “exactly identical” to information that was previously removed or access to which was disabled. The last criterion basically covers information that the government has previously deemed illegal or asked to take down. Social media companies, however, have been reluctant to adhere to this requirement because of censorship concerns. The revelation of Xiaomi’s blacklist now allows the government to directly mandate manufacturers to enable this kind of proactive content censorship. It is, however, not known if Xiaomi can deploy this functionality on all apps on the device or only its own apps.