Germany’s Federal Office for Information Security (BSI) on January 13 said that it has found no evidence of censorship capabilities in Xiaomi phones, Reuters reported.
In September last year, Lithuania’s Defence Ministry published a report alleging that Xiaomi devices have the built-in ability to detect and censor terms like “Free Tibet”, “Women’s Committee”, and “Long live Taiwan’s independence”. The report said that although this censorship capability is turned off for phones sold in the European region, the company has the ability to remotely activate it. Following these allegations, Germany’s cybersecurity watchdog launched a technical investigation into the Chinese manufacturer.
Since Xiaomi leads the smartphone market in India with a 23 percent market share, these allegations raised concerns about how this alleged capability could be misused by the Indian government, especially in light of the Information Technology Rules 2021, which require platforms to proactively identify and take down content deemed illegal by the government using automated tools.
However, a BSI spokesperson told Reuters that the cybersecurity agency was “unable to identify any anomalies that would require further investigation or other measures.” The agency did not provide any additional details to back its claim.
This finding must come as a relief to Xiaomi, especially since the company is currently being investigated by Indian tax authorities for allegedly evading customs duty worth Rs 653 crore.
What were the allegations against Xiaomi?
A cybersecurity assessment carried out by Lithuania’s National Cyber Security Centre (NCSC) found the following major cybersecurity risks associated with Xiaomi and Huawei devices:
- Censorship capabilities of Xiaomi devices: The study found that Xiaomi apps including MiBrowser, Security, Themes, Cleaner, and MIUI Package Installer regularly download a configuration file called “MiAdBlacklistConfig” from a server located in Singapore. “This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time the analysis was performed, 449 records were identified),” the report said. When NCSC analysed the applications, it found code that allows filtering of content based on the downloaded blacklist. “This allows a Xiaomi device to perform an analysis of the target multimedia content entering a phone: to search for keywords based on the MiAdBlacklist list received from the server. When it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information,” the report revealed.
- Risks associated with installing apps on Huawei devices: “Installing mobile applications on Huawei devices is characterised by cybersecurity uncertainties,” the report said. “It is worth noting that most of the application distribution platforms are located in countries not covered by the General Data Protection Regulation, which creates a corresponding risk of leakage of user metadata,” the report added. More importantly, the study “found that a portion of the mobile applications contained on the application distribution platforms are imitations of the original applications, with malicious functionality or virus infestation; such applications can be downloaded and installed by the user on the mobile phone, thereby jeopardising the security of the device and the data contained in it.”
- Data security risks associated with Xiaomi devices: The report said that pre-installed apps on Xiaomi devices send a variety of statistical data to servers of the Chinese cloud service provider Tencent, located in Singapore, the USA, the Netherlands, Germany, and India. The company reportedly collects data using two modules. “The Google Analytics module installed on the device allows the browsing and search history to be read, to send this data to analytics servers which Xiaomi accesses” and “the Sensor Data module has been found to collect statistical information on 61 parameters (time of activation of application, language used, etc.) about the activity of applications used,” the report said. “The collected statistics are sent via an encrypted channel to Xiaomi servers in Singapore, which is not covered by the General Data Protection Regulation. According to international sources, clear cases of unauthorised collection of user data by Xiaomi have been identified. Potentially excessive collection and use of analytical data can be said to pose a threat to the privacy of personal data,” the report concluded. Sensor Data reportedly has more than 1,500 customers, including some of the largest corporations in the People’s Republic of China, such as China Telecom, Baidu, CYTS, and Sichuan Airlines, the report stated.
Back then, Xiaomi refuted these allegations and told Reuters:
“Xiaomi’s devices do not censor communications to or from its users. Xiaomi has never and will never restrict or block any personal behaviors of our smartphone users, such as searching, calling, web browsing or the use of third-party communication software.”
Xiaomi also hired an independent third-party expert to investigate the allegations made by Lithuania.