After a long day at work in the spring of 2020, cybersecurity expert Gabriel Cirlig enters his London flat. He is carrying a small, white box.

On his way home, Cirlig had seen an advertisement for the Redmi Note 8, the latest smartphone from the Chinese tech company Xiaomi. He told Follow the Money that he was particularly intrigued by the price-quality ratio: he didn’t trust it. It’s a beautiful, fast phone, with a good camera as well, but the new price is only £150. How can such a good phone cost so little?

Cirlig, who was listed on Romania’s Forbes 30 under 30 in 2018 for his work on cybersecurity, decided to buy the Redmi Note 8 right away. Once home, he subjects the device to the same procedure as all his other tech purchases: he dissects it.

Whether it is a laptop, smart TV, or a car: the Romanian meticulously deconstructs their underlying software and hardware. This is how he discovered in 2018, for example, that his car was spying on him.

Using a few technical tricks, Cirlig managed to gain insight into the data stream that his brand-new purchase sends out into the world. The result leaves him flabbergasted: the phone collects a massive amount of data about its user’s behaviour and sends it to China. When Cirlig subsequently investigates the software on several other Xiaomi devices, it turns out that they do the same thing.

Lithuaniana announced that Xiaomi’s devices contain serious security risks and asked its citizens to stop buying Chinese smartphones altogether

Cirlig’s investigation unleashed a privacy riot. Xiaomi – which initially denies the data leak – then comes up with an enhanced incognito mode that would guarantee users’ privacy. Cirlig, however, soon realises that this is a load of nonsense.

In September 2021, Xiaomi once again features negatively in the news. The Lithuanian Ministry of Defence announced that the manufacturer’s devices contain serious security risks and even called on citizens to stop buying Chinese-made smartphones altogether. Those who already have a Chinese smartphone should throw it away, according to Margiris Abukevicius, Deputy Minister of Defence.

Xiaomi devices are also sold in the Netherlands. For the time being, our government sees no reason to ban them. Meanwhile, experts argue in favour of an independent, in-house investigation into the potential risks of these phones, as reported by Follow the Money. What exactly is going on?

The rising star of Xiaomi

Within a few years, Xiaomi has become a dominant player in the international smartphone market. Their range is broad: Xiaomi makes everything from smart TVs and electric scooters to air fryers and security cameras. ‘If you want to, you can furnish your whole life with Xiaomi products,’ says Cirlig.

From 2019 onwards, Xiaomi rises rapidly: in that year, the US, under the Trump administration, imposes harsh measures on Xiaomi’s compatriot Huawei. Huawei’s market share crashes, and Xiaomi takes advantage of the situation.

And with success: in July 2021, the company takes up second place in the global smartphone market for the first time. They are positioned below Samsung but above Apple. A month later, Xiaomi – which has its Western European headquarters in the Netherlands – even takes the lead in the European market.

The brand’s phones distinguish themselves through their high quality and reasonable price. But there is a catch. Cirlig’s research shows that Xiaomi phones transmit all surfing behaviour on the built-in web browser in real-time. As soon as you open a page or perform a Google search, a message goes to Xiaomi’s servers, even after enabling the so-called incognito or private mode.

However, it does not stop there. The built-in news app transmits what articles you are reading and from which media outlets they originate. The built-in media player transmits the names of the songs and videos you play through it, both online and offline.

​‘Xiaomi devices know everything about you,’ says the Romanian. ‘What music you listen to, what folders you create, what you call them, the duration of your telephone calls, what you search for in your browser... They send it all on to China.’

Whether you change the user ID on your device, reset it to the factory settings or reinstall the operating system – nothing helps

​Moreover, that data stream contains all kinds of information that allow Xiaomi to easily tie your data together. Owners of a Xiaomi phone have access to Xiaomi’s own cloud storage service and app store: all you have to do is register with your e-mail address or social media account. But once you’ve logged in, the phone will send that user ID along with your browsing behaviour. That way, the company always knows which data comes from which user. Even after you have logged out, the phone continues to send this identification code.

Not only do the built-in apps and web browser send data, but the phone’s operating system also enthusiastically shares data with its parent company. In a report published last month, researchers from the universities of Edinburgh and Dublin took stock of what information various brands of Android phones transmit about their users. Here too, the Xiaomi phones are the worst of all. Xiaomi, Huawei, and Samsung sent the most data, but amongst these three, Xiaomi stands out because it collects the ‘most extensive data’ about user interaction with the device.

​The Xiaomi devices let the parent company know, for example, which apps are on your phone, when you use them, how long they are onscreen and when you send text messages. According to the researchers, Xiaomi can always keep track of you through the unique identification code physically embedded in the device. Whether you change the user ID on your device, reset it to the factory settings or reinstall the operating system – nothing helps.

‘A blatant violation of privacy’

Even if you instruct your phone via an ‘opt-out’ to not share your data, it will continue to send data to Xiaomi’s servers.

Privacy lawyer and researcher at the University of Amsterdam Ot van Daalen calls it ‘a blatant violation of European privacy regulations’. He explains that the data that Xiaomi collects via smartphones can be of a very sensitive nature: ‘Consider apps that help Muslims determine when they should pray, or gay dating apps. That is uterly personal information. You are not allowed to process such data at all, unless you have a good reason for doing so. Which, in this case, is not applicable.’

According to cyber experts, parties such as Xiaomi and Huawei collect this user data mainly for commercial reasons. However, once a Chinese company stores this data, the Chinese government can also access it, including that of non-Chinese users. Since 2017, China has had a cyber security law that accommodates this.

The Belgian State Security Service told Follow the Money that ‘every Chinese company, including Xiaomi, has to share data with the government when asked to do so. The degree of control is not always the same, but the option is constantly present.’ The Belgian State Security makes this even more concrete in a statement to the Belgian magazine De Tijd: ‘Companies the size of Huawei, Xiaomi, Oppo and OnePlus have a party committee of the Chinese Communist Party (CCP) present within the company. The task of such party cells is to ensure that the company follows the CCP’s policy guidelines.’

The Belgian State Security Service has already publicly warned against espionage via Chinese smartphones, including phones by Xiaomi. In July of this year, in response to parliamentary questions from the New Flemish Alliance (N-VA), the service told De Tijd in no uncertain terms: ‘We want to point out the potential espionage threat associated with the use of these devices.’

Xiaomi collects more and more sensitive data than other providers. This will not only affect individuals, Cirlig warns: ‘People often only consider their own privacy. They often pretend not to care that their data is shared. But the danger is not only limited to an individual’s personal data but also exists for all the people in your neighbourhood, your street, or your city. That combined data can be used to influence public opinion and even elections in a country or region.’

‘You can safely assume that if an intelligence service wants information, they will use all the tools at their disposal’

Cirlig recalls the Russian interference in the 2016 US presidential election and mentions EU foreign chief Josep Borell’s warning that the EU cannot withstand the amount of disinformation coming from China. In short: ‘If people value being able to continue to live as they do now and do not want to be constrained by influence from an external power, then they need to do something about it.’

In its 2020 annual report, the Dutch General Intelligence and Security Service (AIVD) also warns of the ‘global, large-scale collection of personal data by Chinese players’. According to AIVD, this includes travel, visa, passport, flight, telephone, and medical data. According to the Service, China uses this information to ‘create profiles of employees of companies and institutions that it wants to hack’. As these activities extend to ‘Dutch targets’, the AIVD refers to them as a ‘threat to our nation’s security’.

​According to IT security specialist Matthijs Koot, intelligence services often use data processed by private organisations. ‘You can safely assume that if an intelligence service wants information, they will use all the tools at their disposal.’ When asked whether the Chinese diaspora or renegades can be kept under surveillance this way, he replied: ‘You can never be sure. But in the case of authoritarian regimes, you have to assume that these kinds of options may be used for this kind of thing.’

Censorship

The Lithuanian Security Service found an additional problem with the Xiaomi phone that it investigated: software that censors information using keywords. The service discovered that Xiaomi system apps regularly and automatically downloaded the file ‘MiAdBlacklistConfig’ from a server in Singapore. On 27 September 2021, the file contained 1376 keywords (three times as many as in April 2021, when there were 449), including ‘World Uyghur Youth Conference’, ‘Free Tibet’, and ‘Yellow Peril’, but also ‘transgender’, ‘virgin, and ‘vaginas’. According to the researchers, this list enables the device to block ‘multimedia displayed on the device’ in a targeted manner.

It very much resembles a filter that blocks advertising and unwanted material, such as porn. However, the fact that it also includes political topics such as Tibet and Uyghurs is cause for concern.

According to security expert Koot, it is unclear how extensive the censorship might be: ‘The report provides no technical evidence that web pages can be blocked. Perhaps only advertisements are blocked. But even targeted blocking of advertisements, which includes political content ads, can in itself be an effective measure for influencing and censoring. That is bad enough.’

The censorship software has been disabled for the European market. However, it can be enabled remotely without the user noticing

The Lithuanian researchers established that the censorship software has been disabled for the European market. However, the software can be enabled remotely without the user noticing it. According to the Lithuanian researchers, this function poses a potential threat to free access to information in Lithuania and ‘in all other countries where Xiaomi devices are used’.

Xiaomi has since announced that it is commissioning an investigation into the findings concerning the censorship software. In Germany, supervisory authority Bundesamt für Sicherheit in der Informationstechnik (BSI) has now launched its own investigation into Xiaomi in response to the Lithuanian report.

Domestic investigation necessary

The Dutch government has not expressed an opinion as yet. In response to Queeny-Aimée Rajkowski’s (VVD) parliamentary questions, Minister Stef Blok of Economic Affairs and Climate wrote to the Lower House on 4 November that there is ‘currently no reason’ to adopt the Lithuanian advice to ban Chinese smartphones.

Blok reported that the Dutch Central Government has purchased sixty Xiaomi phones since 2018. These ‘are not used for business operations’ but were purchased ‘for technical, forensic or investigative research’. Whether Xiaomi is operating in violation of Dutch privacy laws or fundamental rights by passing on data or using its censorship software is something the minister leaves up to the relevant supervisory authorities.

The Netherlands is also keeping a low profile within the European Union. A letter that a Lithuanian MEP sent to the European Commission about the Chinese smartphones was signed by more than thirty MEPs from different countries. There was not a single Dutch MEP among them. Not because they are not critical, says MEP Bart Groothuis (VVD), but because the letter was drawn up in a ‘messy way’.

However, Groothuis, who previously headed the Dutch Cyber Security Agency at the Ministry of Defence, says: ‘Of course we should be worried about an autocratic country’s censorship that uses technology to gain an increasing influence over our freedoms. We should not be naive. China is placing more and more emphasis on obtaining information via telecommunications. Government-affiliated hacker groups are draining telecom providers worldwide on an ever-increasing scale. When you look at it that way, the question of whether they are using the ability to retrieve data from smartphone companies is a no-brainer.’

‘To protect ourselves against this, we must investigate the possibility of banning companies in this sector that do not act in accordance with our democratic values,’ says Groothuis. As far as Xiaomi is concerned, he argues for independent research, for example, by the National Cyber Security Centre (NCSC) or the National Bureau for Communications Security (NBV), but also for investigations by their European counterparts: ‘You first need investigations by security services from all over Europe. They must speak out. Only then can you take action.’

​But he stresses, ‘whatever measures you eventually take against Chinese parties, it is preferable to do it via Brussels. Because as a single country, you cannot interfere with the free, internal market – and you would be risking retaliation. Due to our close economic ties with China, the Netherlands is not as critical as the Lithuanians, Norwegians, and Swedes. They are much less economically dependent.’

However, Matthijs Koot is sceptical about the results of an investigation into Xiaomi. ‘If the Netherlands were to conduct an independent investigation, that would be a good thing, but if it is done, the results might not be published or not published in full, because of other interests related to China that come into play.’

For cybersecurity expert Gabriel Cirlig, the matter is crystal clear. If you want your data to stay safe, do not buy a Xiaomi. ‘It is spyware in a box.’ And ‘if the product is free, you are the product. If something seems too good to be true, it usually is.’

FTM heeft vragen uitgezet bij Xiaomi, de NCTV en de AIVD. Xiaomi was niet bereikbaar voor commentaar; de NCTV heeft toegezegd later op maandag nog met antwoorden te komen. We zullen het stuk updaten als we die antwoorden binnenhebben.

• Update maandag 8 november,16 uur: de reactie van de AIVD hebben we hieronder opgenomen.
• Update woensdag 10 november, 11:00: een weggevallen alinea (beginnend met ‘Maar, zo benadrukt hij...’) is op z’n plaats gezet.
• Update woensdag 17 november: een vertegenwoordiger van Xiaomi heeft een inhoudelijke reactie met ons gedeeld. We hebben deze reactie integraal opgenomen in het kader hieronder.