On the face of it, Xiaomi‘s plan must’ve seemed a good idea: take a leaf from Apple’s playbook and offer free messaging when users turned on its Android phones. Unfortunately, MIUI Cloud Messaging instead prompted accusations of data mining and intrusion into privacy, as new Xiaomi phones uploaded the contents of the phone book, numbers from received SMS messages, and the phone’s own details to the company’s servers, with no prior warning.
The behavior was confirmed by F-Secure, which took a brand new, box-fresh RedMi 1S and checked to see what data it was uploading to Xiaomi by default. After turning it on with a SIM card installed, connecting to WiFi, and allowing it to get a GPS lock, the phone then had a new contact added to its phonebook, was used to send and receive an SMS and MMS message, and then to make and receive a call.
Straight away, the handset uploaded not only the contacts and the number of the received message to the cloud, but the RedMi 1S’ own IMEI and phone number, along with the carrier it was using. After logging into Mi Cloud, Xiaomi’s online services, the phone’s IMSI details were also shared.
While the actions left many concerned – especially given there was no outward indication on the device that the data sharing was actually going on – according to Xiaomi VP Hugo Barra it’s all intentional.
That’s because Xiaomi opted to have its MIUI Cloud Messaging system on by default, and register all new users automatically. Like iMessage and other IM systems, the service bypasses traditional carrier SMS messages and instead routes them through its own servers.
The upshot is often a less expensive way to chat, but it’s how Xiaomi implemented it that has people angry. As Barra admits, phone number, IMSI, and IMEI are indeed harvested so as to route messages properly, though he also insists that phonebook data is never stored on the company’s servers.
Barra also says that messages are encrypted and are “not kept for longer than necessary to ensure immediate delivery” to the intended recipient.
Nonetheless, while the company maintains its innocence – and Barra compares its methods with “some of the most popular messaging services – it’s nonetheless going to change how it operates MIUI Cloud Messaging. An OTA update pushed out over the weekend will alter the default behavior so that new users have to explicitly opt into using the SMS replacement service, as well as have the option to log out of it.
The update also introduces encrypts any phone numbers communicated with the servers.
Xiaomi has made headlines recently with the news of its rapid ascent, already taking Samsung’s top spot in China for smartphone shipments.