Xiaomi apologizes for uploading address book data from smartphones without permission

Former Android head and Xiaomi VP Hugo Barra has apologized to owners of the company’s smartphones for “any concern caused” by collecting contact data from address books without permission.

A recent […] report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users […]

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services …

The issue concerned a cloud messaging service Xiaomi offers, which works in a similar way to Apple’s iMessage, diverting SMS messages via its own service and avoiding text messaging charges. The problem was that the service was uploading phone numbers to its servers without informing users or seeking permission.

When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user […] This allows the sender to immediately know whether they can text that user without incurring SMS costs.

Barra says that the company has now issued an over-the-air update to Xiaomi phones making the cloud messaging service opt-in, and promised that any phone numbers sent to its servers would be encrypted and deleted after checking the online status.

Within the USA, third-party messaging service Path was last year fined $800k by the FTC for a similar issue, with mobile platform owners across the industry asked to better inform customers about how their data is used.

Xiaomi more than doubled its sales in the first half of this year, outselling Apple in China in the first quarter.

Barra’s full statement can be read below.

Via Yahoo News 

MIUI Cloud Messaging & Privacy

Xiaomi is a mobile Internet company committed to providing high-quality products and easy-to-use Internet services. We believe it is our top priority to protect user data and privacy.  We do not upload or store private information or data without the permission of users.  This Q&A aims to address privacy concerns raised over the past 48 hours.

Q: What is MIUI Cloud Messaging?

A: Xiaomi offers a free service called Cloud Messaging as part of its MIUI operating system.  This service allows MIUI users to exchange text messages with each other free of SMS charges, by routing messages via IP instead of using the carrier’s SMS gateway.

Q: How does Cloud Messaging work?  Does it store any private user information?

A: When a Mi phone is turned on, the Cloud Messaging service is automatically activated through IP communication protocol with Xiaomi servers, in order to provide the user with the free text messaging capability.  MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services.  Some technical implementation details are provided below.  Users’ phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

Q: How does this relate to the privacy concerns raised about Xiaomi over the last 48 hours?  What’s your response?

A: A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers.  These concerns refer to the MIUI Cloud Messaging service described above.  As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users.  We have scheduled an OTA system update for today (Aug 10th) to implement this change.  After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.

Q: How exactly does the MIUI Cloud Messaging system handle phone numbers?

A: For those interested in specific details about the MIUI Cloud Messaging implementation:

– The primary identifiers used to route messages are the sender and receiver’s phone numbers.  IMEI and IMSI information is also used to keep track of a device’s online status.

– When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP.  If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.

– When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user).  This allows the sender to immediately know whether they can text that user without incurring SMS costs.

– In any of these flows, the receiver’s phone number is only used to look up online status and to route messages.  No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

– The OTA system update made available today (Aug 10th) adds an extra layer of security by encrypting phone numbers whenever they are sent to Cloud Messaging servers.

– We will continue to make changes and improvements to this architecture as needed over time.
