After the serious accusations made by a cybersecurity agency of Lithuania last week, Xiaomi released a statement on Monday (27) in which it denied the points raised in the report and that it has hired an independent audit to investigate the allegations by the Lithuanian National Cyber Security Center (NCSC),
- Xiaomi questions the allegations in the Lithuanian report and says it has hired an independent audit;
- Company was accused by Lithuanian agency of including tool that could censor content;
- Manufacturer states that it follows the stipulations of the European data protection law (GDPR).
The NCSC cybersecurity report evaluated 5G devices from three Chinese manufacturers - Xiaomi, Huawei and OnePlus - and claims that the Xiaomi Mi 10T 5G device includes a word filter that could be used for censorship in apps, containing terms linked to political and social groups.
The NCSC report itself, however, makes it clear that the filter is not activated on models sold in Europe. The response of Xiaomi in turn, does not deny the presence of the word list - that according to the Lithuanian agency is distributed in a file named "MiAdBlacklistConfig". But the manufacturer explains that it uses a term management system that "can be used to protect users from inappropriate content such as pornography, violence, hate speech and references that may be offensive to local users".
Xiaomi said in the press release that it is seeking an independent expertise to disprove the points raised by the NCSC, but did not say when it expects the analysis to be released. In addition, the manufacturer emphasized that respects the standards of treatment of personal data in Europe - gathered in the general law of data protection (GDPR, or RGPD in Portuguese, equivalent to the Brazilian LGPD).
Full statement released by Xiaomi
Xiaomi ("we") are aware of the report "Cybersecurity assessment of 5G-enabled mobile devices" ("the report") recently published by the Lithuanian Information and Security Authority (NCSC).
We take seriously the allegations made in the report. While we question the characterization of some findings, we have sought an independent expert to evaluate the points raised in the report. We believe in the integrity of our products and our company's compliance practices in Lithuania and across Europe, and we believe a third party will confirm this for our users and partners.
In particular, Xiaomi would like to address two important points in the report:
1. Alleged censorship
Xiaomi's products do not restrict or filter communications to or from its users. Xiaomi has never restricted or blocked any personal activities of its smartphone users, such as: B. Searching, calling, surfing the Internet, or using third-party communications software. The NCSC report does not state that.
The report points out that Xiaomi uses advertising management software with limited ability to manage paid and push advertising sent to devices through Xiaomi's apps, such as Mi Video and Mi Browser.
This can be used to protect users from inappropriate content such as pornography, violence, hate speech and references that may be offensive to local users. This practice is common in the smartphone and internet industries around the world.¹
We review our advertising management system guidelines from time to time to ensure that they meet our users' needs and expectations.
Xiaomi is committed to acting responsibly and transparently in all countries. We are committed to continuous improvement and innovation and welcome exchanges with users, regulators and other stakeholders.
2. Data processing and data transmission
The report also falsely suggests [an inadequate] data processing procedure. In fact, Xiaomi complies with all requirements of the General Data Protection Regulation [GDPR], including the use, processing and transmission of end-user data. Our compliance applies to all systems, applications and services. Any use of personal data requires the valid consent of the end user and is always conducted in accordance with local or regional laws and regulations of the European Union and its member states.
Xiaomi works in accordance with ISO / IEC 27001 information security management standards and ISO / IEC 27701 privacy information management system. Xiaomi has also received the TrustArc Corporate Privacy Certification every year since 2016. This ensures the best possible privacy and security protection for the end user.
Xiaomi would like to emphasize once again that we are committed to the privacy and security of our users. We work to the highest standards and comply with all local and regional regulations.
¹ please see Article 13: Controversial content of Facebook Ads policies, available at https://www.facebook.com/policies/ads/; Political content clause of Google Ads policies, available at https://support.google.com/adspolicy/answer/6008942