Slashdot Mirror


China Smartphone Maker Xiaomi Apologizes For Unauthorized Data Access

SpzToid writes: Following up an earlier story here on Slashdot, now Xiaomi has apologized for collecting private data from its customers. From the article: "Xiaomi Inc said it had upgraded its operating system to ensure users knew it was collecting data from their address books after a report by a computer security firm said the Chinese budget smartphone maker was taking personal data without permission. The privately held company said it had fixed a loophole in its cloud messaging system that had triggered the unauthorized data transfer and that the operating system upgrade had been rolled out on Sunday. The issue was highlighted last week in a blog post by security firm F-Secure Oyj. In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologized for the unauthorized data collection and said the company only collects phone numbers in users' address books to see if the users are online."


  1. Apologies not accepted by Virtucon · · Score: 4, Insightful

    Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Apologies not accepted by Anonymous Coward · · Score: 3, Insightful

      Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

      Seems the only "Fuckwads" around here are us dumbass consumers who actually think that all those free apps we download wouldn't dare do the exact same fucking thing.

      The only real difference is you blindly agreed to the spying in the EULA you didn't bother to read.

    2. Re:Apologies not accepted by 0123456 · · Score: 4, Insightful

      Of course, if the operating system actually had real user-level security controls, the apps wouldn't be able to do that.

      I can't see myself buying another Android device so long as they expect me to allow pretty much every possible permission for every piece of crap app that doesn't even need half of them.

    3. Re:Apologies not accepted by LordLimecat · · Score: 3, Interesting

      Cyanogenmod allows you to "accept" apps that ask for all sorts of non-core access, and then revoke it afterwards. The app can attempt to access your address book, but it will get blocked.

      Of course I haven't had to use it, because I generally don't run into issues with apps asking for insane levels of access. Maybe it's the apps you're using?

    4. Re:Apologies not accepted by mlts · · Score: 2

      The one nice thing about Android (assuming a rooted device) is the ability to turn on and use Linux's iptables to prevent apps from phoning home. After that, Xposed and XPrivacy are good (although the interface is nowhere as nice as Protect My Privacy from Cydia on iOS) to enforce restrictions on apps that ask for more than they should.

      It would be nice if XPrivacy would fake data like PMP does, so if an app asks for GPS info, it will get GPS info, but not anything useful, or if an app asks for contacts on the phone, it gets random sets of garbage.

    5. Re:Apologies not accepted by Anonymous Coward · · Score: 4, Insightful

      No, it wasn't lazy programming. It was broken by design.

      From the blog post:

      "A: For those interested in specific details about the MIUI Cloud Messaging implementation:

      - The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device's online status."

      That's not a programming mistake.

    6. Re:Apologies not accepted by mlts · · Score: 2

      Android can firewall by app, so my AWS program can access what it needs, while another app with more nefarious intentions can be blocked.

      No, this isn't a cure for anything. In fact, it is a last resort. XPrivacy is the best solution for starters, as it will prompt when an app tries to use a permission, and you can allow or deny it. It would be nice to have a "fake" option, so the app -thinks- it has full permissions to do something... but in reality, it is being fed bogus data.

  2. As the quote says... by x0ra · · Score: 4, Insightful

    "It's easier to ask forgiveness than it is to get permission." ...

  3. Please excuse us by phorm · · Score: 5, Insightful

    We'll try to hide it better next time...

  4. There Ain't No Such Thing As... by rodrigoandrade · · Score: 4, Insightful

    A cheap high end smartphone. Apple couldn't do it, Nokia couldn't do it, Blackberry couldn't do it, Samsung couldn't do it, etc.

    If you're not paying with dollars, you're paying with something else...

  5. This does not make sense by 93+Escort+Wagon · · Score: 4, Insightful

    In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologized for the unauthorized data collection and said the company only collects phone numbers in users' address books to see if the users are online.

    I realize there is some translation going on here, and that can sometimes lead to misinterpretation - but in what context can this possibly make any sense? Collecting phone numbers from your address book to see if you're online? Seriously?

    --
    #DeleteChrome
    1. Re:This does not make sense by maroberts · · Score: 3, Insightful

      Well, in a roundabout way of thinking, it's one of the simplest tests you can do to see if the phone can be accessed over the intertubes. All phones will have a contacts list/address book, so this will be supported by all Android phones.

      Of course, when you think about it however, you realize that it's more than a little absurd and creepy.

      --

      Donte Alistair Anderson Roberts - hi son!
      Karma: Chameleon

  6. More flies with honey... by Etherwalk · · Score: 4, Interesting

    Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

    When an institution or a person does something right, I find it useful to commend them for it.

    There may be many other things they can do right in the future, that they are doing wrong now. And there may be things done in the past that were profoundly wrong.

    But they've still done a good thing.

    In the United States, communications professionals (and the people they coach, like our politicians) avoid admitting when they are wrong, avoid even *engaging* in serious discussion, precisely because people so easily latch onto any words acknowledging another position and turn it into a sound bite. Attacking people who do the right thing for not doing more encourages them *not* to do the right thing in the first place.

    Here, a company admitted it was wrong and apologized. It may or may not be disinformation to distract us from spying on behalf of the Chinese Government; and the company may or may not still be doing things we consider wrong. But the company's message was the right one, and they deserve praise for taking responsibility for a foul-up and acting to correct it.

    1. Re:More flies with honey... by Anonymous Coward · · Score: 2, Insightful

      This is the stupidest logic I've read in a long time. It's like saying that if I apologize after raping you, then you shouldn't be angry at me for raping you. I mean, I apologized right! No harm, no foul.