A few days back there was a report that the Indian Air Force (IAF) had sent out a circular to its staff telling them not to use Xiaomi Redmi 1S phones, on the grounds that they send data back to Chinese servers. The circular was based on a report published back in July by F-Secure, which tested the Redmi 1S and looked at the activation of the Cloud Messaging service (which enables users to send text messages for free, similar to other popular messaging services). Xiaomi was quick to resolve the issue by sending out an update that made the cloud service opt-in, so it is not enabled by default. F-Secure tested the updated version and found no privacy issue.
Now that the IAF circular has created a buzz on the Internet, the company has clarified that it does not collect any data without consent, and it has also published details on this.
1. Cloud services are now opt-in
The main issue was with the cloud services, which are now opt-in and not enabled by default. If you enable these services, here is what they do:
- Mi Cloud enables users to back up their data as well as sync it to other devices
- Cloud Messaging allows users of Mi devices to exchange text messages free of carrier charges by routing messages via IP instead of the carrier’s SMS gateway
These services are optional (opt-in). Users can turn them on and off at any time.
2. Company does not collect data without permission
The company has confirmed that it does not collect any data associated with services such as Mi Cloud and Cloud Messaging until the user provides explicit consent by turning on the corresponding service(s). Even after users have turned on these services, they can turn them off at any time. The company said that it takes rigorous precautions to ensure that all data is secured when uploaded to Xiaomi servers and is not stored beyond the time required.
3. Stored data is encrypted:
- Data is encrypted using the AES-128 standard before it is stored, which makes it practically impossible for anyone to steal this information
- User passwords and identifiers such as the IMEI number are hashed using cryptographic one-way hash functions before they’re uploaded, which means the company never actually receives the original information
- No single person, including Xiaomi employees, can decrypt user data stored in Mi Cloud, even if they get access to the hard drives
- Strict access control policies with multiple authorizations being required for engineers building services that access any personal data
- All access to servers is logged and audited
4. Company is moving Indian users’ data to servers outside of China, and to India in 2015
Since early 2014, the company has been migrating services and corresponding data for Indian users from Beijing data centers to Amazon AWS data centers in Singapore and the USA. Parts of this migration will be completed by the end of October, and all of it will be completed by the end of 2014. In 2015, the company plans to launch a local data center in India to serve the needs of (and store data for) Indian users.
The issue reported by F-Secure was fixed in almost 4 days, and the update was rolled out quickly.