Phones from the Chinese brand Xiaomi offer excellent specifications at a reasonable price. The downside: the devices send private data on a large scale to servers in China, which the Chinese government can read. Lithuania calls for the devices to be scrapped; the Netherlands keeps silent.
- What is all this about?
Smartphones from Chinese brand Xiaomi massively share user data with the company’s servers, including data of European users. The Chinese government can access this data.
Lithuanian researchers also discovered censorship software in a Xiaomi model. It has been disabled for Europe but can be enabled remotely. Dutch cybersecurity experts call for a thorough investigation of these phones but fear that the Netherlands will refrain from doing so – because of our economic dependence on China.
- How did we go about investigating this?
We read that the Lithuanian government warned its citizens about Xiaomi phones, which triggered our curiosity. Are those models sold in the Netherlands as well? Why hasn’t such a warning been issued here? We spoke extensively with cybersecurity experts at home and abroad and with a member of the European Parliament specialising in this issue, and we read several articles and reports on the matter.
- US tech companies also tap our data. Why is this different?
In China, companies are legally obliged to share user data with the government upon request. China also has a weaker separation between private and government parties. For example, companies often have a party committee that ensures that companies follow the line of the Chinese Communist Party.
In the United States, the government can also force companies to share data. But this is preceded by a system of checks and balances. Bart Groothuis, Member of the European Parliament for the VVD and previously head of the Cyber Security Bureau of the Ministry of Defence, told Follow the Money: ‘In the United States, this concerns legislation embedded in a democratic constitutional state, where each request from a government service goes through the courts. Moreover, the US does not have an offensive espionage programme against the Netherlands. Countries like China, Russia and Iran do.’
After a long day at work in the spring of 2020, cybersecurity expert Gabriel Cirlig enters his London flat. He is carrying a small, white box.
On his way home, Cirlig had seen an advertisement for the Redmi Note 8, the latest smartphone from the Chinese tech company Xiaomi. He told Follow the Money that he was particularly intrigued by the price-quality ratio: he didn’t trust it. It’s a beautiful, fast phone, with a good camera as well, but the new price is only £150. How can such a good phone cost so little?
Cirlig, who was listed on Romania’s Forbes 30 under 30 in 2018 for his work on cybersecurity, decided to buy the Redmi Note 8 right away. Once home, he subjects the device to the same procedure as all his other tech purchases: he dissects it.
Whether it is a laptop, smart TV, or a car: the Romanian meticulously deconstructs their underlying software and hardware. This is how he discovered in 2018, for example, that his car was spying on him.
Using a few technical tricks, Cirlig managed to gain insight into the data stream that his brand-new purchase sends out into the world. The result leaves him flabbergasted: the phone collects a massive amount of data about its user’s behaviour and sends it to China. When Cirlig subsequently investigates the software on several other Xiaomi devices, it turns out that they do the same thing.
The Lithuanian Ministry of Defence announced that Xiaomi’s devices contain serious security risks and even called on citizens to stop buying Chinese smartphones altogether
Cirlig’s investigation unleashed a privacy riot. Xiaomi – which initially denies the data leak – then comes up with an enhanced incognito mode that would guarantee users’ privacy. Cirlig, however, soon realises that this is a load of nonsense.
In September 2021, Xiaomi once again features negatively in the news. The Lithuanian Ministry of Defence announced that the manufacturer’s devices contain serious security risks and even called on citizens to stop buying Chinese-made smartphones altogether. Those who already have a Chinese smartphone should throw it away, according to Margiris Abukevicius, Deputy Minister of Defence.
Xiaomi devices are also sold in the Netherlands. For the time being, our government sees no reason to ban them. Meanwhile, experts argue in favour of an independent, in-house investigation into the potential risks of these phones, as reported by Follow the Money. What exactly is going on?
The rising star of Xiaomi
Within a few years, Xiaomi has become a dominant player in the international smartphone market. Their range is broad: Xiaomi makes everything from smart TVs and electric scooters to air fryers and security cameras. ‘If you want to, you can furnish your whole life with Xiaomi products,’ says Cirlig.
From 2019 onwards, Xiaomi rises rapidly: in that year, the US, under the Trump administration, imposes harsh measures on Xiaomi’s compatriot Huawei. Huawei’s market share crashes, and Xiaomi takes advantage of the situation.
And with success: in July 2021, the company takes up second place in the global smartphone market for the first time. They are positioned below Samsung but above Apple. A month later, Xiaomi – which has its Western European headquarters in the Netherlands – even takes the lead in the European market.
The brand’s phones distinguish themselves through their high quality and reasonable price. But there is a catch. Cirlig’s research shows that Xiaomi phones transmit all surfing behaviour on the built-in web browser in real-time. As soon as you open a page or perform a Google search, a message goes to Xiaomi’s servers, even after enabling the so-called incognito or private mode.
However, it does not stop there. The built-in news app transmits what articles you are reading and from which media outlets they originate. The built-in media player transmits the names of the songs and videos you play through it, both online and offline.
‘Xiaomi devices know everything about you,’ says the Romanian. ‘What music you listen to, what folders you create, what you call them, the duration of your telephone calls, what you search for in your browser... They send it all on to China.’
Whether you change the user ID on your device, reset it to the factory settings or reinstall the operating system – nothing helps
Moreover, that data stream contains all kinds of information that allow Xiaomi to easily tie your data together. Owners of a Xiaomi phone have access to Xiaomi’s own cloud storage service and app store: all you have to do is register with your e-mail address or social media account. But once you’ve logged in, the phone will send that user ID along with your browsing behaviour. That way, the company always knows which data comes from which user. Even after you have logged out, the phone continues to send this identification code.
Not only do the built-in apps and web browser send data, but the phone’s operating system also enthusiastically shares data with its parent company. In a report published last month, researchers from the universities of Edinburgh and Dublin took stock of what information various brands of Android phones transmit about their users. Here too, the Xiaomi phones are the worst of all. Xiaomi, Huawei, and Samsung sent the most data, but amongst these three, Xiaomi stands out because it collects the ‘most extensive data’ about user interaction with the device.
The Xiaomi devices let the parent company know, for example, which apps are on your phone, when you use them, how long they are onscreen and when you send text messages. According to the researchers, Xiaomi can always keep track of you through the unique identification code physically embedded in the device. Whether you change the user ID on your device, reset it to the factory settings or reinstall the operating system – nothing helps.
‘A blatant violation of privacy’
Even if you instruct your phone via an ‘opt-out’ to not share your data, it will continue to send data to Xiaomi’s servers.
Privacy lawyer and researcher at the University of Amsterdam Ot van Daalen calls it ‘a blatant violation of European privacy regulations’. He explains that the data that Xiaomi collects via smartphones can be of a very sensitive nature: ‘Consider apps that help Muslims determine when they should pray, or gay dating apps. That is uterly personal information. You are not allowed to process such data at all, unless you have a good reason for doing so. Which, in this case, is not applicable.’
"Every Chinese company, including Xiaomi, has to share data with the government when asked to do so"
According to cyber experts, parties such as Xiaomi and Huawei collect this user data mainly for commercial reasons. However, once a Chinese company stores this data, the Chinese government can also access it, including that of non-Chinese users. Since 2017, China has had a cyber security law that accommodates this.
The Belgian State Security Service told Follow the Money that ‘every Chinese company, including Xiaomi, has to share data with the government when asked to do so. The degree of control is not always the same, but the option is constantly present.’ The Belgian State Security makes this even more concrete in a statement to the Belgian magazine De Tijd: ‘Companies the size of Huawei, Xiaomi, Oppo and OnePlus have a party committee of the Chinese Communist Party (CCP) present within the company. The task of such party cells is to ensure that the company follows the CCP’s policy guidelines.’
The Belgian State Security Service has already publicly warned against espionage via Chinese smartphones, including phones by Xiaomi. In July of this year, in response to parliamentary questions from the New Flemish Alliance (N-VA), the service told De Tijd in no uncertain terms: ‘We want to point out the potential espionage threat associated with the use of these devices.’
Xiaomi collects more and more sensitive data than other providers. This will not only affect individuals, Cirlig warns: ‘People often only consider their own privacy. They often pretend not to care that their data is shared. But the danger is not only limited to an individual’s personal data but also exists for all the people in your neighbourhood, your street, or your city. That combined data can be used to influence public opinion and even elections in a country or region.’
‘You can safely assume that if an intelligence service wants information, they will use all the tools at their disposal’
Cirlig recalls the Russian interference in the 2016 US presidential election and mentions EU foreign chief Josep Borell’s warning that the EU cannot withstand the amount of disinformation coming from China. In short: ‘If people value being able to continue to live as they do now and do not want to be constrained by influence from an external power, then they need to do something about it.’
In its 2020 annual report, the Dutch General Intelligence and Security Service (AIVD) also warns of the ‘global, large-scale collection of personal data by Chinese players’. According to AIVD, this includes travel, visa, passport, flight, telephone, and medical data. According to the Service, China uses this information to ‘create profiles of employees of companies and institutions that it wants to hack’. As these activities extend to ‘Dutch targets’, the AIVD refers to them as a ‘threat to our nation’s security’.
According to IT security specialist Matthijs Koot, intelligence services often use data processed by private organisations. ‘You can safely assume that if an intelligence service wants information, they will use all the tools at their disposal.’ When asked whether the Chinese diaspora or renegades can be kept under surveillance this way, he replied: ‘You can never be sure. But in the case of authoritarian regimes, you have to assume that these kinds of options may be used for this kind of thing.’
The Lithuanian Security Service found an additional problem with the Xiaomi phone that it investigated: software that censors information using keywords. The service discovered that Xiaomi system apps regularly and automatically downloaded the file ‘MiAdBlacklistConfig’ from a server in Singapore. On 27 September 2021, the file contained 1376 keywords (three times as many as in April 2021, when there were 449), including ‘World Uyghur Youth Conference’, ‘Free Tibet’, and ‘Yellow Peril’, but also ‘transgender’, ‘virgin, and ‘vaginas’. According to the researchers, this list enables the device to block ‘multimedia displayed on the device’ in a targeted manner.
It very much resembles a filter that blocks advertising and unwanted material, such as porn. However, the fact that it also includes political topics such as Tibet and Uyghurs is cause for concern.
According to security expert Koot, it is unclear how extensive the censorship might be: ‘The report provides no technical evidence that web pages can be blocked. Perhaps only advertisements are blocked. But even targeted blocking of advertisements, which includes political content ads, can in itself be an effective measure for influencing and censoring. That is bad enough.’
The censorship software has been disabled for the European market. However, it can be enabled remotely without the user noticing
The Lithuanian researchers established that the censorship software has been disabled for the European market. However, the software can be enabled remotely without the user noticing it. According to the Lithuanian researchers, this function poses a potential threat to free access to information in Lithuania and ‘in all other countries where Xiaomi devices are used’.
Xiaomi has since announced that it is commissioning an investigation into the findings concerning the censorship software. In Germany, supervisory authority Bundesamt für Sicherheit in der Informationstechnik (BSI) has now launched its own investigation into Xiaomi in response to the Lithuanian report.
The Lithuanian Security Services’ fierce opposition towards certain Chinese phones does not come as a surprise. China and Lithuania have been feuding for some months now.
It is caused by Lithuania’s close ties with Taiwan, which it recently expanded. China sees Taiwan as a part of China, although the island itself thinks differently. Lithuania does not go so far as to recognise Taiwan as a sovereign state, but it will soon be the first European country to have an official permanent representative from the island. It has also received government representatives from Taiwan.
China is furious about this. Member of Parliament Matas Maldeikis recently said in Nieuwsuur, which described him as ‘the Taiwanese’s best friend in the Lithuanian parliament’: ‘No country in the world can dictate who you should have deals with, who you should communicate with and who you should have commercial ties with.’
The Chinese ambassador immediately left Lithuania, and Beijing asked the Lithuanian ambassador to leave China. After the Lithuanian investigation into Xiaomi phones, China announced economic sanctions against Lithuanian companies.
Domestic investigation necessary
The Dutch government has not expressed an opinion as yet. In response to Queeny-Aimée Rajkowski’s (VVD) parliamentary questions, Minister Stef Blok of Economic Affairs and Climate wrote to the Lower House on 4 November that there is ‘currently no reason’ to adopt the Lithuanian advice to ban Chinese smartphones.
Blok reported that the Dutch Central Government has purchased sixty Xiaomi phones since 2018. These ‘are not used for business operations’ but were purchased ‘for technical, forensic or investigative research’. Whether Xiaomi is operating in violation of Dutch privacy laws or fundamental rights by passing on data or using its censorship software is something the minister leaves up to the relevant supervisory authorities.
The Netherlands is also keeping a low profile within the European Union. A letter that a Lithuanian MEP sent to the European Commission about the Chinese smartphones was signed by more than thirty MEPs from different countries. There was not a single Dutch MEP among them. Not because they are not critical, says MEP Bart Groothuis (VVD), but because the letter was drawn up in a ‘messy way’.
"Due to our close economic ties with China, the Netherlands is not as critical as the Lithuanians, Norwegians, and Swedes"
However, Groothuis, who previously headed the Dutch Cyber Security Agency at the Ministry of Defence, says: ‘Of course we should be worried about an autocratic country’s censorship that uses technology to gain an increasing influence over our freedoms. We should not be naive. China is placing more and more emphasis on obtaining information via telecommunications. Government-affiliated hacker groups are draining telecom providers worldwide on an ever-increasing scale. When you look at it that way, the question of whether they are using the ability to retrieve data from smartphone companies is a no-brainer.’
‘To protect ourselves against this, we must investigate the possibility of banning companies in this sector that do not act in accordance with our democratic values,’ says Groothuis. As far as Xiaomi is concerned, he argues for independent research, for example, by the National Cyber Security Centre (NCSC) or the National Bureau for Communications Security (NBV), but also for investigations by their European counterparts: ‘You first need investigations by security services from all over Europe. They must speak out. Only then can you take action.’
But he stresses, ‘whatever measures you eventually take against Chinese parties, it is preferable to do it via Brussels. Because as a single country, you cannot interfere with the free, internal market – and you would be risking retaliation. Due to our close economic ties with China, the Netherlands is not as critical as the Lithuanians, Norwegians, and Swedes. They are much less economically dependent.’
However, Matthijs Koot is sceptical about the results of an investigation into Xiaomi. ‘If the Netherlands were to conduct an independent investigation, that would be a good thing, but if it is done, the results might not be published or not published in full, because of other interests related to China that come into play.’
For cybersecurity expert Gabriel Cirlig, the matter is crystal clear. If you want your data to stay safe, do not buy a Xiaomi. ‘It is spyware in a box.’ And ‘if the product is free, you are the product. If something seems too good to be true, it usually is.’
FTM heeft vragen uitgezet bij Xiaomi, de NCTV en de AIVD. Xiaomi was niet bereikbaar voor commentaar; de NCTV heeft toegezegd later op maandag nog met antwoorden te komen. We zullen het stuk updaten als we die antwoorden binnenhebben.
- Update maandag 8 november,16 uur: de reactie van de AIVD hebben we hieronder opgenomen.
- Update woensdag 10 november, 11:00: een weggevallen alinea (beginnend met ‘Maar, zo benadrukt hij...’) is op z’n plaats gezet.
- Update woensdag 17 november: een vertegenwoordiger van Xiaomi heeft een inhoudelijke reactie met ons gedeeld. We hebben deze reactie integraal opgenomen in het kader hieronder.
On Tuesday 16 November, more than a week after the deadline, Xiaomi sent this reponse:
Xiaomi ("we") is aware of the "Cybersecurity assessment of 5G-enabled mobile devices" report ("The Report"), which was recently published by the Cybersecurity and Information Authority of Lithuania (NCSC). We take the allegations made in the report seriously. While we dispute the characterization of certain findings, we are engaging an independent third party expert to assess the points raised in the report. We are confident in the integrity of our devices and compliance practices of our business, and we believe a third party will verify this for our users and partners.
Specifically, Xiaomi would like to address two major concerns raised in the report:
1. Alleged Censorship
Xiaomi's devices do not restrict or filter communications to or from our users. Xiaomi has never and will never restrict or block any personal behaviors of our smartphone users, such as searching, calling, web browsing or the use of third-party communication software. The NCSC report does not allege that we do so.
The report points to Xiaomi's use of advertising management software that has the limited ability to manage paid and push advertising delivered to devices through Xiaomi apps such as Mi Video and Mi Browser. This can be used to shield users from offensive content, such as pornography, violence, hate speech, and references that may offend local users. This practice is common in the smartphone and internet industry worldwide.
We review our advertisement management system policies from time to time to ensure they meet the needs and expectations of our users.
Xiaomi is committed to operating responsibly and transparently across all jurisdictions. We are committed to constant improvement and innovation, and welcome engagement with users, regulators and other interested stakeholders.
2. Data Processing and Data Transfer
The report also wrongly suggests inappropriate data stewardship. In fact, Xiaomi is fully compliant with all requirements of GDPR, including handling, processing and transfer of end-user data. Our compliance applies to all systems, apps and services. Any use of personal data is contingent on the valid consent of the end-user and is always in accordance with local or regional laws and regulations of the European Union and its Member States.
Xiaomi operates in accordance with ISO/IEC 27001 Information Security Management Standards and the ISO/IEC 27701 Privacy Information Management System. Xiaomi has also received Enterprise Privacy Certification from TrustArc on a yearly basis since 2016. This ensures the best possible privacy and security protections for the end-user.
Xiaomi would like to emphasize once again, that we are committed to the privacy and security of our users. We operate with the highest standards and comply with all local and regional regulations.
 See Article 13 Controversial Content of Facebook Ads policies, available at https://www.facebook.com/policies/ads/; Political Content Clause of Google Ads policies, available athttps://support.google.com/adspolicy/answer/6008942