After Security Experts Discover Xiaomi Smartphones Send User Data to Beijing HQ, Company Issues Patch And Apologizes

A couple of weeks ago, reports hit the Web claiming that Chinese phone maker Xiaomi was sending user info back to home base. At the time, the company's head of global expansion, ex-Googler Hugo Barra, claimed that no such thing was going on. But late last week, Finnish security firm F-Secure posted proof to the Web that certain information was in fact being sent back to Xiaomi's servers. As a very reputable security company, F-Secure's information really struck a chord with many.

In F-Secure's experiments, it was discovered that a device's phone number, IMEI number (similar to a serial code), and phone numbers from contacts saved to the device were sent to Xiaomi's servers. To conduct this experiment, a brand-new Xiaomi RedMi 1S was turned on and used as a normal phone would be - a phone call was received, and an SMS was sent and received.

Prior to F-Secure's discoveries, Xiaomi's Hugo Barra posted this to his Google+ page: "Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users." This is all in direct contrast to F-Secure's findings.

A couple of days after F-Secure's findings were published, Hugo Barra once again came forth with some insight - this time subtly backtracking on some earlier comments. As it turns out, the information that was sent to Xiaomi's servers was the direct result of the company's cloud service being enabled by default on its devices. Barra emphasized the fact that no data is actually "stored" on Xiaomi's servers, and as a result of this entire brouhaha, the company would soon be taking steps to correct things.

Over the weekend, the company did just that, releasing an update that causes its phones to disable its cloud service by default. From an outright dismissal of data being sent to its home servers to an admission that it was its cloud service doing it - all in the span of a couple of days. Somewhat interestingly, most of this transpired mere days after I praised the company for its amazingly rapid growth, that it was "shaping up to become China's Apple".

The good news in all of this is that a patch is out, though there are still questions lingering. We can understand that a cloud service might send somewhat sensitive information back to the cloud provider's servers, but why exactly does that involve a phone number and an IMEI? Does Dropbox require such a thing? Apple's iCloud? Google's Drive? Microsoft's OneDrive? No - of course not. It seems like there's more to this story that needs to be revealed. At least we're on the right track to figuring that out.