Xiaomi is accused of having, among other things, implemented a keyword filter system to censor certain content in its smartphones, according to a damning report released by the Lithuanian authorities, a country that has been under heavy diplomatic tension with China for several months.
News agencies such as Reuters reported the publication on Wednesday, September 22, of a report by the NCSC, the cybersecurity centre operating under the Lithuanian Ministry of Defense, on the security of 5G smartphones sold in Lithuania. The full report is available on the official NCSC website.
The Lithuanian Ministry of Defense has published on its official Twitter account a statement summarizing the findings of the NCSC report and thus the accusations against Xiaomi but also Huawei.
Lithuanian @cert_lt investigated 5G cell phones made by 🇨🇳 manufacturers Xiaomi, Huawei & OnePlus. The initial results of the investigation show some cyber and personal data security risks. Study was initiated to ensure the safe use of 5G mobile devices and software sold in 🇱🇹. pic.twitter.com/ukw7InzQAk— Lithuanian MOD (@Lithuanian_MoD) September 21, 2021
We have, of course, contacted Xiaomi Germany, and here is the company's statement on the matter:
Xiaomi devices do not censor communications to or from its users. Xiaomi has never restricted or blocked the personal behaviors of users of its smartphones, such as searching, calling, browsing the Internet or using third-party communication software, and never will. We respect and are committed to fully protecting the legal rights of our community. Xiaomi fully complies with the General Data Protection Regulation (GDPR) of the European Union.
Where do these accusations against Xiaomi come from?
Specifically, the report presents the findings of a cybersecurity investigation into Chinese 5G smartphones sold in Lithuania. The study covered three manufacturers, Xiaomi, Huawei and OnePlus, and one 5G model from each: the Xiaomi Mi 10T 5G, the Huawei P40 5G and the OnePlus 8T 5G.
The report goes on to say that the study focused on four main categories of cybersecurity risk, among them the security of the pre-installed applications, personal data leakage and restrictions on freedom of expression.
"A decomposition analysis performed on devices manufactured by Huawei, Xiaomi and OnePlus identified 10 instances of increased cybersecurity risk," the report reads. The NCSC conducted its tests on the European versions of each smartphone with the global ROM installed for each.
What is Xiaomi being accused of?
The NCSC first faults the manufacturer because some of its pre-installed applications "send statistical data on the activity of certain applications installed on the device to the servers of the Chinese cloud services provider Tencent, located in Singapore, the United States, the United Kingdom, the Netherlands, Germany and India."
But the NCSC's biggest gripe with Xiaomi is the implementation of a blacklist of keywords whose matching content can be censored. Xiaomi's native apps (Security, MiBrowser, Cleaner, MIUI Package Installer and Themes) reportedly download, at regular intervals, a configuration file called "MiAdBlacklistConfig", maintained and updated by the manufacturer, from a server located in Singapore.
This file contains a list of titles, names and other information about various religious and political groups and social movements (449 items were identified in the MiAdBlacklistConfig file during the investigation). According to the Lithuanian cybersecurity authority, this would allow Xiaomi's native apps to filter multimedia content based on the keywords in the blacklist and block it.
However, the report states that the content filtering feature has been disabled on Xiaomi phones sold in Lithuania and the EU in general. But it also claims that Xiaomi has the ability to enable the feature remotely.
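The security-relevant point in the three paragraphs above is the difference between a filter that is present and a filter that is active: if the blocklist is already on the device and the on/off switch lives on the vendor's server, "disabled" is a policy choice, not a missing capability. As an added illustration (not code from the report, from Xiaomi or from the apps it names), here is a small Python model of a remotely updated keyword blocklist with a server-side enable switch, together with the check an analyst would run on a fetched config. The JSON layout, field names and sample keywords are assumptions; the report does not document the real file format.

```python
from __future__ import annotations

import hashlib
import json
import re
import unicodedata

# Constructed sample of a remotely fetched blocklist config. The actual
# MiAdBlacklistConfig format is not described in the NCSC report; the JSON
# layout below (an "enabled" switch plus a "keywords" list) is an assumption
# used only to illustrate the mechanism.
SAMPLE_CONFIG = json.dumps({
    "version": 42,
    "enabled": False,                                   # the state the report describes for EU devices
    "keywords": ["Example Movement", "Sample Group"],   # placeholder terms, not from the report
})


def normalize(text: str) -> str:
    """Fold case and Unicode compatibility forms so matching is consistent."""
    return unicodedata.normalize("NFKC", text).casefold()


def load_config(raw: str) -> dict:
    """Parse a config blob and precompile a whole-word pattern for each keyword."""
    cfg = json.loads(raw)
    cfg["_patterns"] = [
        re.compile(r"\b" + re.escape(normalize(k)) + r"\b")
        for k in cfg.get("keywords", [])
    ]
    return cfg


def matched_keywords(cfg: dict, text: str) -> list[str]:
    """Keywords occurring in `text`, evaluated regardless of the enable switch."""
    norm = normalize(text)
    return [k for k, p in zip(cfg.get("keywords", []), cfg["_patterns"]) if p.search(norm)]


def filter_content(cfg: dict, items: list[str]) -> tuple[list[str], list[str]]:
    """Split items into (kept, blocked). Nothing is blocked while the switch is
    off, but the matching code path exists and runs either way."""
    kept, blocked = [], []
    for item in items:
        if cfg.get("enabled") and matched_keywords(cfg, item):
            blocked.append(item)
        else:
            kept.append(item)
    return kept, blocked


def config_fingerprint(cfg: dict) -> str:
    """Stable hash of the keyword set, for spotting changes between downloads."""
    canonical = json.dumps(sorted(cfg.get("keywords", [])), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def assess(cfg: dict) -> dict:
    """What an analyst wants from a fetched config: is the capability present,
    and is it currently active?"""
    keywords = cfg.get("keywords", [])
    return {
        "keyword_count": len(keywords),
        "capability_present": len(keywords) > 0,
        "filter_active": bool(cfg.get("enabled")),
        "fingerprint": config_fingerprint(cfg),
    }


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(assess(cfg))
    cfg["enabled"] = True          # simulate the server flipping the switch
    print(filter_content(cfg, ["Example Movement rally", "Weather report"]))
```

Run against a freshly fetched config, `assess` reports `capability_present` as true and `filter_active` as false for the state the report describes; flipping a single server-controlled field turns the same device into a content filter without any app update, and the fingerprint lets you notice when the keyword list itself changes between downloads.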
The report also raises concerns about the amount of data collected by MiBrowser and about an encrypted SMS sent from the user's device when registering for Xiaomi's cloud service. In the latter case, the agency sees a risk of personal data leakage, since there is no way to know exactly what the message contains.
Are these accusations against Xiaomi true?
A new scandal for Xiaomi over privacy and confidentiality? Or a politically motivated accusation, driven by tensions between two countries that have been clashing since this summer over Taiwan? It is hard to say what the intent and the possible consequences of the revelations by the NCSC, the Lithuanian National Cyber Security Centre, are.
But before we get into speculation, let's establish some facts (because I can see the MiFans coming). The NCSC is a cybersecurity authority that operates under the Lithuanian Ministry of Defense. So we are not talking about a report from a private agency with private interests, but from a public body of a state, Lithuania, which has been a member of the European Union since 2004.
The NCSC report also echoes a declaration by the European Council on 19 July calling on the Chinese authorities, on behalf of the EU and its member states, to take action against cyberattacks on Europe from China.
So it was necessary to lay that groundwork so that we can all agree the NCSC report is not a simple pamphlet dashed off by a private company with a potential conflict of interest.
The grey areas of the Lithuanian NCSC report
It should be kept in mind that this report comes at a time when diplomatic tensions between Lithuania and China are at their highest. The two countries are at loggerheads over Taiwan, and over the relationship the European state maintains with it; China considers Taiwan an integral part of its territory and refuses to recognize its status.
China also imposed economic sanctions on Lithuania last August. Personally, I find it hard not to assume that the publication of the NCSC report a little less than a month after China's economic sanctions is timely, to say the least.
It is also worth noting that most Android manufacturers ship pre-installed apps on their smartphones; this is not exclusive to Xiaomi. And all of these apps analyze, to a greater or lesser extent, what the user does on the device. Even Apple has been scanning your photos for at least a year, which says it all. On the other hand, we should remember that Xiaomi was called out last year over personal data collection by its Mi Browser.
The fact that the now-famous file of banned keywords is called "MiAdBlacklistConfig" may also raise doubts about the intention behind this blacklist. The "Ad" may very well refer to advertising, and we know that Xiaomi offers options to filter the ads it displays itself in its own interface.
Finally, consider Huawei. The manufacturer is accused of redirecting its users to third-party APK stores when a desired app is not found on the AppGallery, and many of these third-party stores contain malicious apps. But the report does not seem to take into account that Huawei has no choice, and that this state of affairs is a consequence of the US embargo that Huawei has been under for almost three years now.
Article updated at 11:50 AM (EDT) with the official statement from Xiaomi Germany.