Privacy Infringement 'Very Common' Among Chinese Companies

china-xiaomi-aug-2014.jpg A mobile phone user displays his Xiaomi smartphone in Jinan city, Shandong province, Aug. 6, 2014.

Privacy infringements like that recently discovered in Xiaomi smartphones is common practice among Chinese digital service providers, analysts said on Tuesday.

Chinese mobile phone company Xiaomi has removed a "loophole" in its cloud messaging software after a report showed it was secretly sending the data to a server in China without notifying users.

The budget smartphone maker, which has a growing market in other developing countries, said the upgrade to its software had been launched on Sunday, and that users should now be able to opt out of the cloud messaging service.

Chinese netizens said they had waited several days for confirmation that Xiaomi really was uploading their private data, but that such treatment is common among Chinese service providers, who are often required to collect data by the government.

"[This] has been going on for a few days now, and finally we have some reliable confirmation that this is true," user @FelixDing wrote on a popular social media site on Monday.

"To tell you the truth, I'm not at all surprised. Such privacy-violating practices are widespread among Chinese Internet companies, and they even think they can export their skulduggery to other countries," the user wrote.

Nanjing-based database engineer Zhang Haoqi said Xiaomi's statement wasn't made available inside China, in Chinese, and that the company's Chinese customers still had no idea where their data was ending up.

"We can't rule out the possibility that they are uploading data and passing it to whomever, to whatever company or organization," Zhang said.

He said privacy was still a relative concept for digital service providers.

"Whether or not they are respectful of certain boundaries depends largely on the laws and regulations of the countries in which they operate," Zhang said.

"The boundaries exist, but they won't be respected if companies aren't restrained [by laws or regulatory bodies]," he added.

'Back door' surveillance

Guangzhou-based writer and online commentator Ye Du said a large number of apps inside China contain a "back door" to enable surveillance.

Beijing is also very concerned about the possibility that overseas corporations like Apple could get their hands on potentially sensitive user data.

"Actually, everyone knows that it's not just Xiaomi [that does such things]," Ye said. "All the software we use has back doors in it imposed by the government to supply them with so-called security information, including all the anti-virus software and applications."

"When it comes to taking away users' privacy and data of all kinds, Chinese companies are much worse than overseas companies, and there is always some level of official collusion, or even coercion, involved," he said.

"In the name of so-called state security, they feel they have to be on top of everything the population does, their data, to collect it for various intelligence databases."

Stored numbers

Xiaomi's security issue was initially reported in the Taiwan media following a blog post by security company F-Secure Oyg last week.

Xiaomi's free cloud messaging service mimics the iMessage service offered by Apple to its users, who pay no SMS charges.

Xiaomi vice president Hugo Barra apologized for the unauthorized data collection in a blog post on Google Plus, adding that the phone numbers were only collected for the purposes of seeing whether contacts were online or not.

Any phone numbers sent back to Xiaomi servers in future will now be encrypted and not stored, Barra said.

Although an increasing number of smartphone apps around the world collect vast amounts of personal data including geolocation, the contacts folder is viewed as much more sensitive.

Last year, U.S. trade regulators fined the social network Path after researchers revealed that the company was collecting the contents of users' address books without their knowledge or permission, and storing them on its servers.

Apple later amended its iPhone operating system so that app developers would have to ask explicitly for permission before accessing address book data.

Reported by Yang Fan for RFA's Mandarin Service. Translated and written in English by Luisetta Mudie.


Add your comment by filling out the form below in plain text. Comments are approved by a moderator and can be edited in accordance with RFAs Terms of Use. Comments will not appear in real time. RFA is not responsible for the content of the postings. Please, be respectful of others' point of view and stick to the facts.