
Xiaomi Recording ‘Private’ Web and Phone Use - rock_artist
https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#6a50cdaf1b2a
======
cantrevealname
Just wait till they:

- start encrypting all the data they collect (with real encryption, not
base64 encoding)

- save up the data for hours or days at a time and send it in bursts (so
there is no immediate connection to a remote server)

- send the data to plausible U.S.-registered domains (rather than to
Singapore and Russia)

- monitor at the kernel or firmware level so that it doesn't matter what
browser or apps you use

- turn off data collection when it suspects a security researcher (due to
signs of debuggers, development tools, network monitoring, unusual network
settings like proxies or DNS, etc.)

We won't be able to prove anything. So disheartening.

~~~
myrloc
Excuse my naïveté, but who would actually work on such things? How can someone
have such low moral standards to, day after day, build systems that secretly
remove privacy from otherwise innocent people?

~~~
gentleman11
“Money makes a man act funny” -Eminem.

I have had friends suddenly get very selfish when the chance to get even $10
is available. I had a regular at a retail job once who came in every day... he
asked to borrow $1 once to help pay for something. To avoid paying it back, he
never returned, likely walking an extra several km to the next nearest store
of the type every day. For $1

------
schoolornot
I recently wiped my factory-unlocked Samsung S20, enabled debug mode, and ran
"pm list packages" over ADB. The results were beyond startling. There were
close to 100 packages running under com.samsung and other various namespaces
with tons of sensitive permissions. For most of these processes I could not
identify what they existed for. And I still can't figure out why a freshly
wiped unlocked phone w/ a Sprint SIM is running a Verizon provisioning
process.

I do not trust any of these Android manufacturers to do right by people. Even
the Pixel phones have a "Support" application that has camera permissions --
which last I checked, couldn't be changed regardless of whether you need
support or not. What's going to happen when some obscure team within Google
pushes an update to this app to do something without user approval?
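
An added example (not from this thread, Samsung or Google) of the kind of audit described above, in Python: it parses the text that `adb shell dumpsys package` prints for every installed package and lists which vendor or carrier packages actually hold sensitive permissions, rather than just the package names `pm list packages` gives you. The sample output below is constructed to mimic the `requested permissions` / `install permissions` / `runtime permissions` sections of that dump, and the package names in it are made up.

```python
"""Audit which preinstalled packages hold sensitive permissions, from dumpsys output."""
import re
from collections import defaultdict

# Permissions worth justifying for any package the user did not install.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")              # "  Package [com.x.y] (hash):"
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")  # "    android.permission.X: granted=true"


def parse_dumpsys(text):
    """Map package -> {permission: granted} from `adb shell dumpsys package` text."""
    grants = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = GRANT_RE.match(line)
        if m and current:
            perm, state = m.groups()
            # install and runtime sections can both list a permission; granted anywhere counts
            grants[current][perm] = grants[current].get(perm, False) or state == "true"
    return dict(grants)


def flag_sensitive(grants, prefixes=("com.samsung.", "com.verizon.", "com.sprint.")):
    """Packages under vendor/carrier namespaces that hold a SENSITIVE permission."""
    findings = []
    for pkg in sorted(grants):
        if not pkg.startswith(prefixes):
            continue
        held = sorted(p for p, ok in grants[pkg].items() if ok and p in SENSITIVE)
        if held:
            findings.append((pkg, held))
    return findings


# Constructed sample in the layout dumpsys uses; the package names are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.samsung.example.telemetry] (1a2b3c):
    userId=10042
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED ]
  Package [com.verizon.example.provisioning] (4d5e6f):
    userId=10077
    install permissions:
      android.permission.READ_PHONE_STATE: granted=true
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=false, flags=[ ]
  Package [org.example.notes] (7a8b9c):
    userId=10101
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # On a real device: `adb shell dumpsys package > dump.txt`, then pass that file's text here.
    for pkg, perms in flag_sensitive(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(pkg, ", ".join(perms))
```

Only permissions with `granted=true` count, so a package that merely requests `READ_SMS` but was never granted it (the second constructed package) does not show up; that is the distinction a raw package listing cannot make.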

~~~
101404
I wonder if it is illegal under GDPR to include spying apps on phones without
telling the user.

~~~
Nextgrid
The question of the GDPR is not whether it's illegal but whether anything is
done to crack down on offenders. Facebook, Google and thousands of
marketing/analytics/advertising companies are still around and are stalking
users with total disregard of the GDPR, so that's a clear negative.

~~~
tgsovlerkhgsel
Would someone who is downvoting this be willing to explain why? Because I have
the same impression (that many GDPR rules are simply being ignored because
enforcement is lacking).

~~~
Nextgrid
The typical response I get to such comments is that Google _did_ get fined 50M
_once_ in France. The problem is that not only is it pocket money to them but
Google continues to violate people's privacy (Google Analytics still tries to
stalk me everywhere without asking for consent first).

When it comes to Facebook I am not aware of any investigation or enforcement
action being taken despite them being even worse than Google when it comes to
privacy and having proven their malicious intent and complete disregard for
the privacy multiple times.

~~~
hetspookjee
Well you can get rid of Google Analytics, you just have to install their
Opt-out Google Analytics browser extension and fill in some data. I really wish
the EU actually did something worthwhile with the GDPR.

~~~
Nextgrid
The point of the GDPR is that you don't have to opt-out, you have to opt-_in_
if you are happy with tracking.

------
mikestew
There's too much to quote, but scroll down to Xiamoi's responses. Man, that is
the quintessential example of gaslighting. "No we didn't, that's not true at
all. Well, we kinda did, but it's 'anonymized', so it's okay."

"But we have video of your device sending data to..."

"...but, but, anonymized!"

"I thought you said you weren't sending data at all, now it's just anonymized
browser data, but we see your devices sending device usage outside the
brows..."

"ANONYMIZED!!!!11"

~~~
0xy
There's no such thing as anonymized when it comes to data tracking.
"Anonymized" tracking itself is gaslighting.

~~~
nicbou
It's anonymized in the sense that you don't know who it will be sold to and
what they will do with it.

In all seriousness, this is a point GDPR struggles with. It's really hard to
properly define what constitutes personal data.

~~~
tjoff
Personally Identifiable information is data that can be used to identify a
person with reasonable effort (getting a warrant is not reasonable for
instance).

The same data can be both PII and not PII depending on the context.

Not sure what the struggle is?

------
djrogers
Wow, just... Wow.

> Xiaomi said, “The research claims are untrue,”

and

> When Forbes provided Xiaomi with a video made by Cirlig showing how his
> Google search for “porn” and a visit to the site PornHub were sent to remote
> servers, even when in incognito mode, the company spokesperson continued to
> deny that the information was being recorded. “This video shows the
> collection of anonymous browsing data, which is one of the most common
> solutions adopted by internet companies to improve the overall browser
> product experience through analyzing non-personally identifiable
> information,” they added.

"We're not doing that. And everyone does that, so it's OK that we do that".

~~~
MaxBarraclough
I'm reminded of something Christopher Hitchens once wrote about this sort of
'defence in depth', which I'll try to recount as best I can:

_One often hears from undemocratic regimes that they aren't torturing people
in the manner accused, and that if they were it wouldn't be so bad, and that
if it were bad it would still be well justified. On hearing these three in
combination, little doubt should remain that the accusers have it right._

------
neurostimulant
Xiaomi produces some of the best bang-for-your-buck hardware on the market.
Their software is crap though. Ads in the system apps, UI customization that
arguably looks worse than stock Android, and now blanket tracking like this,
though it was always pinging their tracking servers frequently. My pihole logs
were pretty much full of blocked Xiaomi requests until I flashed the phone.

Best thing to do when you get an Android phone, especially from a Chinese
manufacturer, is to flash LineageOS on it.

~~~
raindropm
Problem is, lately many banking apps require you to use a non-rooted phone, at
least in my country. There used to be a workaround, but it doesn't work anymore.

I have a Redmi phone and I hated it as soon as I found that there are ads in
their ROM. It's so disappointing. I mean, other Chinese brands have their own
crapware, yes, but ads?

I then flashed my phone to a pure Pixel ROM and had never been happier, until
the bank app incident happened. So I have to use their original ROM for now
until I get a new phone.

No matter how rave the Mi phone reviews are, or how great a 'bang for the
bucks' brand it is, I will never touch their phones again.

~~~
neurostimulant
Actually, I installed LineageOS but skipped installing the root binary (it's an
optional step when flashing LineageOS) as I don't need root anymore. Without
root I can still use my banking app because Google SafetyNet is passing on my
phone.

~~~
cJ0th
I use LineageOS myself but I would _never_ use a smartphone for anything
related to personal finance.

Without an extensive research project there is no telling what's going on
under the hood imho.

~~~
propogandist
Most banking apps have extensive telemetry enabled themselves. Even keyboards
are trying to phone home constantly

------
amiga-workbench
Stuff like this is why without fail, every phone I own gets LineageOS
installed immediately.

Xiaomi phones have a bootloader unlock timer to try and mitigate sites
reselling their phones with modified software, so I had to leave my Mix 2s
alone for a few days before I could make it safe to use.

~~~
pingec
Are there any resources describing what you lose and gain by installing
LineageOS?

I'd like to know what will stop working before I try it out...

~~~
climb_stealth
It probably depends on the device, but in the best case you are not losing
anything. Especially as you can install google services, so Google Play and
everything around it works.

The only apps that stopped working on my Poco F1 are apps that check for
modified Android. For example my Australian digital drivers license app
doesn't work as it detects the Android environment as non-standard. I believe
you can do some root magic to work around it, but I could never be bothered to
do so. Interestingly enough the three different banking apps I use all work
fine.

Have a look at the installation instructions to see how you feel about it [0].
They are usually really good. The devil is in the detail though, and you
probably have to plan for an afternoon of using Google to find workarounds for
bits that don't work. For example when I was upgrading to the latest Android
version I had to install a different bootloader as the previous one wasn't
compatible. It took a bit of looking around, but going from the error messages
usually brings up the right solutions in various forums.

[0]
[https://wiki.lineageos.org/devices/beryllium/install](https://wiki.lineageos.org/devices/beryllium/install)

~~~
inyorgroove
> but in the best case you are not losing anything.

This is starting to not be the case. I couldn't get the wide angle camera
working on my newer Xiaomi Mi 10 Lite for example. I had to fall back to a
miui.eu based ROM to get it to work.

~~~
morsch
That's not an officially supported device. The most recent supported model
from that line is the Mi 8, afaik.

------
mbdesign
On a Xiaomi device myself. Recently I've set up Nextdns.io to resolve all the
DNS requests through it. Very frequent callbacks to Xiaomi servers for
tracking. Blocked a bunch of them now, but it's half a solution.
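
An added example in Python, not from either commenter's setup, covering both the Pi-hole logs mentioned earlier in the thread and the NextDNS blocking above: it summarizes a dnsmasq-style query log, ranks domains by how often a client asks for them, and lists domains under a vendor suffix that were answered rather than blocked, which is the gap the "half a solution" remark points at. The log lines and the `vendor-example.com` domains are constructed; no real Xiaomi hostnames are assumed.

```python
"""Summarize a Pi-hole style query log to see which vendor domains a phone keeps calling."""
import re
from collections import defaultdict

# dnsmasq-style lines as Pi-hole writes them; we only care about queries and block decisions.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d dnsmasq\[\d+\]: "
    r"(?P<kind>query\[\w+\]|gravity blocked) (?P<name>\S+)(?: from (?P<client>\S+))?"
)


def summarize(lines):
    """Return {domain: {"queries": n, "blocked": m, "clients": set(...)}}."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no new information for this view
        entry = stats[m["name"].lower()]
        if m["kind"].startswith("query"):
            entry["queries"] += 1
            if m["client"]:
                entry["clients"].add(m["client"])
        else:
            entry["blocked"] += 1
    return dict(stats)


def noisiest(stats, n=10):
    """Top-n domains as (domain, queries, blocked), most-queried first."""
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1]["queries"], kv[0]))
    return [(d, s["queries"], s["blocked"]) for d, s in ranked[:n]]


def unblocked_under(stats, suffix):
    """Domains under `suffix` that were queried but never blocked: blocklist candidates."""
    suffix = suffix.lower()
    return sorted(
        d for d, s in stats.items()
        if (d == suffix or d.endswith("." + suffix)) and s["blocked"] == 0
    )


# Constructed log excerpt: one phone (192.168.1.20) hitting a vendor's tracking and data hosts.
SAMPLE_LOG = """\
Apr 30 12:00:01 dnsmasq[567]: query[A] tracking.vendor-example.com from 192.168.1.20
Apr 30 12:00:01 dnsmasq[567]: gravity blocked tracking.vendor-example.com is 0.0.0.0
Apr 30 12:00:31 dnsmasq[567]: query[A] tracking.vendor-example.com from 192.168.1.20
Apr 30 12:00:31 dnsmasq[567]: gravity blocked tracking.vendor-example.com is 0.0.0.0
Apr 30 12:00:45 dnsmasq[567]: query[A] data.vendor-example.com from 192.168.1.20
Apr 30 12:00:45 dnsmasq[567]: forwarded data.vendor-example.com to 1.1.1.1
Apr 30 12:00:45 dnsmasq[567]: reply data.vendor-example.com is 203.0.113.7
Apr 30 12:01:02 dnsmasq[567]: query[AAAA] news.example.org from 192.168.1.21
Apr 30 12:01:02 dnsmasq[567]: forwarded news.example.org to 1.1.1.1
"""

if __name__ == "__main__":
    # On a Pi-hole: summarize(open("/var/log/pihole.log")) works the same way.
    stats = summarize(SAMPLE_LOG.splitlines())
    for domain, queries, blocked in noisiest(stats):
        print(f"{domain:35} queries={queries} blocked={blocked}")
    print("still resolving:", unblocked_under(stats, "vendor-example.com"))
```

DNS blocking only helps for the names you have already listed, and an app that keeps a hardcoded IP or tries a new hostname goes straight past it; the `unblocked_under` view is how you notice the names that slipped through.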

~~~
xiii1408
Other than the tracking, would you recommend it? Is LineageOS available? I've
been curious about trying a Chinese phone for a while, but would only do it if
Lineage is available, since I'm annoyed by anything more busy than stock
Android.

~~~
IIAOPSW
I have lineage on my xiaomi.

The bootloader is locked by default but if you ask for it to be unlocked they
will do it. The process is intentionally manual to prevent hacking, but
ultimately smooth.

~~~
Arkanosis
Things might have changed since last year, but it hasn't been smooth at all
for me.

Not only do you need a Windows computer to unlock, but then it takes literally
months to proceed, and if you happen to do something that you're not told you
should not do (like logging out or re-trying to unlock), the counter is reset
and you have to wait even more. Plus the unlocking program on Windows randomly
doesn't work and the error messages are not helpful at all.

My Xiaomi is an impressive, nice and powerful phone that hasn't cost much. But
it was so much pain to root that I probably won't ever buy a phone from them
in the future.

------
mrwww
Google accusing apple of "Selling privacy as a luxury good", well, isn't it?
Clearly, if you don't want to be spied on you're going to have to pay a
premium.

~~~
blaser-waffle
The profit from your data offsets the cost of the hardware.

If they're not selling your data, then you get to pay full price for the
phone. Not a crazy idea, really, but I wish that was made clearer.

~~~
foxrider
Yet the Apple ecosystem is an insane walled garden and you don't really own
your hardware, because you can't even run applications not downloaded from the
app store.

------
evross
Just following the surveillance model pioneered by Google, Facebook etc. I'm
glad tech surveillance is being covered and some awareness and opposition is
visible here. Xiaomi aren't the only ones taking a mile of advantage from the
inch of 'good telemetry' promoted by some companies.

------
devit
Are there going to be legal consequences for this?

I would expect this to carry the heaviest penalties possible including massive
penalties against China if they fail to enforce them, but I guess nothing is
going to happen given the current state of society.

------
zaro
“It’s a lot worse than any of the mainstream browsers I have seen,”

It's a lot worse than Chrome ?

The Xiaomi browser tracks your browsing. The Google browser in combination
with the most of the sites in the internet track your browsing, your location,
and a lot of other things.

Choosing the lesser evil is quite popular now days, and it's obvious which one
it is.

~~~
Tijdreiziger
> it's obvious which one it is.

Indeed: it's Firefox.

~~~
m463
Firefox does a lot of phone home stuff too. (Not like chrome's built-in
tracking)

------
baq
i didn't know for sure that such things would happen but expected it. one of
the reasons i'm on an iphone for 2+ years. i've got zero trust in chinese
manufacturers, in my mind they're just extensions of the CCP.

~~~
thelittleone
Same. I found this wiki page with a list of smartphone manufacturers by
Country.

[https://en.m.wikipedia.org/wiki/List_of_mobile_phone_brands_...](https://en.m.wikipedia.org/wiki/List_of_mobile_phone_brands_by_country)

I’ve visited Taiwan for work quite a few times and met with some of the big
tech manufacturers. Very professional teams of engineers and a beautiful
country.

It would be super interesting if a Taiwanese manufacturer developed a
smartphone + ecosystem whose selling point was no spyware and openness, at the
price point of the Chinese manufacturers.

~~~
mekster
How much influence does China have over Taiwan? Can they completely decline
any malicious orders?

~~~
djrogers
> How much influence does China have over Taiwan?

Right now their only influence is financial, which Taiwan works pretty hard to
resist where possible.

------
Causality1
We need legislation that triggers automatic import bans when malfeasance of
this magnitude is discovered. The only way to stop companies from doing this
is financial disembowelment. Anything less just becomes the cost of doing
business.

------
0x49d1
Did anyone think that they don't?! C'mon, they sell nice smartphones for
$80-100, why would they do that? They have built-in ads, so they probably
study our behavior to send more relevant ads and make more proper contracts
for advertisements.

------
pier25
Does this also happen with Android One phones?

~~~
korax_nyx
I would love to know that too

------
lostmsu
So if you do not use preinstalled Xiaomi software, you are mostly OK? (until
they start stealing Firefox browsing history)

Having a Xiaomi phone myself, I faced a trade-off between the official ROM,
which provides full device encryption and SELinux enforcement but tracks what
you do in settings, and unofficial LineageOS (PHH GSI), which does not encrypt
the device data and has SELinux off on most Xiaomi phones. I ended up sticking
with MIUI.

------
hkai
Why would you even consider using a Chinese phone? We wouldn't use a North
Korean phone, so why do we treat China differently?

------
solarkraft
Why is it surprising that proprietary software, especially from China, would
steal your data? The incentive is pretty clear.

------
est
Wait, people still use stock MIUI after they bought a Xiaomi phone? It was
nicknamed ADUI after all.

------
itronitron
...by purchasing a license to use _our phone_, you (the user) consent to send
all data about your use of _our phone_ while using _our phone_ that you have
been granted a license to use by _us_

------
TLightful
For those more expert than I, is Apple any better in this regard?

If not, which mobile is ideal?

~~~
djrogers
> For those more expert than I, is Apple any better in this regard?

Yes, and unequivocally so. Apple is not known to track browsing behavior,
search terms, etc. Most of the data that your phone collects about you either
remains on your phone (that's why they've been shipping with NPUs for several
years; they do a lot of machine learning on-device rather than in the cloud) or
is analyzed using differential privacy mechanisms.

The amount of data that Apple refuses to collect in Apple Maps for example is
astounding. Start and end points of any journey are not used for example. Your
trip is broken up into a bunch of segments, and only the middle ones are
analyzed for traffic pattern, and even then only after being anonymized.

And most of the details behind all of this are published in a well written and
frequently updated privacy whitepaper.

[1]
[https://www.apple.com/privacy/features/](https://www.apple.com/privacy/features/)

~~~
izacus
You ignored iCloud though, which isn't E2E encrypted and uploads personal
photos, contacts, location and some other data to Apple. They can decrypt this
data and regularly share it with governments.

So your post is kinda misleading when you leave these details out - it creates
a false sense of safety.

(And before someone complains: Yes, Apple is infinitely better at privacy than
Xiaomi. We still shouldn't hide privacy risks though.)

~~~
foxrider
However, there is an elephant in the room: any Xiaomi device can unlock its
bootloader, and then flash an open firmware, like LOS. This instantly makes it
much better than Apple phones or any phones on the market; you can even
ignore Google software. With Apple you can't even run apps that haven't gotten
through Apple's censors, and the closest you can get to owning your hardware is
"jailbreaking" it.

------
zrth
Serious question: How is this different from what google is doing?

------
rawoke083600
Ag no man ! Xiaomi is my fav android phone brand.

------
neonate
[https://archive.md/rhr59](https://archive.md/rhr59)

------
askafriend
Much better to pay the Apple tax than to have to worry about this kind of
stuff to save a couple bucks.

~~~
tonyedgecombe
Yes, that extra margin is the reason Apple doesn't have to stoop to some of
the practices of companies on much slimmer margins.

------
guug
It was only a matter of time before foreign companies followed Google and
Microsoft's lead and started slurping user data. Expecting any other outcome
would be nothing short of delusional.

Screw Xiaomi and screw Google and Microsoft.

------
ComodoHacker
This is old news. Just run Lumen on any Xiaomi device and see for yourself.

------
qppo
The fucking huevos on Forbes to publish this article alongside the most
godawful CCPA opt-out flow I've seen yet...

Clicking the "do not sell my info" link takes you to a page where it asks you
for your personal information to request to opt out... with the fine print
telling you that you can actually opt out by going back to the previous
dialog, selecting more info, then selecting one of the three cookie sections
(which is not labeled "do not sell my info" or anything similar). There's then
a timer where it takes about a minute to update the cookie preferences.

I know Forbes has turned into a glorified blogging site for "journalists"
these days but come on. Talking about privacy and misleading information on
the same site that makes you jump through hoops to remain anonymous while
browsing? Pot calling the kettle black much.

~~~
cambalache
If you are a native English speaker, kudos for writing "huevos" and not
"Cahones" or one of its other similar cringy misspellings. But there's a 90%
chance you are from the Southern Cone, so carry on.

~~~
maximente
my brain's classifier would predict upon hearing just huevos => mexican
spanish. i'd imagine southern cone speakers would say pelotas, but might be
way off here.

~~~
LolWolf
That's pretty much spot on (more generally, I think it's a Central-American
thing). Either "pelotas" or "bolas" are the common ones in South America
(huevos is present, but rarely used in the same way—"huevón" is the classic
insult used throughout).

~~~
cambalache
Not at all. Huevos is the preferred term in Argentina/Uruguay.

~~~
LolWolf
Interesting. My dad is Uruguayan and I have not heard him use it (perhaps a
biased sample?). I’m Venezuelan, for context, so it may explain this view :)

~~~
cambalache
Venezuelan and you've never heard an Argentinian say "ponga huevo" or "dejame
de romper los huevos"? Ay chamo, they're going to take your cédula away,
Maduro. But if your old man is Uruguayan, maybe they use "pelotas" more over
there, then.

------
fulyscentedking
Don't use Xiaomi, Huawei or other Chinese smart phone brands if you don't want
your information collected by those Chinese companies and the CCP.

That being said Google, Apple and other American companies collect your
information too, maybe not as bad, just maybe.

We really need good free and open source OS options for smart phones. Like the
GNU/Linux options available on desktops.

~~~
Hnrobert42
Off-handedly casting Google and Apple in the same lot with CPC sponsored phone
companies is absurd.

~~~
morsch
Maybe so, but you're not making much of an argument of it.

~~~
Hnrobert42
I will not be baited into distinguishing between the two. As noted, saying
they are the same on its face. If you believe they are the same/similar, I
encourage you to write an article about it and post it for a discussion here
on HN. If you let me know, I’ll happily respond there. Otherwise, I will
assume you agree with me.

------
cmoscoso
I think they call it backup.

------
bottled_poe
This is surprising? I thought this was a feature.

~~~
gruez
>I thought this was a feature.

???

In what way does this benefit the user?

~~~
Hnrobert42
Improved user experience. /s

------
seemslegit
As opposed to ?

------
mdpopescu
So... the browser on Xiaomi phones is doing what the other browsers have been
doing for years?

The horror!

------
seemslegit
> One message was clear to the researcher: when you’re listening, Xiaomi is
> listening, too.

So does one or more of: Google, Facebook, Samsung, Apple, Amazon

------
i_am_nomad
Many comments here boil down to “if you want privacy, buy an iPhone.” While
true, this is another exhibit of privacy now being only for people who can
afford it.

~~~
andrepd
>While true

Is it? I never understood the reasoning. What makes you think Apple is better
than Xiaomi/Samsung/Google/whatever?

~~~
i_am_nomad
Maybe I should qualify that with, “outside of China.” If you’re using Apple
phones in China, you should assume your data are available to the CCP.

Otherwise, I have yet to see any evidence or indication that Apple collects
data in a manner similar to what’s described in this article.

~~~
RealStickman_
So basically Apple only protects you when they think they won't lose too
much? No thanks, I'll take LineageOS + microG every day.

------
ravenstine
I'm sure they won't be able to deanonymize the data at the government's
behest.

------
thoraway1010
I know Apple keeps on getting headlines for breaking privacy (and also making
phones that supposedly get thrown away because they don't have right to
repair).

My own sense is android phones are MUCH less private and secure AND have much
shorter useful lives.

~~~
LeoPanthera
> I know apple keeps on getting headlines for breaking privacy

Seems like they're mostly in the news for the exact opposite.

------
peterwwillis
Google has been doing this for like a decade, and we've known 5-Eyes has been
collecting this data from them for like a decade. So I guess the news is that
China is late to the party.

------
ptx
How does Windows 10 compare? It also tracks and reports which websites you
visit, but maybe it doesn't in private browsing mode?

Edit: People asking for sources, go to Settings -> Diagnostics & Feedback. See
the part where it says "Send ... info about websites you browse"? You might
also be interested in the setting below it; when you enable it "Microsoft will
collect samples of the content you type"[1].

[1] [https://support.microsoft.com/en-us/help/4468236/](https://support.microsoft.com/en-us/help/4468236/)

~~~
drevil-v2
Citation needed. The device telemetry does not include browsing history.

~~~
ptx
Citation needed. Microsoft's documentation says it includes "information about
the websites you browse".

It also says that "data items collected in Windows diagnostics are subject to
change to give Microsoft flexibility to collect the data needed", so even if
they aren't collecting that data today, they reserve the right to take
whatever they want whenever they feel like it.

------
throwaway9587
Before you go shaming those bad, bad Chinese companies, imagine my surprise
when I restored my Apple iPhone from iCloud only to find my (always set to
private!) Safari back there with every tab I ever opened.

~~~
gruez
It's entirely possible to implement that behavior in a privacy preserving way.
Just encrypt "sensitive" data with a key that's stored on the secure element.
That way if you restore to the same device, you get everything back. Sadly, I
don't feel like wiping my phone to test this out, so whether Apple actually
does that is an open question at this point.
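
An added sketch, in Python, of the design the comment describes; this is not Apple's code, and nothing here says how iCloud actually behaves. A stand-in for a secure element holds a key that never leaves it and only answers keyed-PRF requests; backup data is sealed under keys derived from it, so a restore on the same device succeeds while a restore on a different device, or of a tampered blob, is refused. The `SecureElementStub` class, the HMAC-SHA256 counter-mode keystream (chosen so the example runs on the standard library alone; a real build would use AES-GCM with a key in a hardware-backed keystore) and the sample tab list are all constructed for this example.

```python
"""Device-bound sealing of backup data: only the device holding the key can restore it."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


class SecureElementStub:
    """Stand-in for a hardware key store: the key is generated inside and never exported."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def prf(self, msg):
        # The only operation exposed to software: a keyed PRF over the caller's message.
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def _subkeys(se, label):
    # Derive separate encryption and MAC keys from the sealed device key (HKDF-style expand).
    return se.prf(b"enc|" + label), se.prf(b"mac|" + label)


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only PRF stream (illustrative; use AES-GCM in practice).
    out = bytearray()
    for counter in range(-(-length // 32)):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(se, label, plaintext):
    """Encrypt-then-MAC `plaintext` under keys bound to this device; returns nonce|ct|tag."""
    enc_key, mac_key = _subkeys(se, label)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(se, label, blob):
    """Verify the tag with this device's MAC key before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated backup")
    enc_key, mac_key = _subkeys(se, label)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong device key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def restore_outcomes():
    """Seal a constructed private-tab list on device A; try restoring on A, on B, and from a tampered blob."""
    tabs = b"https://example.org/private-tab-1\nhttps://example.org/private-tab-2\n"
    label = b"browser-private-tabs"
    device_a, device_b = SecureElementStub(), SecureElementStub()
    blob = seal(device_a, label, tabs)

    same_device = unseal(device_a, label, blob) == tabs
    try:
        unseal(device_b, label, blob)
        other_device = "decrypted"
    except ValueError:
        other_device = "refused"
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        unseal(device_a, label, bytes(tampered))
        integrity = "accepted"
    except ValueError:
        integrity = "refused"
    return same_device, other_device, integrity


if __name__ == "__main__":
    print(restore_outcomes())  # expected: (True, 'refused', 'refused')
```

The cloud side only ever stores `nonce|ct|tag`, so it can keep the blob indefinitely and still learn nothing about the tabs; the price is that the blob is worthless on a replacement device unless the device key itself is migrated through some other protected channel, which is exactly the trade-off the comment leaves open.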

