Belgian state security gave similar advice a few months ago:
I’ve always suspected something like this might be happening with OEMs from the People’s Republic of China, which is why I would never buy a phone designed and controlled by them.
I would hope that installing a custom ROM, especially /e/ would wipe all that out. Maybe some /e/ users could report what they see in the way of background connections when using a tracker blocker app…?
Although this is not the case here, if the censorship functions were integrated into the hardware, like a CPU, you could not really prevent a phone from spying on your activity there.
This is consistent with my own observations. I can confirm that the stock Xiaomi MIUI makes an insane amount of connections to Alibaba Cloud servers in Singapore, as well as ad servers, Amazon hosted stuff and so on, with multiple connections being established every second. A lot of course also goes to Google, but the number of connections to Xiaomi servers is on another level.
Rest assured that absolutely every URL and search you perform in the supplied default browser ends up in the hands of the company, most likely also your location and more. I don’t even want to think about what might be happening with the biometric data from the fingerprint sensor.
You can use an app like No Root Firewall to see for yourself what connections are made.
Flashing /e/ should get rid of almost all of this on a level where I’d say it is safe for casual users. But don’t use a phone by a Chinese brand if you are a journalist, human rights activist, might be considered a contact person of someone in an ethnic minority group in China, or work for a company in an industry that might be a target of industrial espionage.
It would indeed be an interesting experiment to check how many suspicious connections remain after flashing /e/, even if it’s a non-scientific test via a piHole log or something.
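A way to run the non-scientific test suggested above is to feed the Pi-hole query log into a small script and compare the set of domains a phone talks to before and after flashing. This is an added example, not code from any post in this thread; it assumes the log is in the dnsmasq format Pi-hole writes to /var/log/pihole.log (only `query[...]` lines are counted), and the sample lines and domain names below are constructed placeholders, not real vendor hosts.

```python
import re
from collections import Counter

# dnsmasq-style query line as Pi-hole writes it (assumption about the log format):
# "Sep 22 10:15:01 dnsmasq[812]: query[A] host.example.org from 192.168.1.50"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(lines):
    """Yield (client, qtype, name) for every DNS query line; other lines are skipped."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qtype"), m.group("name").lower().rstrip(".")


def base_domain(name, labels=2):
    """Collapse a host name to its last N labels so one vendor's many hosts group together.
    Deliberately crude: no public-suffix list, so co.uk-style names are over-collapsed."""
    parts = name.split(".")
    return ".".join(parts[-labels:])


def summarize(lines, client=None):
    """Count queries per base domain, optionally restricted to one client IP (the phone)."""
    counts = Counter()
    for c, _qtype, name in parse_queries(lines):
        if client is None or c == client:
            counts[base_domain(name)] += 1
    return counts


def compare(before_lines, after_lines, client=None):
    """Return (gone, remaining, new) sets of base domains between two captures."""
    before = set(summarize(before_lines, client))
    after = set(summarize(after_lines, client))
    return before - after, before & after, after - before


# Constructed sample logs: a phone at 192.168.1.50 on stock firmware, then after flashing.
STOCK_LOG = """\
Sep 22 10:15:01 dnsmasq[812]: query[A] telemetry.example-vendor.invalid from 192.168.1.50
Sep 22 10:15:01 dnsmasq[812]: forwarded telemetry.example-vendor.invalid to 9.9.9.9
Sep 22 10:15:02 dnsmasq[812]: query[A] ads.example-adnet.invalid from 192.168.1.50
Sep 22 10:15:02 dnsmasq[812]: gravity blocked ads.example-adnet.invalid is 0.0.0.0
Sep 22 10:15:03 dnsmasq[812]: query[AAAA] api.example-vendor.invalid from 192.168.1.50
Sep 22 10:15:04 dnsmasq[812]: query[A] www.example.org from 192.168.1.50
Sep 22 10:15:05 dnsmasq[812]: query[A] time.example.net from 192.168.1.77
""".splitlines()

CUSTOM_ROM_LOG = """\
Sep 23 09:01:10 dnsmasq[812]: query[A] www.example.org from 192.168.1.50
Sep 23 09:01:11 dnsmasq[812]: query[A] updates.example-rom.invalid from 192.168.1.50
Sep 23 09:01:12 dnsmasq[812]: query[A] time.example.net from 192.168.1.77
""".splitlines()

PHONE = "192.168.1.50"

if __name__ == "__main__":
    print("stock firmware:", summarize(STOCK_LOG, PHONE).most_common())
    gone, remaining, new = compare(STOCK_LOG, CUSTOM_ROM_LOG, PHONE)
    print("gone after flashing:", sorted(gone))
    print("still contacted:", sorted(remaining))
    print("new after flashing:", sorted(new))
```

Restricting by client IP matters, because other devices on the same network share the Pi-hole and would otherwise pollute the count. Grouping by the last two labels is a rough heuristic chosen so that a vendor's dozens of sub-hosts show up as one line; a public-suffix list would be the proper fix.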
Or if you work for a government.
Other sources talk about a spam filter in the Mi browser for advertising. A storm in a teacup?
I find it embarrassing when a 22-year-old can figure this out, but Lithuania overlooks the whole thing (intentionally?). Is this perhaps not about security and privacy but about geopolitics?
Also, the Chinese are not the only ones who can spy…
Is Xiaomi possibly the next successful manufacturer on the US blacklist?
(Even though it has been removed from the blacklist for the time being due to a court ruling).
Reason one: No backdoor for the NSA built in.
Reason two: Successful and competition for Apple.
Everyone who endangers Apple and is not at the service of the NSA will end up on this list sooner or later.
I have not personally investigated the technical details of the specific allegations of the Lithuanian government, but what I have looked at myself is the fact that MIUI sends a lot of sensitive data to servers by a Chinese company. And that data can be easily accessed by an authoritarian state.
If that report you cite is accurate, I completely agree that this specific warning by the Lithuanian government is indeed not warranted, disingenuous and potentially intentionally misleading. But this does not change the fact that the conclusion that Chinese phones are indeed a security liability is entirely correct.
“No backdoor for the NSA” is quite debatable. For one, the NSA can just exploit any of the many vulnerabilities in such a phone instead of building in a back door. Second, if they do want a back door, they can just tamper with the device on the way to citizens of allied countries like they did with Cisco equipment. Third, MIUI is still based on Android, so any back door in Android, NSA or otherwise, would likely also be inside of MIUI. Not to mention the security holes and lack of adequate encryption of cellular networks.
Of course the Chinese are not the only ones engaging in spying, but unlike the USA (with their admittedly horrible track record with Assange, Snowden, drone strikes, death penalty etc.), China is ruled by an authoritarian government that engages in repression of dissent and independent media, hostage diplomacy and institutionalized large-scale human rights abuses, and this is no longer limited to their own citizens within their own borders.
That’s another threat level, particularly if you ever travel to China or any country that has an extradition agreement with them or are in a situation where they would want to intimidate you. Unlike NSA mass spying, which beyond the privacy violation generally only has real-world consequences for very few individuals, this is actually very likely to become a serious problem for ordinary citizens quite soon.
Also keep in mind that the data will likely be stored forever, and there is currently a massive push by the Chinese government to expand its influence internationally. So consider your choices in the context of what will be 10 years from now.
One thing that also has to be said: If security, rather than privacy, is your main concern, /e/ is likely not the optimal choice.
Of course, I would not recommend using smartphones from Chinese manufacturers with original operating systems. However, a Xiaomi phone running Lineage OS or /e/ without Google integration is more trustworthy than any other Android or Apple phone. The latter have recently made themselves impossible with their plan to search users’ private data for potentially criminal content.
Whether the data flow goes to Google and the NSA or to Xiaomi and the CPC is not that important. In general, the level of data protection, the user’s sovereignty over the device and the trustworthiness of the devices (keyword: open source and open hardware) must be improved.
I would agree that sovereignty and the availability of open source solutions is important, but in today’s world, it is impossible to control and audit every piece of a modern phone. Devices will inevitably consist of a collection of black-box modules from the USA, China and probably a hundred other countries.
Another issue is that even though a device may be trustworthy, the transmission standards may not be, and in many cases are deliberately weakened. There is not much point in privacy-proofing your phone if your phone calls, text messages and DNS requests are then sent unencrypted through the network, where the Chinese government can filter and reroute traffic with Huawei cellular base station hardware, Russia has a vulnerability in that base station that gives them access, the NSA has front-door access at many international internet exchanges, private advertising companies like Google and Facebook own the internet cables the data passes through on the way to the destination, and so on.
Therefore, strict privacy by design of the entire system, in a way that rogue components cannot endanger privacy and security, is essential in order for our data to remain private.