A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app – these are also the places where users can turn off Cloud Messaging.
We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.
Fast response, but it’s exactly this kind of shitty behaviour that especially a Chinese company simply cannot afford out here in the west. If Microsoft, Apple, or Google does something like this, they’ll have armies of defenders and a huge PR department to solve it. Upcoming Chinese companies are generally much, much leaner and do not have that at all.
In any case, you’re generally much better off with a custom ROM anyway, and this is just yet another reason.
When this issue broke a couple of weeks ago a fellow flashed the unit with CyanogenMod and the unit kept making connections to Chinese servers. This suggests the problem might be hardwired.
Chinese source
http://www.ima-mobile.com/viewtopic.php?f=7&t=39178
A different English language site talking about it.
http://en.miui.com/thread-31107-1-1.html
It would be great if OSAlert could get an interview with the person at this company – or any other – that actually does the human calculation … balancing factors which may or may not include the following .. I don’t know but I’d love to know…
1. Can we get away with this .. will anyone spot it? Will it be a matter of when, not if, someone spots it by putting the traffic through Wireshark? Will someone find strings in the binary images? No-one will succeed in decompiling the code.
2. Is the information that valuable? Do we want it? Who wants it – where is the order coming from? Do they know the risks of being caught? They probably think it is low risk.
3. I’m betting the tech sites will complain but the vast vast majority of users won’t ever find out even if reported, and even then most won’t care or understand.
4. We’ll pretend it was a bug / error / slip .. despite this requiring engineering effort to code, test, deploy.
5. Maybe we should just ask for the data in a long terms of use and most users will click “ok”…
etc etc etc
But they’ll still have a market in China, and possibly Africa. The West won’t be counting for much over the coming decades.