
F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data

timothy posted about 3 months ago | from the they're-just-making-a-copy dept.

Cellphones 164

They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?


Obligatory (2, Informative)

Anonymous Coward | about 3 months ago | (#47640579)

"By not having one" comment

Re:Obligatory (0)

Anonymous Coward | about 3 months ago | (#47640617)

Not having phone how loud stupid gossip with fair weather friends?

Re:Obligatory (1)

tepples (727027) | about 3 months ago | (#47641687)

Doesn't always help if the person on the other end has a Xiaomi phone.

well.. (2)

sjwt (161428) | about 3 months ago | (#47640583)

One could always try one of these...

Nice little phone [photobucket.com]

Re: well.. (0)

Anonymous Coward | about 3 months ago | (#47642005)

This is how you get your privacy back:
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

Normal now (5, Insightful)

Mitreya (579078) | about 3 months ago | (#47640585)

Xiaomi smartphones do in fact upload user data without their permission/knowledge

Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.

Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.

Re:Normal now (4, Informative)

Zumbs (1241138) | about 3 months ago | (#47640791)

Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge

Half? Try 99% of the top 400 apps [appthority.com] on both Android and iPhone. I also seem to remember that Apple got into problems because they were uploading user data without permission.

Re:Normal now (1)

Anonymous Coward | about 3 months ago | (#47640811)

Did you actually read that report? Most of the items on the list have nothing to do with uploading user's data.

Re:Normal now (-1)

Anonymous Coward | about 3 months ago | (#47640865)

Most of what the Nazis did didn't involve indiscriminate murdering of Jews. What is your point, fanboi?

Re:Normal now (0)

Anonymous Coward | about 3 months ago | (#47641363)

That escalated quickly.

Re:Normal now (0)

Anonymous Coward | about 3 months ago | (#47641441)

:D

Re:Normal now (2)

Zumbs (1241138) | about 3 months ago | (#47640871)

The most commonly uploaded data is location data (followed by identification using IMEI/UDID). In my book that is user data, but you are free to disagree.

Location data has legit uses (2)

tepples (727027) | about 3 months ago | (#47641715)

So should "find restaurants near me" apps instead require users to download the complete list of worldwide restaurants? Because even clicking on a map or entering a postal code is "location data". Another is to satisfy movie studios that refuse to license works for streaming unless the provider can positively match viewers to a country whitelist.

Re:Location data has legit uses (1)

Anonymous Coward | about 3 months ago | (#47641959)

No. But "flash light" apps shouldn't. You're confusing a legitimate need for an app to require access to data with an app that requires access to data it should never use.

But there's no way to say "block this access", you either have to accept everything the app asks for, or refuse to install it.

Re:Normal now (1)

AmiMoJo (196126) | about 3 months ago | (#47641025)

I also seem to remember that Apple got into problems because they were uploading user data without permission.

Indeed, and in fact what F-Secure found is that the phone sends the IMSI and SIM's phone number to a server via an HTTP request. The lack of encryption is rather poor but in terms of what data it sent it is actually far less than what Apple was caught doing.

Re:Normal now (1)

Kjella (173770) | about 3 months ago | (#47641115)

Those numbers look clearly inflated to sell their own consulting reports and services. Like in-app purchases, so because Angry Bird lets you buy the Mighty Eagle it has a "risky behavior"? Oh please. It'd be easier to take seriously without the hyperbole.

Re:Normal now (4, Informative)

sribe (304414) | about 3 months ago | (#47641491)

I also seem to remember that Apple got into problems because they were uploading user data without permission.

Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.

Re:Normal now (1)

Shoten (260439) | about 3 months ago | (#47641881)

I also seem to remember that Apple got into problems because they were uploading user data without permission.

Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.

Right...and even then, this was location-based information that Apple said the phone wasn't collecting. It could just as easily have been a misunderstanding about underlying software behavior at a low level (or even that the programmer who built it that way didn't even work at Apple any longer) as anything else.

Re:Normal now (3, Insightful)

Z00L00K (682162) | about 3 months ago | (#47640839)

The only way around it is to avoid storing sensitive data on the phone.

This must also be an important issue for those that use phones as security tokens, i.e. banks and other important institutions that send an SMS with credentials to provide verification - it's a very insecure solution since the phone may have an app that forwards the credentials to a third party that can use this to access the system.

Re:Normal now (0)

Anonymous Coward | about 3 months ago | (#47640875)

It is another factor for authentication. If the others are never seen on the phone then the phone still stands as a 2FA device.

Re:Normal now (2)

Shoten (260439) | about 3 months ago | (#47641887)

The only way around it is to avoid storing sensitive data on the phone.

This must also be an important issue for those that use phones as security tokens, i.e. banks and other important institutions that send an SMS with credentials to provide verification - it's a very insecure solution since the phone may have an app that forwards the credentials to a third party that can use this to access the system.

Avoid storing sensitive data...like the phone numbers of other people? Like the text messages you send? Just using this phone...to make phone calls, mind you...results in data being uploaded. I don't see how "not having that data" on your phone is really an option. It's a goddamned phone; you're going to have to use it, some day.

Never ethical, never private, never secure (1)

jbn-o (555068) | about 3 months ago | (#47642071)

Location data and contact/address data are sensitive yet inextricably linked to how people use trackers (also known as cell phones and other portable electronic devices). Whether the device conveys GPS coordinates, can be tracked to a remarkably small area via cell tower triangulation, or unknown (to the user) parties get the information from a proprietor (such as Apple [consumerist.com] ), the privacy loss inherent in ordinary tracker operation makes it impossible to "avoid storing sensitive data on the phone".

This is no accident. When societies face the combination of nonfree software (both in OS and programs people are encouraged to install later), devices that are as close to always-on as is possible for mobile computing, and a userbase as persistently distracted away from focusing on their civil liberties as most tracker users are (no thanks to sites like /. which carry stories like these without any ethical critique to go alongside the corporate-written stockprice-sensitive spin) results like these are the outcome. Add to that the unethical ways in which trackers are made (such as Apple turning a blind eye to the environment in China [dw-world.de] or exploiting workers at Pegatron even worse than at Foxconn [theguardian.com] but Apple is certainly not alone in any of this) and you have an ugly recipe for abuse from end-to-end. Many thanks to people including Richard Stallman for compiling useful information about all of this [stallman.org] and for his many years of warning people against nonfree software.

So what? (0)

Anonymous Coward | about 3 months ago | (#47640589)

I have the Redmi Note and use their cloud service for backups. As far as I'm concerned, every government in the world has their fingers in my phone data, so why not let a relatively innocuous company like Xiaomi?

I'm sure as hell not going to commit any genuinely private data to ANY network or device without encryption.

Why is /. spreading false rumor ? (-1, Troll)

Anonymous Coward | about 3 months ago | (#47640601)

To Timothy,

The allegation of Xiaomi engaging in stealing secrets / spying on behalf of the Chinese government has been proven false

Would you kindly check for facts before you post an article ?

Hugo Barra has posted the clarification on this subject more than one week ago

See it here --- https://plus.google.com/+HugoB... [google.com]

Q: Online articles recently referred to some privacy issues with the Redmi Note, claiming that photos and text messages are sent to China secretly. Are they true?

A: An article severely misinterpreted a discussion thread asking about the Redmi Note's communication with a server in China. The article also neglected to refer to a Chinese version of this Q&A already posted on the Xiaomi Hong Kong Facebook page (https://www.facebook.com/Xiaomihongkong/posts/799059896795602). MIUI does not secretly upload photos and text messages.

MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy.

Q: Does Xiaomi upload any personal data without my knowledge?

A: No. Xiaomi offers a service called Mi Cloud that enables users to back up and manage personal information in the cloud, as well as sync to other devices. This includes contacts, notes, text messages and photos. Mi Cloud is turned off by default. Users must log in with their Mi accounts and manually turn on Mi Cloud. They also have the option to only turn on backup for certain types of data. The use and storage of data in Mi Cloud fully respects the local laws of each country and region. Strict encryption algorithms are implemented to protect user privacy.

Q: Can I turn Mi Cloud off?

A: Yes. Just go to Settings > Mi Cloud to turn it off. If you would like to use a cloud back up service from another provider, there are options from Google, Dropbox and many others.

Q: Why should I believe you?

A: Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users. In a globalized economy, Chinese manufacturers' handsets are selling well internationally, and many international brands are similarly successful in China - any unlawful activity would be greatly detrimental to a company's global expansion efforts.

Re:Why is /. spreading false rumor ? (4, Funny)

Rosco P. Coltrane (209368) | about 3 months ago | (#47640613)

Oh, someone swears it's all a-okay. I'm totally reassured now...

Re: Why is /. spreading false rumor ? (1)

thesupraman (179040) | about 3 months ago | (#47640639)

Well he was one hell of a lot more convincing than you.
Which was not difficult.

Re: Why is /. spreading false rumor ? (-1)

Anonymous Coward | about 3 months ago | (#47640911)

Well he was one hell of a lot more convincing than you.
Which was not difficult.

No, no he wasn't, except to simpletons with their heads in the sand.

So a non-denial denial (5, Informative)

Anonymous Coward | about 3 months ago | (#47640653)

The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.

"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends PHONE NUMBERS and IMEI details without permission.

This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.

Re:So a non-denial denial (1, Insightful)

ThePhilips (752041) | about 3 months ago | (#47640889)

"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

When my Android phone starts, I'm pretty sure it sends the same shit to api.account.google.com or some such. And probably to api.account.samsung.com. Because I have Google and Samsung accounts and I'm logged in by default.

Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.

When news comes from "security" consultancies, I frankly often side with the manufacturers. The ensuing hype only promotes the "consultancies" - and does nothing positive for the manufacturers. Why would they (manufacturers) add something to the phone to help promote the "consultancies"?!

Re:So a non-denial denial (5, Informative)

benjymouse (756774) | about 3 months ago | (#47640949)

Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.

I know this is slashdot, but if you start making claims about what is *not* in the article, could we at least expect you to look for it yourself?

F-Secure saw the communication even before they created a Mi cloud account.

The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

- Inserted SIM card
- Connected to WiFi
- Allowed the GPS location service
- Added a new contact into the phonebook
- Sent and received an SMS and MMS message
- Made and received a phone call

"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

I do not often say this on ./ but you're an idiot!

Re:So a non-denial denial (5, Informative)

Anonymous Coward | about 3 months ago | (#47640999)

Mi Cloud is turned off, you never read their claim, they never turned it on, it was a new handset tested.

The phone sends your phone number to Xiaomi, it sends your IMEI and your network provider. F-Secure tested it by sending an SMS, and the handset sent the number of that SMS too. They added a contact and that phone number of the added contact was sent too.

All of this with Mi Cloud turned off on a freshly bought Xiaomi handset.

Your Android handset certainly does not do this, and not without permission and it is *not* acceptable.

Re:So a non-denial denial (1)

ThePhilips (752041) | about 3 months ago | (#47641059)

Mi Cloud is turned off, [...]

Oops! (Though I'm still doubtful, frankly.)

Your Android handset certainly does not do this,

Well, actually, it does. Because Android to be useable requires Google account. And when you create a Google account, Google conveniently activates the "Sync", IOW, sending your contacts, appointments, messages, etc - for archive purposes - to the Google servers.

and not without permission and it is *not* acceptable.

Buried in the EULA is not the same as giving an explicit permission. Having a crippled brick instead of the phone serves as a good incentive to "give the permission" to be spied on.

As others have said: do not put any sensitive information on the phone. IMO, with the current business around private information, masquerading as the "social" networking, I wouldn't even put the encrypted files on the smartphones.

Re:So a non-denial denial (1)

DamonHD (794830) | about 3 months ago | (#47641073)

Well, actually, it does. Because Android to be useable requires Google account.

No.

I very deliberately did NOT set up a Google account on my Android Fairphone, and it does the basic things just fine, like, um, phone calls and even alarms. It even takes OK pictures.

I have EU citizens' contact details in my phone and I think that, given NSA revelations, I would be breaking the law to knowingly share/sync those details with/via a US entity such as Google (or Apple).

Would be nice to have local contact and calendar sync with my MacBook (OS X 10.9) but Apple made that hard, not the lack of apps on the phone so far as I can tell.

Rgds

Damon

Re:So a non-denial denial (1)

Anonymous Coward | about 3 months ago | (#47641535)

I have EU citizens' contact details in my phone and I think that, given NSA revelations, I would be breaking the law to knowingly share/sync those details with/via a US entity such as Google (or Apple).

You == idiot.

Re: So a non-denial denial (0)

Anonymous Coward | about 3 months ago | (#47641957)

If you want local sync, look into OwnCloud. You can run your own server, it's open source, provides calendar and contact sync for your devices, has iOS, Android, Windows and Mac support and also does OneDrive / DropBox style file sync. Set your server up with http and you've got a wholly controlled sync solution that works as well as the privacy trashing commercial services.

You're welcome :)

Re:Why is /. spreading false rumor ? (-1)

Anonymous Coward | about 3 months ago | (#47641437)

Fuck you, you commie apologist.

Lately, (0)

Anonymous Coward | about 3 months ago | (#47640603)

many stories on Slashdot end with a question mark.
What do you think, is this a good or bad thing?

Re:Lately, (1)

Rosco P. Coltrane (209368) | about 3 months ago | (#47640611)

Depends: European or African thing?

Re:Lately, (-1)

Anonymous Coward | about 3 months ago | (#47640663)

Negroid thang.

Why "relatively" private? (4, Interesting)

Rosco P. Coltrane (209368) | about 3 months ago | (#47640605)

I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?

By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.

Examples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.

Re:Why "relatively" private? (0)

Anonymous Coward | about 3 months ago | (#47640747)

By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot,

I think perhaps the question is: Where do you find a trusted phone?

Re:Why "relatively" private? (5, Insightful)

worf_mo (193770) | about 3 months ago | (#47640757)

[...]

By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.

Examples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.

Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friends' devices under your real name. Apple, Google & Co already have your details, whether you use their service or not. It should be easy for them to filter out bogus data and associate your number with your real name.

Won't help my ass (0)

Anonymous Coward | about 3 months ago | (#47641047)

> Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friend's devices under your real name. Apple, Google & Co already have your details [...]

While it's important to keep that in mind, the "this won't help" mindset is a classical fallacy: someone gotta start, and if (and when) it's widespread enough, it'll help all of us. Like hygiene.

You don't spit on the roads, do you? Or do you shit out your window?

So if you implement that -- have a talk with your friends about it too.

Re:Won't help my ass (3, Insightful)

jareth-0205 (525594) | about 3 months ago | (#47641153)

> Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friend's devices under your real name. Apple, Google & Co already have your details [...]

While it's important to keep that in mind, the "this won't help" mindset is a classical fallacy: someone gotta start, and if (and when) it's widespread enough, it'll help all of us. Like hygiene.

You don't spit on the roads, do you? Or do you shit out your window?

So if you implement that -- have a talk with your friends about it too.

Well not really, because *everybody* has to do it or it's useless, and since your phone number could easily be in 100 phonebooks that's a lot of poisoning to do. And as soon as people start doing it in numbers you can imagine a malicious Google (or whatever) would implement anti-poisoning analysis.

I believe the only real solution, which is unpopular on this largely libertarian site, is to have stronger protections in law, making data about you your property and controlled as such, and penalties for misuse the same seriousness as theft. That's a long way from where we are now though.

Re:Won't help my ass (1)

retchdog (1319261) | about 3 months ago | (#47642183)

libertarians are all about personal property, until it conflicts with another of their interests (often big business, but not always).

it's a quick way to tell what they really want. there's no really fundamental libertarian reason to not protect personal data as property; it's just that the vogue in pop-libertarianism right now is to strip consumer rights in favor of tech companies. why? well, maybe because pop-libertarians are techies, and they want that shit.

Re:Why "relatively" private? (1)

AmiMoJo (196126) | about 3 months ago | (#47641055)

Apple, Google & Co already have your details, whether you use their service or not.

It is illegal to use such data in the EU. They can store it on the user's behalf (cloud service), but to use it themselves they need permission of the subject of the data which clearly they don't have. Building "shadow profiles" is illegal here.

Re:Why "relatively" private? (0)

Anonymous Coward | about 3 months ago | (#47641503)

Right, so they build the profiles of EU citizens in the USA. You didn't really think they care about the EU's laws did you?

Re:Why "relatively" private? (1)

Ol Olsoc (1175323) | about 3 months ago | (#47641529)

Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friends' devices under your real name. Apple, Google & Co already have your details, whether you use their service or not. It should be easy for them to filter out bogus data and associate your number with your real name.

The whole system from top to bottom is inherently non-private. Get yourself a phone number/device, and they have your name and address for billing. Use that smartphone and the very nature of cellular is that you are located to a tower. And GPS even furthers your location accuracy.

There is no privacy, it was not designed to be private. And extraordinary measures to be anonymous simply attract attention.

Re:Why "relatively" private? (0)

Anonymous Coward | about 3 months ago | (#47640767)

>I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?

Then don't get a phone, much less a smartphone, twinkie. By definition, the global phone and data network can see everyone you talk to and your location to within the service radius of the nearest cell tower.

>Examples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.

This is quite possibly the dumbest thing I've read all month.

Re:Why "relatively" private? (0)

Anonymous Coward | about 3 months ago | (#47640785)

This is quite possibly the dumbest thing I've read all month

Care to elaborate?

Re:Why "relatively" private? (1)

stephanruby (542433) | about 3 months ago | (#47640931)

I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?

By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.

Examples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.

If you want privacy, don't use an address book, memorize your friends' numbers. On that topic of friends, don't have more than two friends. That will minimize your exposure. The first one can be called Mr. White and the second one Mr. Black, and again, don't be lazy, do not enter their nickname into the address book.

Do not use gps navigation, get yourself an old-fashioned magnetic compass. Magnetic compasses have worked for centuries. And they'll keep on being useful for many centuries to come. Turn on your phone only at specific hours on certain dates. The rest of the time, keep your phone turned off, battery removed, and the phone tucked away in a Tesla envelope (along with some extra sim cards). And if someone ever comes knocking on your door, or calls you by mistake, you're a Jehovah's Witness and you're into Multi-Level-Marketing.

That's what I would call total privacy, and even then it wouldn't be completely total.

Re:Why "relatively" private? (1)

Ol Olsoc (1175323) | about 3 months ago | (#47641541)

If you want privacy, don't use an address book, memorize your friends' numbers. On that topic of friends, don't have more than two friends. That will minimize your exposure. The first one can be called Mr. White and the second one Mr. Black, and again, don't be lazy, do not enter their nickname into the address book.

Do not use gps navigation, get yourself an old-fashioned magnetic compass. Magnetic compasses have worked for centuries. And they'll keep on being useful for many centuries to come. Turn on your phone only at specific hours on certain dates. The rest of the time, keep your phone turned off, battery removed, and the phone tucked away in a Tesla envelope (along with some extra sim cards). And if someone ever comes knocking on your door, or calls you by mistake, you're a Jehovah's Witness and you're into Multi-Level-Marketing.

That's what I would call total privacy, and even then it wouldn't be completely total.

Dude! you forgot the Sextant, a fine and secure way of location.

Re:Why (0)

Anonymous Coward | about 3 months ago | (#47641767)

I don't think compasses will remain useful for centuries to come. Changes in the magnetic poles and their eventual reversal will cause compasses to stop working at some point, and then reverse once the polarity is reversed.

That's impossible (0)

Anonymous Coward | about 3 months ago | (#47640609)

You've never been able to control your cell phone: even something as innocuous as communicating with a cell tower in range is something you might not want to happen.

If you want to keep your data private, do not let it get anywhere near your phone.

Re:That's impossible (0)

Anonymous Coward | about 3 months ago | (#47640633)

Actually, there is this awesome remake of N900: http://neo900.org/ [neo900.org] which would have plain Linux as OS and modem actually will be properly separated from motherboard, so you could be sure it is turned off when you turn it off. It will be pretty expensive though, since currently they struggle to find even 1000 buyers.

Re:That's impossible (1)

sumdumass (711423) | about 3 months ago | (#47640745)

I want one...

But perhaps they struggle to find buyers is largely because there is no pre order option or let me know when it is available option that I can find on their website. Maybe they could set up something like an if interested in owning one of these, keep me informed something or other. There is only a donate button and I don't wish to fund a project, I wish to purchase the results of it if the price is right- and we won't know that until it's shipping or ready to ship.

Ship dates (1)

tepples (727027) | about 3 months ago | (#47641751)

But perhaps they struggle to find buyers is largely because there is no pre order option

Perhaps that's because payment processors want a ship date in the next 30 days. OpenPandora had to refund a lot of preorders when it couldn't ship in that time frame.

Not actually sending much info, just the IMEI (4, Insightful)

Animats (122034) | about 3 months ago | (#47640635)

So far, all they've found it doing is reporting the IMEI by sending an HTTP GET http://api.account.xiaomi.com/pass/v3/user@id?type=MXPH&externalId=01 [xiaomi.com]. The data is transmitted as a cookie of the form deviceId=IMEI. (The API returns a brief reply in JSON.) That tells them the phone has connected to the phone network, and its IP address. That's not particularly interesting information. The carrier knows the IMEI number, too, of course. Perhaps this is to check up on whether carrier-reported sales data matches actual phones coming on the air.

Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.
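
An added example, not part of the comment above or of F-Secure's report: a Python check a defender could run over captured requests to spot the behaviour described, an IMEI sent as a `deviceId` cookie over plain HTTP. It goes slightly further than the one case in the comment by also checking query strings and request bodies. The IMEI is a sample value, and the second and third requests and the `example.test` hosts are constructed for illustration.

```python
"""Flag IMEIs leaving a phone in captured HTTP requests (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# An IMEI is 15 digits; the last one is a Luhn check digit.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_imeis(text):
    """15-digit runs that also pass Luhn (cuts down on order numbers etc.)."""
    return [m for m in IMEI_RE.findall(text) if luhn_ok(m)]


def mask(imei):
    """Keep the 8-digit TAC (identifies the model), hide the serial part."""
    return imei[:8] + "*" * 7


def parse_request(raw):
    """Split a raw HTTP/1.x request into target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body


def scan_request(scheme, raw):
    """Return one finding per IMEI seen in the query, cookies or body."""
    target, headers, body = parse_request(raw)
    query = urlsplit(target).query
    fields = [("query", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            fields.append(("cookie", name, value))
    if body:
        fields.append(("body", "", body))
    findings = []
    for where, name, value in fields:
        for imei in find_imeis(value):
            findings.append({
                "host": headers.get("host", ""),
                "where": where,
                "name": name,
                "imei": mask(imei),
                "cleartext": scheme == "http",  # readable by anyone on path
            })
    return findings


def scan_capture(capture):
    """capture: iterable of (scheme, raw_request) pairs."""
    return [f for scheme, raw in capture for f in scan_request(scheme, raw)]


def _req(*lines, body=""):
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed capture. Only the first request's host, path and cookie name
# come from the comment; the IMEI is a sample value, not from the report.
SAMPLE_CAPTURE = [
    ("http", _req("GET /pass/v3/user@id?type=MXPH&externalId=01 HTTP/1.1",
                  "Host: api.account.xiaomi.com",
                  "Cookie: deviceId=490154203237518")),
    # 15 digits but fails Luhn: an order number, not an IMEI.
    ("http", _req("GET /track?order=123456789012345 HTTP/1.1",
                  "Host: shop.example.test")),
    # Same identifier inside a TLS session (seen via an inspecting proxy).
    ("https", _req("POST /register HTTP/1.1",
                   "Host: api.example.test",
                   "Content-Type: application/x-www-form-urlencoded",
                   body="imei=490154203237518&model=demo")),
]

if __name__ == "__main__":
    for finding in scan_capture(SAMPLE_CAPTURE):
        print(finding)
```
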

You want to be safe? (3, Insightful)

Nyder (754090) | about 3 months ago | (#47640651)

Look, these days if you want to be safe, do not use a smartphone. Get a dumb phone, then you don't have to worry about any apps leaking your data.

Either an app will leak your data, someone will hack your phone, you leave it somewhere or someone steals it. Either way, you are screwed if you use your phone for all sorts of personal/business stuff.

I guess it's about convenience over personal/financial/business safety.

That's not a solution (1)

bolt_the_dhampir (1545719) | about 3 months ago | (#47640915)

Using a dumb phone is not a solution. Everything a dumb phone does, by which I mean mainly messaging and phone calls, can be monitored anyway, as well as the location of the phone, by triangulation. All this means is that you lose features with implied privacy issues by going from a smart to a dumb phone, but are left with the remaining features that also have privacy issues.

Re:You want to be safe? (0)

Anonymous Coward | about 3 months ago | (#47641177)

Look, these days if you want to be safe, do not use a smartphone. Get a dumb phone, then you don't have to worry about any apps leaking your data.

But then you can't use all the cool and useful apps. I don't want to live a Richard Stallman lifestyle where he is "free" but everything is extremely clunky and limited.

Your phone is not a trusted device (4, Insightful)

bolt_the_dhampir (1545719) | about 3 months ago | (#47640655)

It's as simple as that. It doesn't matter if you turn on mobile data as long as that is under the control of the phone's operating system, and it doesn't matter if you pay attention to your cell phone bill, as traffic to and from specific government servers is likely exempt from the monthly traffic calculations just as the provider's own servers are likely to be. It doesn't matter if you monitor your wireless network, since questionable transmissions are likely to only go through mobile data, as that's harder to monitor.

While you may be able to test this with your own base station, the phone might also detect that it's not on an official network and therefore not do anything, but that's probably taking it a bit far.

While you could switch to a "dumb" phone, those are of course also trackable, and your conversations and messages can still be monitored, so I don't see any real gain there.

Myself, I carry a phone with me all the time, but I simply do not treat it as a secure device. If you want to take private pictures with your girlfriend, for instance, your phone is not the camera you want to use. End of story.

Blackphone (0)

Anonymous Coward | about 3 months ago | (#47640671)

Get a Blackphone

Www.blackphone.ch

Re:Blackphone (3, Insightful)

raburton (1281780) | about 3 months ago | (#47640685)

Get a Blackphone

...because its manufacturer assures you it's secure!

Re:Blackphone (0)

Anonymous Coward | about 3 months ago | (#47641531)

https://twitter.com/TeamAndIRC/status/498187730023501824

Off-topic rant... (0, Informative)

Anonymous Coward | about 3 months ago | (#47640689)

What's with all this Sinophobia and Russophobia, slashdot?
I know it's good for marketing (news sites make loads of money by exaggerating facts while pushing some propaganda), but seriously, can you put yourselves in the shoes of those foreigners living in your country?
For example, from the articles related to Russia I've read, EVERY ARTICLE has been shown to be manipulative and politically biased by its own commenters. How do you think Russians feel? EACH AND EVERY SINGLE article about Chinese technology mentions malware, "hacking" or the Chinese military. I got news for you: China and Russia are SCAPEGOATS, and the infosec industry PROFITS from it. Who are the ones in the infosec industry? YOUR MILITARY. Do you really believe the Chinese Government controls all the devices made in China? No? Then WHY do you keep spreading PROPAGANDA?
Really, what does it matter to you if people in some remote country are killing each other? And how does THAT relate to NERDS and TECHNOLOGY? If you will publish political stuff, CAN you at least TRY to show a less biased point of view?
And finally.... what about some navel gazing? Can't you do some analogy to your own articles with your own laws/products/companies/whatever? What about some analysis about how much your own people care, and do, against their own government? Why don't you stop spreading ideological bullshit about "freedom" and "democracy", if you have NO moral ground to criticize other people's countries?
Either mind your own fucking business and stop spreading military/govt propaganda against other governments, try to be less biased, or simply make your editorial line public and show less hypocrisy, most of the stuff about Russia/China has nothing to do with NERDS or TECHNOLOGY, it's none of your business, and while you push for this propaganda, you are omitting what is already happening in your own country.

Off-topic rant... (0)

Anonymous Coward | about 3 months ago | (#47640799)

There are bad people in the world. Sometimes those bad people run countries.

Russia and China are two such countries.

For this article, a Chinese phone maker is sending your private data to its servers without need or agreement. It is breaking the privacy law in Europe doing so. Do we simply ignore that because it's Chinese?

It doesn't just send your phone number, and IMEI, and telco details, it sends the numbers of everyone you add to your phone book, and phone numbers of SMSs received. These third party people didn't agree to this either. Their privacy is violated also.

As to Russia, do you genuinely believe the Crimea suddenly swung to be totally pro-Russia? Or did Putin simply get a made up poll? Clearly it's a fake poll, and so the Crimea has been invaded. Ukraine is next, real people are dying there at the hands of Russian soldiers.

Is that Russophobia? No, it's the unpleasant truth.

Should I sugar coat it so that Russians living abroad feel happier? Perhaps their feelings aren't the most important thing here. Putin is killing people.

Off-topic rant... (-1)

Anonymous Coward | about 3 months ago | (#47641223)

You have no idea about Russia, about history of Autonomous Republic of Crimea etc. Real people are dying in Ukraine at the hand of the part of Ukrainian army obeying orders of the current violent Kiev regime. During WWII real Poles and Jews were dying at the hands of Ukrainian fascists - predecessors of current Ukrainian regime.

http://www.volhyniamassacre.eu/history/kalendarium [volhyniamassacre.eu]

Re: Off-topic rant... (0)

Anonymous Coward | about 3 months ago | (#47642021)

The US, in its lust for hegemony, is responsible for more death and misery to mankind than Russia and China combined.

Re:Off-topic rant... (0)

Anonymous Coward | about 3 months ago | (#47641461)

Russia shot down a plane full of people that had nothing to do with Tsar Putin's fiefdoms. That's why people dislike the Russians these days.

As for the Chinese, we don't like them in the same way people in the 1980s did not care for the Chinese, they are competitors.

Besides, have you seen the amount of anti-Americanism on this site?

Re:Off-topic rant... (0)

Anonymous Coward | about 3 months ago | (#47641579)

> What's with all this Sinophobia and Russophobia, slashdot?

As opposed to all the anglophobia of the hundreds of NSA and GCHQ stories?

Simple (1)

tquasar (1405457) | about 3 months ago | (#47640711)

There is no privacy. I knew a man who repaired pagers and police radios, etc. He worked in a small shop that was surrounded by copper screens and everything was grounded to eliminate any stray signals. Think of a clean room. So who can live like that?

How is it different from microsoft's windows? (0)

Anonymous Coward | about 3 months ago | (#47640715)

microsoft corporation's product called 'windows' does exactly the same.
And millions of pleb users still use it without saying anything.

Typical (1)

sociocapitalist (2471722) | about 3 months ago | (#47640759)

Because the American phone manufacturers don't do the same thing?
http://online.wsj.com/news/art... [wsj.com]

Don't trust any company with your personal information - or accept that it's going to be shared with whoever has the money to pay for it, or the power to grab it.

Re:Typical (3, Interesting)

rebelwarlock (1319465) | about 3 months ago | (#47640837)

So in your mind, only American companies should be in the news when they do something like this?

Re:Typical (0)

Anonymous Coward | about 3 months ago | (#47641175)

This is an American based/oriented site, isn't it?

How? Blackberry Q10 and Silent Circle Blackphone (0)

Anonymous Coward | about 3 months ago | (#47640763)

How about Blackberry Q10 and Silent Circle Blackphone?
I have a BB's Q10 and all the data is encrypted. I hope this helps and is better than iPhone or any other out there.
Silent Circle Blackphone is supposed to be the real deal but they did not have a version with QWERTY keyboard.

Why do they have to imitate Apple or Google? (1)

hherb (229558) | about 3 months ago | (#47640783)

Please, somebody tell the Chinese that this is not a feature users want, even if all the big vendors have implemented it!

In other news... (1)

jordanjay29 (1298951) | about 3 months ago | (#47640805)

...the sky is blue.

Carry on.

Firefox OS Niche (1)

Anonymous Coward | about 3 months ago | (#47640827)

Written by people that care about your privacy.

Tinfoil hat, blah blah... (1)

jayegirl (26328) | about 3 months ago | (#47640835)

Surely I'm not the only one who looks at the supercomputer in her pocket which is capable of speaker independent voice recognition, and often wonders whether encrypted text versions of *all* the conversations she's been having in its proximity are getting squirted off somewhere s33kr1t in the middle of the night, when no-one would notice a stray packet or two...

China can have it. (3, Interesting)

DMJC (682799) | about 3 months ago | (#47640841)

Frankly at this point, I'd rather the Chinese have my data to be honest. They won't share it with the Australian/Five eyes governments, and since I live in a Five eyes country, that works better for me. It's not like they'll put me in a prison from China for some BS they find on my phone. My own government on the other hand is much more likely to screw up my life using my own private data.

Obligatory (2)

Meneth (872868) | about 3 months ago | (#47640897)

The data is copied, not "stolen". Get it right!

Re:Obligatory (1)

jones_supa (887896) | about 3 months ago | (#47640967)

Indeed. :D

No one loses anything if you make a copy!

Blackberry, Microsoft, Apple and Google (4, Insightful)

jbolden (176878) | about 3 months ago | (#47640953)

Between commercial malware and government agencies, how do you keep your phone's data relatively private?

There are 4 main smartphone brands:

Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.

Of those 4 companies, which do you think you are going to have the toughest time with privacy? If you care about privacy and don't have a strong reason to pick Android, don't use Android; it is quite obviously going to have to be the worst of the 4. You are going to have to cut against the grain to be secure and be on a platform designed for advertisers. The other 3, while they may have problems, are all much, much better on privacy. Blackberry's balance feature allows you to create a container which divides your data into a secure side and an insecure side. They offer things like secure browsing by default. You want security? Choose an operating system designed to enhance, not reduce, security. Apple and Microsoft are sort of midpoints. Apple is very good about not allowing applications to upload data you don't know about; sharing between apps is off by default. Microsoft emulated the Apple sandboxing, certification and limited interaction approach; we'll see if over time they maintain it. If you want to use these devices and have secure data, something like Good's containers (which do work on Android) provide a pretty excellent way to keep specific data associated with specific applications secure.

Re:Blackberry, Microsoft, Apple and Google (0)

Kjella (173770) | about 3 months ago | (#47641101)

Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.

Apple is selling simplicity, they'll never give you the tools to manage your privacy.
Blackberry is selling central control, a satellite designed to talk to the mothership (BES).
Microsoft is trying to sell you Windows across the board = everything through the cloud.
Google is like you say a data siphon, their first party services are all about market data.

I'd say there's one black sheep and three shades of dark gray. However all of that doesn't matter nearly as much as you'd think as the real issue is third party apps. All of them want third party developers for their phone. The developers go where the money is. The money is in selling your data. So the platform will sell out your data. Until or unless someone is willing to cash out extra for a phone that doesn't "subsidize" itself by being a trojan horse, the current situation will continue. The Blackphone is interesting, but so stripped bare that most users won't use it. I think you need a sandbox/VM where you can run apps normally with fake contact/location/etc. data.

Re:Blackberry, Microsoft, Apple and Google (0)

jbolden (176878) | about 3 months ago | (#47641131)

I disagree. Apple does a pretty good job on privacy and is concerned about it. They've already limited applications interactions and they are fairly secure by default. Their infrastructure allows additional privacy to be easily added on.

As for Microsoft I'm not sure where you are disagreeing with me.

Re:Blackberry, Microsoft, Apple and Google (1)

drinkypoo (153816) | about 3 months ago | (#47641169)

I disagree. Apple does a pretty good job on privacy and is concerned about it.

They're so concerned about your privacy, they have three or four methods built into the phone which appear to be primarily for defeating it.

Re:Blackberry, Microsoft, Apple and Google (1)

jbolden (176878) | about 3 months ago | (#47641359)

I'm not sure what you mean specifically, so I can't comment on that. They seem to have a pretty good range of consumer grade privacy features that are adjustable. That's not to say that every time there is a conflict between privacy and some other goal they optimize for privacy, but they do seem to lean towards privacy and allow the privacy conscious to lean more towards privacy.

Re:Blackberry, Microsoft, Apple and Google (1)

sribe (304414) | about 3 months ago | (#47641507)

They're so concerned about your privacy, they have three or four methods built into the phone which appear to be primarily for defeating it.

Are you referring to the silly hoo-hah of a few weeks ago? Like the feature that makes an unencrypted backup of the phone's data IF THE USER REQUESTS UNENCRYPTED BACKUPS??? And the features that are not even on a normal phone, but get added when users install the developer tools???

Yeah, that was a whole lot of noise about nothing.

Re:Blackberry, Microsoft, Apple and Google (2, Insightful)

Anonymous Coward | about 3 months ago | (#47641105)

Google does _not_ sell user information.

They sell _the use_ of user information.

It is not the same thing.

Selling "Joe Blow works at Acme Corp and shops for sex dolls" is selling user information.

Selling "I will advertize your sex dolls to people who shop for them" is selling the _use_ of the information. Only Google knows you are Joe Blow at Acme with an interest in sex dolls. The advertiser does not; they just get a service that makes use of Google's knowledge.

Yes, Google knows your stuff. But they don't have to sell your info in order to profit from it.

Re:Blackberry, Microsoft, Apple and Google (1)

jareth-0205 (525594) | about 3 months ago | (#47641159)

There's one big wildcard in there though, if you buy an Android phone then the firmware can be replaced (ease depends on the model...) with open source variant that has more protections. Depending on your view of these firmwares, that might catapult it from the bottom of the pile to the top.

Re:Blackberry, Microsoft, Apple and Google (1)

jbolden (176878) | about 3 months ago | (#47641361)

I don't think the problem is so much the firmware on Android. The Samsung firmware on the Galaxy is excellent from a privacy and security standpoint. The issue is the higher up layers in the stack.

Re:Blackberry, Microsoft, Apple and Google (0)

Anonymous Coward | about 3 months ago | (#47641819)

You trust Samsung? Seriously? What? Seriously? What the fuck?

what about android? (0)

Anonymous Coward | about 3 months ago | (#47641227)

I changed my default search engine to something other than Google; however, I see a quick stint of traffic heading to google.com whenever I search

Get a phone with paging module (0)

Anonymous Coward | about 3 months ago | (#47641259)

Currently the only way to have a safe phone is one with verified OSS and a modem that can be disabled by powering it down. In order to stay in communications a POCSAG pager module can receive incoming calls, the phone owner can decide whether to with an easy to use app power up and call back the number received in the page.

Really (0)

Anonymous Coward | about 3 months ago | (#47641343)

As far as I can tell, they say that the IMEI and the telco's name were sent to the Xiaomi servers. Does that count as stealing user data?

Really (0)

Anonymous Coward | about 3 months ago | (#47641943)

Yes, because they're Chinese. And Chinese people steal stuff.

Not relevant (0)

Anonymous Coward | about 3 months ago | (#47641645)

So what?
Due to patent issues, they will not be coming to US/EU.
If you are in China, you don't care.
If you got it through gray market, you don't care.
I don't care

symbian (0)

Anonymous Coward | about 3 months ago | (#47642093)

That's why I like my Symbian-enabled Nokia phone. But it is just belief; as a matter of fact I'm not sure if it is safer to use Symbian phones.
