Xiaomi Apologizes For Sending User Data To Chinese Servers

Chinese smartphone manufacturer Xiaomi reportedly upgraded its operating system on August 11 so that users are informed that it collects information from their address books and sends the data to Chinese servers.


Lei Jun, CEO of Xiaomi. Photo: IBN Live / Reuters

The announcement comes after a computer security firm reported that the fast-growing smartphone maker was collecting personal data from the address books of Xiaomi handset users without permission.

Xiaomi apologized for the issue and said that it had fixed the cloud messaging bug that caused the unauthorized transfer of data. The OS upgrade was complete by Sunday, according to the firm.

F-Secure busted Xiaomi’s problem

A report by the security firm F-Secure last week found that Xiaomi’s Cloud Messaging service was sending users’ data and phone numbers to a remote server in China without their permission.

Hugo Barra, Xiaomi’s Vice President, said that this was the only way the software could route SMS texts over the Internet to avoid carrier charges (just like Apple’s iMessage service), but said that this would be ‘opt-in’ in the future.

“As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users,” was Barra’s statement on Google+. “We apologize for any concern caused to our users and Mi fans.”

An update to Cloud Messaging Service was sent to the networks, with users now being given the option to ‘opt in’ to the service via the Settings menu in the Mi operating system.

Many smartphone apps collect large amounts of personal data, but address books of smartphone users are considered private and generally not scrutinized for data collection purposes.

US-based social network Path was fined $800,000 by the Federal Trade Commission after researchers found that the company was accessing users’ address books without their permission and storing the data on its servers. Following the Path fine, Apple modified its iPhone operating system so that app developers have explicit permission from users before accessing the data stored in their address books.

The incident is one of the first slip-ups for the smartphone giant that is often referred to as China’s Apple. Since its launch four years ago, Xiaomi has made a big name in the Asia-Pacific region as well as the global start-up industry under the leadership of Chinese entrepreneur Lei Jun.

Sean Sullivan, security researcher at F-Secure, told V3 that there was no evidence the data collected from the Xiaomi handsets is being utilized for illicit purposes.

“There are no signs of it being linked to any government. Was it a mistake? Perhaps in the sense that Xiaomi misread the (Western) public’s current willingness to automatically share ‘metadata’ with a phone vendor. And in the case of phone numbers, many people consider that to be data rather than metadata,” he stated.

“The behaviour isn’t significantly different than other vendors except that other vendors ask and prompt the user before collecting. Many people simply ignore such prompts and just click ‘okay’ but at least the prompt is there. That now seems to be the way Xiaomi will move.”

Xiaomi has more to do

Despite releasing an update and apologizing, Xiaomi’s problems aren’t over. Want China Times says that a Xiaomi handset user from Hong Kong named Kenny Li has found that the software update doesn’t stop his phone from automatically transmitting information to servers in Beijing.

Li says he discovered multiple sources that send phone data to a Beijing-based IP address after he updated the device according to Xiaomi’s instructions. The Internet messaging function starts again even after being disabled due to the software update, says Li.

To confirm the connection was still operating, Li removed all default Xiaomi services and apps and even set up a firewall. However, the phone’s data, including the Key Chain that stores users’ passwords, was still connecting to servers in Beijing.

He also found that Internet messaging continues to run in the background and data is being sent to Beijing despite Xiaomi claiming that it can be deactivated. Other users also discovered that previous problems with the proxy that sent off Download Manager information and Gmail were still running in the background after the update.

As it stands, smartphone companies seem to be riding the margins of consumer acceptance and regulation in order to maximize their consumer research and, in some cases, abide by the secret instructions of law enforcement agencies. But they should prepare for changes where users want more of a relationship with their own private information and those who gather it.