It seemed like Xiaomi's decision to migrate data from Beijing to the US and Singapore was in response to the recent IAF notification. However, Xiaomi has denied this completely.
"The process for data/server migration started in early 2014, part of this migration will be completed by the end of the year. We believe that this migration will help improve the performance of our services. It will also provide some peace of mind for users in India in ensuring that we treat their data with the utmost care and will always maintain the highest privacy standards," Manu Jain, head of Xiaomi's India operation, told IndianExpress.com.
IndianExpress.com had reported earlier that the advisory issued by IAF might be based on an old F-Secure privacy report. The same has been confirmed by Xiaomi now.
"We are not sure, but this might be some kind of misunderstanding. We do not have full information about the circular issued by IAF, however we believe that this advisory circular is based on events about 3 months back. We believe it refers to the F-Secure test done on the Redmi 1S in July 2014 about the activation of our Cloud Messaging service by default," said Jain.
F-Secure had confirmed, in a week, that Xiaomi had fixed the issues in its Redmi 1S smartphones through an update. "We immediately addressed the concerns raised by F-Secure. We scheduled an OTA system update on August 10, 2014 to implement a change, which ensured that all the users had to manually activate the Cloud services, instead of being activated by default. This change was directly acknowledged by F-Secure 4 days later, where they confirmed that their concerns were addressed," added Jain.
The same was confirmed by Su Gim Goh, Security Advisor, APAC, F-Secure during his visit to New Delhi on September 1.
If the IAF advisory is based entirely on the old F-Secure report, then it makes little sense now, as the issue has been confirmed as solved by the same software security company that first reported the privacy breach incident. The IAF advisory claims to be based on inputs from the Indian Computer Emergency Response Team (CERT-In). However, nothing specific has been mentioned.
The OTA update has now made Xiaomi's cloud services an opt-in feature, rather than a default one. Mi Cloud is turned off by default. Users must log in with their Mi accounts and manually turn on Mi Cloud. Users can also turn it off at any time.
Responding to the privacy concerns, Jain said, "Xiaomi never uploads photos, text messages, or any other data without the user's consent. The storage of data in Mi Cloud fully respects the local laws of each country and region. When the data is sent to the cloud, we take rigorous precautions to ensure that all data is secured when uploaded to Xiaomi servers and is not stored beyond the time required. Strict encryption algorithms are implemented to protect user privacy. This is no different from other cloud backup services. If users want, they can use cloud services from Google, Dropbox and many others."
Xiaomi is yet to reach out to IAF to get more clarity as to why the advisory was issued against using their smartphones. "We would be happy to talk to IAF to explain the entire situation to them. I am confident that we would be able to resolve any concerns / questions that they might be having," said Jain.