Xiaomi Responds to Indian Air Force Circular Branding it a Security Threat

by: - Last updated on: October 23rd, 2014

Earlier today, a report from The Sunday Standard started making rounds on the Twitterverse citing Indian Air Force (IAF) circular branding Xiaomi a security threat. The circular was apparently sent by IAF to its personnel and their family members, warning them not to use the handsets and devices manufactured by the emerging tech giant. Xiaomi has responded by dismissing the concerns.


In its circular, the IAF had accused Xiaomi of sending user data to remote servers located in China. The note was prepared by the intelligence unit based on the inputs from Indian Computer Emergency Response Team (CERT-In), and quotes several reports in the past which have put question marks over Xiaomi’s handling of user’s private data.

“F-secure, a leading security solution company, recently carried out a test of Xiaomi Redmi 1s, the company’s budget smartphone, and found that the phone was forwarding carrier name, phone number, IMEI (the device identifier) plus numbers from address book and text messages back to Beijing,” the IAF note says.

Speaking to Technology Personalized, Manu Jain, general manager and head of India operations of Xiaomi, tried to defend the company and clarify few things.

First of all – we are extremely cautious about protecting user data; we are 100% compliant with all local laws, including the ones related to data security.

This is pretty similar to what Xiaomi has been saying ever since the concerns broke out earlier this year. Manu went on to say:

We offer various internet based services such as Mi Cloud, cloud based message etc., which require data to be stored in the cloud. However, we take rigorous steps to ensure that the data is encrypted and secured while being sent to the server, and is not stored beyond the time required. In fact, we made changes to our system to ensure that Mi Cloud is by default deactivated, and does not send data to servers automatically. Only when a consumer consciously activates Mi Cloud services, the data is backed-up.

The changes he mentions above came right after F-secure’s report in August this year which IAF cites in its note. Below are the two blog posts from Hugo Barra, Xiaomi’s global face, which details the changes made.

July 30, 2014 – https://plus.google.com/+HugoBarra/posts/9GL9h2fT8H6
August 20, 2014 – https://plus.google.com/+HugoBarra/posts/bkJTXzyXXmj

F-secure clarified in a following report that the OTA released by Xiaomi had in fact addressed the privacy concerns, specifically the one which revolved around Mi Cloud messaging service.

We are not sure when exactly the IAF note was released, but it doesn’t include the references to the changes made by the company since August this year.

Interestingly, Hugo Barra has just posted about Xiaomi’s decision to move its data centers and servers outside of China. Is it a mere co-incidence or was Xiaomi forced to announce this after the news about IAF note got publicized? Your guess is as good as mine. In his post, Hugo Barra explains-

In early 2014, we kicked off a massive internal effort to expand our server infrastructure globally in order to better serve Mi fans everywhere… Our primary goal in moving to a multi-site server architecture was to improve the performance of our services for Mi fans around the world, cut down latency and reduce failure rates. At the same time, it also better equips us to maintain high privacy standards and comply with local data protection regulations.

Xiaomi is planning the server and data migration process across three phases – E-commerce migration, MIUI services migration and local data centers. To achieve this, Xiaomi is looking to move the data servers to Amazon Web Services (AWS) based in California, USA. By end of this year, MIUI services and corresponding data of all non-Chinese users are expected to be moved from Beijing to Amazon AWS data centers in Oregon (USA) and Singapore.

This is a significant move to address the privacy concerns of users. Indian market is pretty significant for Xiaomi and they just can’t carry on with security and privacy concerns hanging above their head. It is true that the company has responded fast to release fix for most of these issues, but hasn’t really managed to explain or defend itself as to why such an issue was present in the first place. Currently, the company is facing cyber security investigation in Taiwan for similar reasons.

Under the law in mainland China, firms storing data on China’s soil are to comply with any data requests from the government. By moving the data completely away from Chinese territories, Xiaomi will exhibit the seriousness associated with such issues.

Although, it has kicked off its Indian operations in style, Xiaomi has a huge task at hand to get rid of its Chinese tags completely and looked upon as a global company. As per Hugo Barra, in 2015, the company is planning to work with local data center providers to completely localize the server infrastructure particularly in India and Brazil. In addition to speeding up the service for users in these markets, it can hopefully cut off the Chinese angle, at least to an extent. Mere talks about valuing data security of users just won’t cut it. Real actions as planned above are much needed.

Weekly Newsletter

Sign up for a specially curated Tech Newsletter.


Leave a Reply

Your email address will not be published.

  1. I would never trust anyone with data. For Xiomi, I would not trust chinese company at all for that matter. Infact, dingt trust any company. They all are doing many hidden things and claiming very innocent being.
    You just know it yet.

      1. Nope. I did not say that I am very particular abt what settings I do on my phone. Your making wrong inference and assumptions.

        I meant that all company are spying in one way or the other.Specifically for Xiomi, I find it more suspicious that it is sending data but it did not disclose it until f0secure security company revealed it.

        1. if one doesn’t want his data to be shared then he shouldn’t use cloud services offered.why such allegations not on google drive,skydrive,dropbox and only on xiaomi just cz its a chinese phone and having their servers in china? all these other service providers are doing this for years but no one complains.

  2. My Question is for Xiomi : How will you deny the fact that ip is not a Chinese Server and a connection is always “ESTABLISH” when running on WiFi or 3G

    A week ago i could see pointing to Chinese server with proper street level address , but now that information is not showing , at least to general public.

    we (Indians) wish these Questions should be answered by Xiomi…
    What data is getting transferred to this IP?
    Are you changing the Global Database to reveal the truth…?
    If you are not sending any data to Chinese server , Why would you require to change the “Whois” information of this IP address?
    Where MIUI Cloud services storing Data?