China's Xiaomi faces privacy hurdles ahead of international expansion

Xiaomi apologized on Sunday for causing privacy concerns related to its phones

Xiaomi offices in Beijing


China's Xiaomi has apologized for causing privacy concerns, after the fledgling smartphone maker faced scrutiny over whether it can be trusted with users' personal data.

Last week, red flags were raised when security firm F-Secure tested a Xiaomi phone, only to find that it sent contact information and device data back to a company server, without the user's permission. This prompted local media in Taiwan to question Xiaomi's previous claim that the company was not secretly storing users' data.

On Sunday, Xiaomi Vice President Hugo Barra responded, and said that the transmitted data was part of the phone's Cloud Messaging service, which can send messages via SMS and over the Internet. The service operates with the help of Xiaomi servers, and relies on both phone numbers and device information to route the messages. But no user personal data is stored by the company, Barra said.

"We apologize for any concern caused to our users and Mi fans," he wrote. To address the problem, Xiaomi is making its Cloud Messaging an opt-in application, and introducing an over-the-air update to its phones that will let users disable the feature.

Lately, Xiaomi has been gaining international attention over its low-cost handsets, which have started to enter select foreign markets. But like other Chinese tech firms, the company is being scrutinized over privacy and security around its products, including in neighboring Taiwan.

"Do Xiaomi phones steal data and transfer it to Beijing?" asked one headline from Taiwan's iThome, a tech publication that requested F-Secure investigate the company's devices.

But on Monday, F-Secure security advisor Su Gim Goh said that most mobile phone vendors usually do end up tracking user information in one way or another, although they first ask for users' permission with a long privacy policy. However, in Xiaomi's case, the company had failed to take this step.

"Xiaomi previously said they were basically not collecting any data, but they actually were. That was the most shocking part," Goh said. "The information was also traveling in plain text. It was unencrypted. That was another point of concern."

Goh, who is based in Malaysia, said Xiaomi phones are also taking the country's market by storm. But the company will need to be vigilant in protecting users' privacy, especially as concerns continue over electronic spying programs by the U.S. and China, he added.

"We did prove the stereotype true. That phone makers from China have the reputation to collect more personal data," he said.

But even so, the privacy concerns probably aren't on the minds of most consumers, and won't stop sales of Xiaomi phones, said CK Lu, an analyst with research firm Gartner.

"There's always been talk of this fear of China. We have seen Huawei, and ZTE, been accused of spying in similar scenarios," he said. In 2012, for example, a U.S. congressional committee concluded that both companies were a national security threat for their alleged ties to the Chinese government.

In Taiwan, Xiaomi phones have been selling well, and been directed to consumers, not government officials, Lu said. "Even though people may have some concern about using a Chinese service, for most users it's not a big deal," he added.


Stories by Michael Kan
