Are Xiaomi browsers spyware? Yes, they are (2020)

palant.info

1215 points by autoditype 5 years ago · 504 comments

goodells 5 years ago

Related to Xiaomi, the company is also doing some sketchy things in the smart home space under their brand "Aqara". I use HomeKit in my apartment and opted for Aqara branded wireless buttons and temp/humidity sensors because of the attractive hardware and good reviews. The devices require a wi-fi connected hub, not too strange for things that use Zigbee, so I gave that a go.

Well, on cursory examination, the Aqara/Xiaomi hub was talking to a bunch of Chinese servers constantly. I didn't dive too deep into what all they were actually for. When I blocked the device from phoning home with my router, all the connected devices stopped working! None of the buttons or sensors would work, the RGB light on the hub couldn't even be changed. As soon as it lost the ability to ping its servers in China, the thing actually started strobe light flashing blue. Re-enable the outside network access on it, starts working again. This was totally antithetical to why I use HomeKit in the first place, so I removed the hub and paired all the Aqara accessories with a generic open source Zigbee hub (ConBee II) and added it to HomeKit with HomeBridge.

In the future I plan to give brands more scrutiny before investing time/money in them and granting them unfettered access to my LAN...

  • ornornor 5 years ago

    I use some Xiaomi connected lamps. First thing I did was connect them to Home Assistant via a dedicated VLAN that has no internet access. I see pages and pages of denied connections in the firewall from the smart lamps. They work with HA just fine, I just wonder what they’re trying to do with these servers. This is pure speculation but I’m convinced that all these smart devices from China are the largest state sponsored Trojan horse program in history. They’re probably not interested in you and me but since everyone and their dog has these devices, it’s possible to access and infiltrate any given high value target with these. No one even knows what’s in the firmware. I have no illusions other countries are doing the same, but none have the reach that Chinese branded electronics do. Bar Google maybe.

    • dvfjsdhgfv 5 years ago

      I was thinking the same. The Mi ecosystem seems nice, has good reviews, and is relatively inexpensive. You can control everything from one app and they make things easy for you. Among many appliances they also have inexpensive IP cameras. When you think about it, it's really scary. They have all possible sensors and several actuators. With time, it may get much worse.

    • nextos 5 years ago

      I love some of their non-smart devices that can't spy on me. For example, their Mijia precision screwdrivers are exceptionally good quality (Wiha heads) and the price is fair.

      Their phones running Android One are also fine and can be reflashed. But the rest of the items are quite shady. I have sniffed on the network traffic some devices generate and it's quite scary.

      The same thing applies to other Chinese industrial equipment. For example, I know some labs put BGI sequencers inside airgapped subnetworks because of industrial espionage fears.

  • deepstack 5 years ago

    > the company is also doing some sketchy things in the smart home space under their brand "Aqara"

    The whole idea of connecting everything to the internet is getting out of hand.

    1. Internet and digital infrastructure has no integrity as it currently stands.

    2. Anything for home, machinery, all should work when there is NO internet connection. Just like an app should work (to some extent) in airplane mode. It really comes down to the idea of data/device sovereignty.

    Is this my device or not? If I need to ping some place in China to get this working, then make it clear on your front page that it is a lease.

    • mcv 5 years ago

      The only company I would trust with home automation at this point is IKEA. They're the only ones doing this who are actually in the business of making their customers' homes nice, rather than collecting and monetizing their customers' data.

      (And now I'm half expecting someone to respond that IKEA also collects our data. I don't know if they do, and I'd expect them not to, but I'd really like to know if they do.)

      • amelius 5 years ago

        It's a company. With shareholders. Even if you can trust them now, that's no guarantee for the future. Trusting companies is just silly.

        • skeeter2020 5 years ago

          I guess this is technically true, but then you're a person and some people do terrible things, therefore you must be terrible?

          I think what the GP is stating is that Ikea's model is based on selling home goods, so the incentives align to sell you home goods, not collect data for the Dutch government. Apple could steal all your most private data as well, but their business is luxury electronics so it's not in their best interest. Could this change? Absolutely, but are you more concerned with what could be, or what currently is?

          • amelius 5 years ago

            > I guess this is technically true, but then you're a person and some people do terrible things, therefore you must be terrible?

            People are on average far more predictable than companies. A company is like a person with a very unstable personality. And the predictable component of a company's behavior is usually selfish and evil, whereas the predictable component of a person's behavior is usually good.

        • dna_polymerase 5 years ago

          > It's a company. With shareholders.

          It's owned by a Dutch foundation which serves to "promote and support innovation in the field of architectural and interior design" (via [0]). Oh and something about kids in developing countries.

          [0]: https://en.wikipedia.org/wiki/Stichting_INGKA_Foundation

          • amelius 5 years ago

            IKEA has a complex corporate structure which was created specifically because of the high Swedish taxes. Hence the Dutch connection.

            Also, read the criticisms section of that link. Only after publication of the criticism in the Economist did the family who owns IKEA take action. Now imagine what happens if the family has less control in the future. Also, supporting innovation and supporting developing countries does not mean "don't track users", etc.

        • mywittyname 5 years ago

          Shareholders care about public perception. Selling user data isn't that profitable. It makes sense that a company would weigh in the potential cost to the brand when determining whether to sell user data.

          I could see IKEA using their "good behavior" as a marketing expenditure or selling point. Much like Apple does. This would align well with their general brand perception vis-a-vis sustainability and whatnot.

          • blaser-waffle 5 years ago

            The only people that care about this sort of thing are here, on Hacker News. Or similar tech forums.

            My mom isn't going to care, she's going to get something because she thinks it looks cool and the brand is eco-friendly or some shit.

            There is a demand for bulletproof cars and blackout curtains, but judging by what I see in my neighborhood, I wouldn't invest heavily in a company that makes those things. But the latest fashions, made sustainably, in POC & women owned business, OMG SO AWESOMEMMEMEME

        • conjectures 5 years ago

          I realise this is an opinion du jour around here now, but it's a pretty paranoid take on the market economy.

          I trust that if I buy a can of coke, it will contain coke because coke want to keep selling me coke. They don't need to be good people, they just have to care about making money in the future. The fact that I think they care about that is why I can trust that the can of coke in fact contains coke with high probability.

          • amelius 5 years ago

            > I trust that if I buy a can of coke, it will contain coke because coke want to keep selling me coke.

            Perhaps but if the company could sell you more coke by having your personal data, it would be silly to assume they would not explore that route.

          • hrktb 5 years ago

            When we buy genuine Xiaomi lightbulbs it’s definitely Xiaomi lightbulbs in the package, that’s not the argument.

            The question is what happens at the purchase time, and afterwards. To bring back the coke you love, there’s a Coca-Cola vending machine that will accept payment from a cell phone, linking with the vending machine through NFC.

            What happens to your info when you download the app, what do they do with your purchase history? Do your data stay in the ‘coke’ silo or move to all the other sister brands and partner marketing firms to infinity and beyond? Do they scan the other apps on your phone to better profile you? Do they lobby where you live to get rid of blocking rules when they track you buy less because of them?

            Those are the questions that would come with ‘buying a coke’.

          • einpoklum 5 years ago

            > I trust that if I buy a can of coke, it will contain coke because coke want to keep selling me coke

            You don't even know what coke is, since that formula is kept secret (well, Coca Cola's at least). Also, in some countries, you'll get high-fructose corn syrup instead of cane sugar, which is believed to increase the risk of fatty liver disease, obesity etc. (caveat: Some believe the evidence is not conclusive enough for certainty.)

            And why don't they just "sell you coke" everywhere? Because it makes them more money. And the raison d'etre of a commercial company/corporation is pecuniary gain. Profiting. Making money. Management is obligated to act so as to maximize profit (under legal obligations etc. etc.)

            This brings us to your first point:

            > it's a pretty paranoid take on the market economy.

            No, it's literally what commercial companies' charters and fundamental structure require. No conspiracy theory or paranoia.

            In context of spying - if the company has determined their profits would improve by them spying on you, and that they can get away with it - then it's pretty likely they will indeed spy on you.

            • conjectures 5 years ago

              The point is that if I want a can of sugar water (or aspartame) I can reliably find one. I'm unlikely to pop the tab and find kombucha or sand.

              'Companies are out to make money' is not the debate trump card you seem to think it is. In fact the same view is embedded in my previous comment. The question is, given it's true what's the range of phenomena that result, what works well, what badly etc?

          • krageon 5 years ago

            > market economy

            If your argument for the market economy working in a way that shouldn't inspire paranoia is based on trust and distinguished consumer choice, you've not been paying attention to world news or you're arguing in bad faith.

            • conjectures 5 years ago

              > If your argument for the market economy working in a way that shouldn't inspire paranoia is based on trust and distinguished consumer choice, you've not been paying attention to world news or you're arguing in bad faith.

              No, I think you missed the point. It's based on greedy organisations being predictable. Amazon will send stuff we order so that we buy more stuff from them. Electricity grid with zero regulation will fail to invest in preventative measures against extreme events. Trust or distrust arises from the particular game theoretic situation we're talking about. Simply thinking every corporation will screw us at every moment is the paranoia.

      • AniseAbyss 5 years ago

        IKEA is a European company. Can't trust America - it's bought and paid for by corporations - and the Chinese are enigmatic - who knows what they want?

  • kennu 5 years ago

    I have a cheap air quality meter which basically connects to an MQTT broker server in China to transmit its readings constantly. The phone app connects to the same MQTT server, subscribes to a topic and receives the readings. I guess this is a very simple way to do it. Too bad the MQTT server has no authentication so you can actually subscribe to any topic. Many IoT solutions seem to be made by developers not very experienced in security.

    • amenod 5 years ago

      Are you saying you can actually read the air quality readings of other users? That's... quite an oversight. :-/

      • kennu 5 years ago

        The actual MQTT payload seemed to have some sort of custom encryption on it (not the usual MQTT-over-TLS). I didn't dig deep enough to find out how it works, but it didn't seem very sophisticated.

      • Siira 5 years ago

        Free big data for everyone.

      • baybal2 5 years ago

        The whole of Internet will know when you spoil the air :P

        • Foivos 5 years ago

          I know that you are joking, but the data from an air quality monitor can reveal a lot of useful things, such as when somebody is at home.

  • paulcarroty 5 years ago

    > the Aqara/Xiaomi hub was talking to a bunch of Chinese servers constantly

    It's not only a Xiaomi issue: many Chinese top and no-name smartphones steal user data and show ads inside their UIs. Cheap hardware & user data mining - great business model.

    The same with apps: https://www.vietnambreakingnews.com/2019/01/es-file-explorer...

    • jhvkjhk 5 years ago

      That’s why AI tech is much more advanced than any other Computing subjects in China, they get massive free data to train their networks.

  • bombcar 5 years ago

    It’s absolutely infuriating how many IoT devices round trip to the cloud for no good reason at all.

    • helloworld11 5 years ago

      Not quite for no good reason at all. For someone else who programmed them to do this, it is for a very self-servingly good reason of data vacuuming obsession, it just happens to be no good reason for the customer.

    • baybal2 5 years ago

      The thing is, they really don't. They just stop working after a few minutes of no connectivity.

      No real roundtrip happening.

  • sampo 5 years ago

    > temp/humidity sensors

    If you're into writing your own code, https://ruuvi.com/ has bluetooth low energy sensors that transmit temperature/humidity/air pressure/3d-acceleration data with an open protocol, also their firmware is open source. They have a mobile app that displays readings from sensors, but for anything else you'd need to set up your own data logging or home automation server.

    • La1n 5 years ago

      I can also recommend ESPHome, it supports many sensors and runs on basically anything with an ESP32 or 8266. It's open source and super easy to integrate with Home Assistant.

      edit: and -> a

  • nialv7 5 years ago

    > The devices require a wi-fi connected hub, not too strange for things that use Zigbee

    Wait, why would Zigbee devices require Wi-Fi connection? That would be a red flag for me, I would have avoided products like this.

    • Yaggo 5 years ago

      They don't. You can use Aqara-branded Zigbee devices just fine with Home Assistant (open source), no proprietary cloud services required. With most manufacturers' own hubs it's a whole different story, basically they all talk to their cloud, that's how they are designed. I can see why, that's the easiest option for the average consumer, plug & play.

      https://www.home-assistant.io/integrations/xiaomi_aqara/

    • tirpen 5 years ago

      Usually so you can control the devices from your smartphone. Phone talks to hub over local wi-fi, hub talks to devices over Zigbee. They might have a web interface where you can program schedules for the lights, define "scenes" and such. So it's not entirely pointless.

      There is however no reason why the hub should have internet access though.

      • allyant 5 years ago

        I believe they are used to allow the users to control their devices outside the network.

  • txdv 5 years ago

    I blocked all Chinese subnets because of the constant tries to log in to my servers.

    Obviously Xiaomi devices do not work in my network anymore.

  • CountSessine 5 years ago

    Really, it’s probably just telemetry data. It’s probably for QA and maybe even follow-up sales.

    Not that that is at all ok - it’s really not. But China is a country where there’s no concept of privacy - when companies are actually required to keep tabs on their customers and report data back to the state on a regular basis without legal oversight from an independent judiciary, the notion that the company isn’t entitled to peek in on you must be an alien idea.

  • jwr 5 years ago

    My Xiaomi devices (air purifiers) are on a different network, which I created specifically for sketchy "IoT" devices. It is physically separated, with separate addressing, and connected only at the exit router, where it is firewalled from the rest of my network.

    It doesn't mean Xiaomi doesn't learn everything about my air quality, temperature and humidity, but it at least decreases the attack surface.

  • nyx_ 5 years ago

    I use a couple of Aqara sensors to report temperature back to my Home Assistant instance via a HUSBZB-1 USB Zigbee dongle[0]. They work pretty well, although they report data pretty infrequently absent any large temperature swings, so not great for data-viz purposes.

    I'm not at all surprised the hub thing constantly chats with its family back in China, but a properly security-paranoid home automation aficionado wouldn't be caught dead giving some proprietary black box power and network inside their own home.

    [0] https://shop.homeseer.com/products/nortek-usb-zigbee-zwave-i...

    • methodsignature 5 years ago

      > but a properly security-paranoid home automation aficionado wouldn't be caught dead giving some proprietary black box power and network inside their own home.

      That sounds like the definition of a cell phone.

      • nyx_ 5 years ago

        Don't even get me started. :( It gives me pangs of cognitive dissonance every time I use my Android phone to type up a rant about how creepy Google is. I'd love to walk the talk, but my impression is that FOSS Linux phones aren't really viable yet if you're interested in things like, you know, functional power management or a Bluetooth stack that actually works.

  • riston 5 years ago

    About the smart home space, there is also Home Assistant which basically provides all the tools to keep everything isolated from internet.

  • gverrilla 5 years ago

    Couldn't you just return the hardware to the store and receive payback where you live?

  • ericd 5 years ago

    Does anyone know of any good resources on how to kit out a home with sensors that speak strictly locally/have no cloud connectivity?

    Is the answer just to find zigbee-only gear?

  • melomal 5 years ago

    > was talking to a bunch of Chinese servers constantly

    Out of curiosity do you want Chinese companies to use US servers? Or where would servers be ideally placed for a Chinese brand to be accepted? I genuinely am curious to know.

    • dylan604 5 years ago

      Is this a serious question? How about don't contact any external server unless the user clicks an update button (or possibly on a scheduled time the user has specifically allowed). After that, there is no legit reason for a device sensing the temperature in my home, a light switch, an electrical plug to ever call "home" about how it is being used. Maybe, just maybe, if the device detects that it is failing or other serious errors that might be okay, but if and ONLY if the user has specifically allowed that to happen. I don't care if the server is located in the US, China, Timbuktu, or Atlantis, and I don't care if the company is based in the US, China, or Mars. Just don't do it.

      • pferdone 5 years ago

        I think you're both on the same page here, but (and I'm also guessing here) I think OP implies there's a certain bias when it comes to Chinese servers. And I too have this feeling, that if it's a server in the "western world" not a lot of people would bat an eye. But if it's a Chinese or Russian server, now that's something "we don't want".

        • melomal 5 years ago

          This is what I am trying to figure out. I have a UK focused website therefore I use UK based servers, US focused website I use US based servers.

          Aren't most processing chips/hardware made in China for all major western tech companies anyway? I get the RU/China server suspiciousness but as far as I can tell, US unicorns are up to the same tricks and openly/brazenly pillaging data without any threat or fear.

          • buran77 5 years ago

            We're in a western/US-centric bubble here on HN. People are aware data collection is bad, they'd rather not have it at all even if they'll accept some from Google, MS, Amazon, etc., but most of all they'd rather not have China/Russia/NK/etc. have any of that data. As you can already tell, just asking the question is enough to get flak.

            Otherwise most consumer products (devices or software) phone home for one reason or another, whether it's telemetry and data collection, basic functionality that's implemented exclusively via cloud, or more advanced cloud features. It's down to deciding whether you trust the western legal system and increased transparency to deal with the nefarious aspect of data collection, rather than the Russian, Chinese, etc. legal systems and transparency.

            Almost every device or software with network connectivity I played with phoned home: the Philips Hue gateway (Netherlands), Tado (Germany), Apple Homepod (US), Amazon Alexa/Fire* stuff (US), Synology (Taiwan), Unifi Controller (US), LG/Samsung smart TVs (South Korea), Google Chromecast (US), random assortment of network connected cameras (China, Taiwan), and a big etc. here. Some do a better job than others and just connect for basic stuff as far as I can tell, some enabled telemetry without asking and after the backlash ask again after every update, some have no option to disable this connectivity, etc.

            One thing that trips most people looking at this for the first time is when they start off with blocking internet connectivity for the least trustworthy devices (Chinese brands) and immediately see a zillion attempts being blocked, even if the device keeps working. They conclude the devices are trying to exfiltrate that much data. They're most likely constantly reattempting until they get a response. Some of my network cameras would try every second but after a successful connection the flood stopped and they barely sent anything.

            I chose to "complicate" my life a bit and buy hardware that I can flash with some open source firmware cutting out the cloud features completely, or connecting via "home made" solutions everywhere I can then using my home VPN to control them if needed. Whether China or the US have that data is of little real consequence to me right now but it's a matter of principle and I'd rather not shift my principles based on geography.

            • melomal 5 years ago

              Thank you for your response and clarification! Your point on the multiple attempts to connect etc seems to make sense. I would imagine a lot of people checking these requests may jump to conclusions that every piece of data is being pulled across.

              > just asking the question is enough to get flak

              You are definitely right about that!

          • kwanbix 5 years ago

            Of course (almost?) no government is a saint. However, China is a totalitarian non-democratic government. I would fear the Chinese government much more than the US or UK governments, for example. But I might be too naive.

            • melomal 5 years ago

              > I would fear the Chinese government

              If you are outside of China then surely there is nothing to really be scared of? What could the Chinese government do with your data that could cause harm?

              I get it's the principle but ultimately we are all scared of sharing our data with China and I am not sure why?

              • AniseAbyss 5 years ago

                I don't get it either. Whenever someone uses the words "the West" I cringe because every goddamn privacy invasion has come from our friendly American overlords. Who I might add are not just like us.

                • melomal 5 years ago

                  > I cringe because every goddamn privacy invasion has come from our friendly American overlords

                  Exactly! It seems that the propaganda machine is still rolling heavy.

                  • mmmmmk 5 years ago

                    There is a big difference. An open, democratic government can be peacefully corrected. A closed, totalitarian government cannot be. If the Chinese and Russian governments were open, then we could worry less about them.

                    • osmarks 5 years ago

                      Western governments operate mass surveillance programs seemingly without any public open oversight or democratic input.

                      • melomal 5 years ago

                        The United Kingdom has more CCTV activity than any other European country, per capita. No one bats an eyelid. They have also been using facial recognition to find people in the crowd with a really poor rate of success. No one seems to bat an eyelid, China does the same and everyone is going crazy.

                        • kwanbix 5 years ago

                          The big difference is that you can say President USA is this and that and nothing will happen to you. But speak badly of the Chinese government and you would end up in a shithole for life. Or worse. Or say something bad about the N Korean leader for example. This is totally different.

              • kwanbix 5 years ago

                With totalitarian governments, you never know.

                Look what happened to Alexei Navalny.

                Look what happened to Sergei and Yulia Skripal in UK?

                Again, I am not saying the other governments are saints, but I feel you have much more options in democratic countries.

                • melomal 5 years ago

                  > Look what happened to Sergei and Yulia Skripal in UK?

                  The UK is Russia's poison playground so in this instance it would seem that realistically no one is safe, even if you reside in a democratic country. But then again these were people with major clout or enemies of the state.

              • BigJ1211 5 years ago

                I think most people assume a totalitarian regime that's interested in at the very least being the economic powerhouse of the world won't have good intentions with collecting everyone's data.

                A far better assumption than: "well others do it too, therefore nothing about it can be more nefarious."

                I do not want anyone getting their hands on my data, but in order of regions collected data this is my 'preference': EU >>> US > RU >> CN

    • yumraj 5 years ago

      If Chinese companies place servers in US, then these servers would just be a proxy to feed data to Chinese servers.

      To each their own, but I think China will have to fundamentally change at this point for me to have any trust in any Chinese companies. Just look at Alibaba. If they are not safe from CCP influence, then it is safe to assume that all Chinese companies are just shells, or under influence of, the CCP.

      • melomal 5 years ago

        I get the fear but what do you imagine would happen to you and your data if the Chinese government got their hands on it? Will they create an internal credit system for the West? If so, how would this affect you.

        I'm genuinely curious what people fear will happen to them and their data if it went to a Chinese server. What are the consequences? What is the difference between Amazon running A/B tests to get as much money from you as quickly as possible VS TikTok trying to improve their suggestion algo to improve their engagement for increased ad revenue?

        • higerordermap 5 years ago

          They collect data of all other countries. As their devices become pervasive, the data and thousands of RCEs serve as an aid to intelligence, if your country is competing with or in a fight with China, this is actively harmful.

  • bigphishy 5 years ago

    Hahaha holy shit

  • cavendish3313 5 years ago

    Xiaomi did one thing wrong: It is a Chinese brand.

  • mensetmanusman 5 years ago

    Amazon should be fined for selling IoT devices that do this. It is likely a threat to America’s infrastructure.

    Imagine if China could stop all smart homes from working if a politician said something about concentration camps.

    Do you think the average american cares more about their garage door opener working or the camps?

danpalmer 5 years ago

This paragraph stood out to me:

> The intention here seems to be that aigt is the timestamp when the ID was generated. So if that timestamp deviates from current time by more than 7776000000 milliseconds (90 days) a new ID is going to be generated. However, this implementation is buggy, it will update aigt on every call rather than only when a new ID is generated. So the only scenario where a new ID will be generated is: this method wasn’t called for 90 days, meaning that the browser wasn’t started for 90 days. And that’s rather unlikely, so one has to consider this ID permanent.

If we assume that Xiaomi aren't literally trying to spy for a government and are in fact just poorly calibrated on what's legitimate to collect for product analytics purposes, this paragraph highlights why that's still incredibly dangerous despite "good intentions".

I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice.

This paragraph seems to suggest a similar problem at Xiaomi. This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points. The fact it wasn't suggests that these stages either don't exist or are insufficient.
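The rotation bug in the quoted paragraph, reconstructed as an added Python example (constructed for this thread, not code from the article or from Xiaomi's browser): both ID stores are hypothetical, only the `aigt` field name and the 90-day constant come from the quoted text, and the clock is passed in so the behaviour over time can be simulated.

```python
"""Constructed reconstruction of the ID-rotation bug quoted above.

Both stores keep an identifier plus an `aigt` timestamp (ms since epoch)
and are meant to mint a new identifier once `aigt` is more than 90 days
away from the current time.  The buggy store refreshes `aigt` on every
call, so in practice the identifier never rotates while the browser is
in use; the fixed store only stamps `aigt` when it actually regenerates.
"""
import secrets

# 7776000000 ms == 90 days, the threshold named in the quoted paragraph.
NINETY_DAYS_MS = 7_776_000_000
DAY_MS = 24 * 60 * 60 * 1000
EPOCH_START_MS = 1_600_000_000_000  # constructed starting clock value


class BuggyIdStore:
    """Hypothetical store mirroring the behaviour the article describes."""

    def __init__(self):
        self.id = None
        self.aigt = 0

    def get_id(self, now_ms):
        if self.id is None or abs(now_ms - self.aigt) > NINETY_DAYS_MS:
            self.id = secrets.token_hex(8)
        # Bug: the generation timestamp is overwritten on every call, so the
        # 90-day window slides forward each time the browser starts.
        self.aigt = now_ms
        return self.id


class FixedIdStore:
    """Same interface; `aigt` is only updated when a new ID is minted."""

    def __init__(self):
        self.id = None
        self.aigt = 0

    def get_id(self, now_ms):
        if self.id is None or abs(now_ms - self.aigt) > NINETY_DAYS_MS:
            self.id = secrets.token_hex(8)
            self.aigt = now_ms  # stamp records when *this* ID was generated
        return self.id


def distinct_ids(store_cls, call_days):
    """Call get_id once per listed day offset; return how many IDs were seen.

    `call_days` is an iterable of day offsets from EPOCH_START_MS, e.g.
    range(365) models a browser started every day for a year.
    """
    store = store_cls()
    seen = set()
    for day in call_days:
        seen.add(store.get_id(EPOCH_START_MS + day * DAY_MS))
    return len(seen)


if __name__ == "__main__":
    # Daily use for a year: the buggy store never rotates, the fixed one does.
    print("buggy, daily for 365 days:", distinct_ids(BuggyIdStore, range(365)))
    print("fixed, daily for 365 days:", distinct_ids(FixedIdStore, range(365)))
    # The only case where the buggy store rotates: a gap longer than 90 days.
    print("buggy, day 0 then day 100:", distinct_ids(BuggyIdStore, [0, 100]))
```

With daily use the buggy store reports a single identifier for the whole year, which is the "consider this ID permanent" conclusion in the quoted paragraph; the fixed store rotates at days 91, 182, 273 and 364.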

  • sammorrowdrums 5 years ago

    Genuinely, I really want to see Purism succeed and increasing numbers of competitors in that space, because we need tools that don't require so much blind trust. Whether caused by inept software devs, scope for malicious code / backdoors in firmware, analytics spyware, and whether this stuff is well intentioned or not, if it can be abused, it will be.

    Open source and verifiable down to the firmware is the only chance we have at any real level of trust, otherwise as is always apparent in these conversations, it often falls otherwise to who you think could compromise your device and making your bed with it, like USA not China or vice versa.

    • cosmodisk 5 years ago

      The problem is that purism doesn't pay as much as all the tracking, preinstalled bloatware, random 3rd party utilities and other stuff. This will never ever be solved through competition, because people either don't care, or there aren't enough of those who do. Legislation is the only way to make it work, but then again, that's hardly an option for most of the world.

    • euske 5 years ago

      > Open source and verifiable down to the firmware

      While I agree with your intent, the problem is that, many open source software is not verifiable.

      Remember that a Kaggle competitor was openly cheating with his published code? (cf. https://www.theregister.com/2020/01/21/ai_kaggle_contest_che... ) Eventually he got caught, but it's sometimes extremely difficult to spot well-hidden malicious code in plain sight. We need to be much better at analyzing software.

      • ShroudedNight 5 years ago

        While having the source available is not a panacea, it would seem that, at least in the case you mentioned, not having the source code would have allowed for the cheating to continue with impunity, as there would have been no way for anyone to begin to discover what had been going on. That would suggest that having the source available is a necessary part of establishing real trust, even if it's not sufficient.

        > While I agree with your intent, the problem is that, many open source software is not verifiable.

        To me, this sentence reads as "That's a nice idea, but untenable in practice." rather than "Open source is necessary, but shouldn't be considered sufficient." which strikes me as counter-productive to the objective of easily verifiable software.

      • fsflover 5 years ago

        > many open source software is not verifiable

        Open source software is more verifiable than closed source though.

      • sammorrowdrums 5 years ago

        Yeah, you are definitely correct on the lack of verification tools and I hope research on that one day breaks out of academia and into more common usage. The Kaggle story is great. One mildly related thing is Purism's bootloader tampering detection with their "librem key". Naturally it does nothing to verify the running code, but it does feel like knowing you're running the code you thought you were has some merit.

        I think maybe some replies have interpreted my comment as naively assuming that open source firmware would mean complete trust. I just think it is a good step on the journey.

    • giantrobot 5 years ago

      Purism is never going to end up with fully open source baseband firmware. It's not going to happen because the radios are subject to several regulations, which means customers can't be allowed to modify that firmware. There's always going to be a trust hole.

      • phkahler 5 years ago

        You can still make the code and tool chain open source. Then require a key to write to the device. Reading could be allowed.

        This can work where everything is in the open except a private firmware signing key.

      • fsflover 5 years ago

        People should push for open source as much as possible. At some point it will be easier to lobby for the new regulations when everything else is fully open source. See also: https://forum.pine64.org/showthread.php?tid=11815

        • giantrobot 5 years ago

          The regulations around radios exist because the spectrum is limited and emissions propagate over a wide area. You and I (assuming you're in the US) have the same standing to use radio spectrum. If I go and modify my phone's firmware to increase the power output I could literally jam communications from your phone.

          It's very different than if I modified the firmware on my hard drive or UEFI on a PC. I might fuck up my stuff but it doesn't affect you. I can fiddle with my hard drive firmware all day but I'm not going to block a 911 call you're trying to make.

          Also a company giving out modem firmware is an exception and not a rule. It re-classes the device as a hobbyist/experimental device and if they go traipsing around with it they could potentially face fines (unlikely but possible).

          Again it's not about lobbying it's about a limited spectrum and people being stupid/assholes not realizing or caring their pocket radio affects others. You live in a world where shitheads try to make their cars louder on purpose and you can pick up dozens of WAPs because everyone sets the power to the highest number the interface allows.

          • fsflover 5 years ago

            Using wrong spectrum and jamming communications of others can be illegal without forcing proprietary firmware. It's like making all cars illegal, because someone blocks access roads for a fire brigade.

            • giantrobot 5 years ago

              It's not forcing proprietary firmware. The firmware could be entirely open so long as end users couldn't freely modify it on their devices. Competition between baseband manufacturers drives them to keep firmwares proprietary.

              • fsflover 5 years ago

                Preventing modification of the firmware is like making your car unrepairable and unopenable, so you couldn't mess with it.

      • baybal2 5 years ago

        Who said you cannot? Just do it, and see.

        • giantrobot 5 years ago

          Every radio regulation agency on the planet? Most radio hardware is capable of operating outside of regulated limits. The device firmware is usually what keeps the devices running within their regulated limits and gets those components licenses to be sold. Anyone selling regulated devices running outside of their regulated envelope faces fines and even criminal charges.

          Cell phones only work because the millions of devices run within strict limits and behave reasonably. There's not a lot of difference between a properly operating radio and a radio jammer. Purism isn't going to find a baseband vendor that's going to risk their licenses by allowing for open source firmware.

          • baybal2 5 years ago

            No, plenty of radio transmitting equipment is fully open soft modems.

            As far as I know, there is no licensing whatsoever for baseband makers?

            Where did you get that it is?

            • giantrobot 5 years ago

              In the US a baseband processor's entire software stack that controls the radio front end must be certified. They'll also have the modems to talk to the cellular networks. BPs use their own CPU(s) and an RTOS firmware that's FCC certified.

              This is why a baseband processor is a fully separate component from a device's application processor(s). Since the AP doesn't talk directly to the radio it doesn't need to be certified and can be updated without recertification. The BP can also get certification and any manufacturer using that BP doesn't need to re-certify it. The interfaces are also such that the AP can't (or shouldn't be able to) tell the BP firmware to boost the output power above legal limits or something.

              Radios that have "open" soft modems don't typically have fully software controlled radio front ends. The radio front end will have its statutory limits baked in electrically or have very limited software control. The modulation on the back end isn't as important as the front end. Broken modulation just means you can't talk to anyone, an overdriven transmitter is effectively a radio jammer or can give someone an RF burn.

              • baybal2 5 years ago

                > In the US a baseband processor's entire software stack that controls the radio front end must be certified.

                Can you point where it is stated?

                • giantrobot 5 years ago

                  47 CFR.

                  • baybal2 5 years ago

                    What rule in particular?

                    • giantrobot 5 years ago

                      Part 2 covers recertification of changes to radio equipment (everything touching the front end of the radio). Part 24 covers broadband PCS while Part 15 covers WiFi and Bluetooth since they're ISM band components.

                      If you're actually interested read the regulations and look up some FCC IDs for devices.

    • matheusmoreira 5 years ago

      > we need tools that don't require so much blind trust

      Completely agree.

      > Open source and verifiable down to the firmware is the only chance we have at any real level of trust

      The hardware itself could be compromised though. There's just no way to know what's really inside these black boxes.

      https://youtu.be/_eSAF_qT_FY

      We'll never have real trust until we get the ability to fabricate our own processors in our own home just like we already have the ability to write our own software.

    • africanboy 5 years ago

      as much as I am eager to see open source mobile OS succeed, tracking happens at the app level.

      What happens when I install the FB app on a Purism enabled device?

      My way to go until now has been installing as many OSS apps on my smartphone as possible, to the point that even the keyboard and the launcher on my smartphone are installed through f-droid.

      That's the main reason why I prefer Android phones over Apple ones.

      • robotbikes 5 years ago

        I don't think Facebook is likely to release a Linux based app. If they did it would likely be Electron style. There are also lots of Facebook apps that wrap the mobile website inside of a stand-alone "app" available on F-Droid. I also wonder what type of permissions API even exists that would allow you to view contacts as an app inside of Purism. Maybe Gnome has some kind of API already for apps to access built-in contents, but thus far there hasn't been a lot of proprietary software released for Linux that embeds spyware because of the low # of users, increased difficulty and general lack of a distribution platform. But Purism is also really far away from being a viable platform for non-techies at this point.

  • UnpossibleJim 5 years ago

    |This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points.|

    If the very first people (presumably the "higher ups"/more prestigious designers) in the design process miss such things, it is very hard to call them out in a societal construct that is the business construct that has become Xiaomi and the Chinese Government.

    It's hard enough in some companies for QA to question software engineers and not catch backlash in the US when making games. Companies like EA, Atari and Nintendo are notorious for it. Apple used to shitcan QA who didn't treat "the talent" nice enough, and they weren't a quasi governmental entity.

    You're right, of course. But man, that's a big frog in your throat to go up to your manager and say, "Sir, I'm sorry but this whole process has issues. Here's the fix, but it means a redesign of a core process." That's tough. That's double tough.

    • danpalmer 5 years ago

      This is something that a company with a mature security posture needs though. Yes it's hard, but that's the point.

      There are many ways to work around this; having teams whose incentives are tied to finding issues, maybe in a different reporting chain or office or country to those writing the software, is one way.

      • UnpossibleJim 5 years ago

        I think incentivizing and anonymizing issue finding by restructuring sounds like an amazing idea, to be honest. Having batch issues come in to the devs via bug tracking software and conversations be labeled with a user ID rather than a name would make a world of difference; so would basic professionalism. An understanding that it isn't team against team. SDETs (and manual testers) are not adversaries to devs or management... Though, I think a lot of devs realize this but project management/producers have a harder time understanding this. This is where I think a basic understanding of coding and the development pipeline would help a lot.

        But, here we are. In the real world =/

    • thw0rted 5 years ago

      If your design is "accidentally" indistinguishable from intentional state-sponsored surveillance, does it really matter whether you arrived at it through malice or incompetence?

  • 45ure 5 years ago

    >I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice. This paragraph seems to suggest a similar problem at Xiaomi.

    AFAIK, Xiaomi does not sell any critical infrastructure equipment, nor is it installed anywhere; not entirely sure why GCHQ or NCSC would be involved, especially when there is ambiguity around which/what equipment they should be conducting a code review upon?

    With regard to Huawei, there was no decisive conclusion, despite a comprehensive security review. Furthermore, it has been business as usual for currently installed equipment. All future decisions will be based around the 5G infrastructure.

    • cmeacham98 5 years ago

      Presumably phones used by government employees in relation to sensitive data are security critical? I'm not aware if their phones are being used in the wild in such a way but it's not hard to imagine such use cases.

      • thw0rted 5 years ago

        Here in Europe, Huawei and Xiaomi are two of the most popular phone brands I see in shops. Even if the government isn't actually buying them to issue as "work phones" for employees, those employees are certainly buying them for personal use, carrying them to sensitive places, and leaking their own life details.

        You'd have to be a complete idiot to believe that the CCP isn't happily digging through all the data they send back.

  • michaelcampbell 5 years ago

    > If we assume that Xiaomi aren't literally trying to spy for a government

    Is that even allowed by Chinese law?

    • buildbot 5 years ago

      I believe the implication would be they are spying for China in this case, and therefore as legal as they want it to be.

      • michaelcampbell 5 years ago

        Right, I meant is it allowed by Chinese law to NOT spy for the government. As I understand it, to be allowed to operate in China as a Chinese company, you are under the obligation to provide any information you collect to the gov't upon request. Is that not the case?

        • tehjoker 5 years ago

          You guys are familiar with the Snowden disclosures and how all telecom companies and very likely all major tech companies are spying for the US government right?

          At this point, this is table stakes for big tech and it's completely anti-democratic. China may have a very good domestic dragnet but clearly it's playing catch up compared to the foreign intelligence assets the USG (and five eyes) has.

          • ethbr0 5 years ago

            If you're going to cite Snowden, please be accurate.

            Remember that one of the leaks was that the NSA tapped unencrypted Google backhaul in transit without Google's knowledge.

            There's a difference between panopticon fearmongering and citing specific information we should be wary of. The former leads to apathy. The latter leads to action.

            • xtian 5 years ago

              • ethbr0 5 years ago

                That was AT&T. It (and all the other exposed operations) hardly supports the statement that "all telecom companies and very likely all major tech companies are spying for the US government".

                • xtian 5 years ago

                  The US defense and intelligence apparatuses have been deeply intertwined with private enterprise for many decades. This is a matter of historical fact. But I totally understand if it's more comfortable for you to believe that now things are different despite the fact that no one was ever held to account for what happened in the past.

                  • ethbr0 5 years ago

                    There is no proof that I'm aware of that all telecom companies and very likely all major tech companies are spying for the US government.

                    To be clear, evidence that some telecoms have, or that some major tech companies have is insufficient.

                    Extrapolating some into all is unreasonable. Do you have more proof it's the latter?

              • Judgmentality 5 years ago

                Whoa. I'm surprised I'd never heard of this before. Thank you.

            • tehjoker 5 years ago

              Right, that's why I said "very likely" instead of "proven". However, at this point it's pretty clear the tech companies are all competing for Pentagon contracts (e.g. Project Maven, JEDI, etc.) so the 2013 information has significant potential to be dated.

              Also, there's these nuggets:

              https://www.fastcompany.com/40481463/facebook-wants-to-hire-...

              https://www.rt.com/usa/399256-mattis-amazon-bezos-trump/

              Thinking America's largest monopolies and America's government and foreign policy are at odds over more than superficial things is probably not an accurate view of the world. America uses our corporations to advance nebulously defined "national security interests" and corporations use the government to get rich(er).

        • onethought 5 years ago

          Australia has similar laws also.

        • sleepydog 5 years ago

          Splitting hairs here, but the wording of your question gives the impression that one could choose not to collect any data and then be free of said obligations, but I don't think that's the case. Does anyone know?

        • thw0rted 5 years ago

          There is a difference between being required to collect data that they wouldn't otherwise need for a legitimate business purpose, and being required to provide access to data they've already collected to their government. I'm no expert but it seems like a Chinese company could design products that don't collect a bunch of extraneous information, without violating Chinese law.

        • thoughtstheseus 5 years ago

          That is the case.

    • ajsnigrutin 5 years ago

      Better question is, why are those devices allowed to be sold in EU/US/...

    • duxup 5 years ago

      I believe they're required to comply if asked. In theory they could have not been asked...

    • wonnage 5 years ago

      if you mean this in the sense that "all chinese companies are automatically spy agencies", then no, that's certainly not true. But would they have to comply with a government request - yeah, probably, just like any other company.

      • michaelcampbell 5 years ago

        That feels like a distinction without a difference. The gov't has access to all the data of all Chinese companies, and those companies are not required to divulge that to their consumers.

  • ComodoHacker 5 years ago

    Another possible explanation is this isn't a bug, but intended behavior. If the browser hasn't been used for 90 days, this might be a good indication that the phone has changed hands, and you need to generate a new ID.

  • africanboy 5 years ago

    I'm writing this from a Xiaomi smartphone.

    I know Xiaomi is not the best brand to buy for privacy, but I consider their products one of the best in terms of value for money

    I own a few Xiaomi devices, I simply install Blokada on each one of them and I think you would be surprised by how many non Chinese domains it blocks, Google being one of the worst offenders.

    EDIT:

    see this screenshot

    https://imgur.com/a/UO0BGCy

    EDIT 2: paradoxically, knowing that Xiaomi is a Chinese company makes buyers more aware of the privacy risks involved. It breaks that false sense of security associated with electronic devices that many people believe in.

    • Daho0n 5 years ago

      About your second edit: If you live anywhere on earth that isn't in the geographical area of China it would likely be better to have data going to China than the big US corps. For most it is unlikely the data could be used against you in anything from ads to a police raid, unlike with something like Google collecting it where it will almost for sure be used and useful.

      • kelnos 5 years ago

        I hear this a lot, but it strikes me as being short sighted. That only works if the status quo remains so forever. Maybe 5 or 10 years from now, relations between the Chinese and US governments gets cozier, and part of their deal includes sharing of this kind of data.

        Or maybe the US government knows it can't legally collect certain information on its own citizens, but can rely on China to collect it, and then purchase it from the Chinese government.

        Then there's the overall argument against: I don't want any government collecting data about me, period. It's none of their damn business, regardless of the chances of me having to interact with them in any capacity.

        • sudosysgen 5 years ago

          The US and Chinese governments will absolutely never have a rapprochement. Geopolitics states they will be at odds.

        • bigiain 5 years ago

          We know about five eyes.

          The pessimist in me assumes that's because it's a good cover for the intelligence agencies' data sharing agreements between the US, China, India, Russia, North Korea, et al.

    • petra 5 years ago

      How do you know whether Xiaomi's spyware doesn't bypass Blokada?

  • dreamcompiler 5 years ago

    > This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points.

    Seems more likely this was done on purpose so if they got caught they could say "Junior engineer made a mistake. So sorry."

    • soared 5 years ago

      Hanlon's razor is a principle or rule of thumb that states "never attribute to malice that which is adequately explained by stupidity"

      • dreamcompiler 5 years ago

        My corollary to Hanlon's Razor is "When you and/or your associates have been caught being malicious multiple times, Hanlon's Razor no longer applies to you."

      • learnstats2 5 years ago

        I find it a bad principle which absolves responsibility. Stupidity is the same as malice, if the outcome is the same.

  • rsj_hn 5 years ago

    That can be explained as a bug, but tracking what you typed into youtube search boxes doesn't seem like a bug and has no justification in terms of performance optimization.

walrus01 5 years ago

I truly don't understand, from a security and privacy perspective, why anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China. The MSS is no joke.

https://www.google.com/search?client=firefox-b-d&q=china+mss...

This is the same reason that Zoom is banned at my workplace and many other partner companies.

You've actually got two problems here. One is the commercial advertising/for-profit related data sharing problem described in the article. The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.

  • grishka 5 years ago

    Xiaomi phones are frighteningly popular here in Russia because they're very cheap. Like, a-phone-could-not-cost-this-little cheap. A 7000₽ (around $100) phone? Why not, seems legit! And not many people really understand what Xiaomi is actually doing to offset that cost. Heck, when you open the built-in calculator app in MIUI, it has a freakin privacy policy and refuses to operate if you don't accept that. Same for the gallery and the music player — you know, all the apps that have no business knowing that the internet at all exists.

    • names_are_hard 5 years ago

      Not defending Xiaomi in general, but it's worth mentioning that the stock calculator in MIUI (at least when I last used it) was much more than just a traditional calculator. It had all kinds of sophisticated functionality that goes beyond our arithmetic, such as currency conversion, which obviously requires network and an api that might very well be third party and require a privacy policy.

      So while I assume they're tracking users, I don't think the calculator having a privacy policy is as shocking as it initially sounds.

      • grishka 5 years ago

        Uh. An API that provides currency exchange rates is a textbook case of a read-only API. Unless that privacy policy is the nonsensical "we receive and process your IP address" (of course you do, that's how the internet works, duh), it has no reason to have one because no data flows in that direction.

        • judge2020 5 years ago

          Trying to get legal to sign-off on allowing no-privacy-policy access to anything is going to be hard every time, especially if you do keep personal information like IP addresses for any amount of time (hello gdpr).

          • grishka 5 years ago

            But how can one prove whether a third party stores something? Especially if it's the IP address that it must receive anyway.

            • judge2020 5 years ago

              While I don't think there would be much investigation on a simple currency API storing user info, most companies aren't in the business of increasing legal risk for the tradeoff of user experience.

          • SilverRed 5 years ago

            IP addresses are not identifying info under the GDPR. They are only potentially identifying. The address in your nginx logs does not count; if you are storing other data and can use the IP to identify an individual, now it's identifying data.

    • ptx 5 years ago

      The photo editor on my Sony phone keeps telling me it wants to send data to Sony and refuses to open when I decline. So the Chinese are no worse than the Americans and, apparently, the Japanese in this regard.

      • rsj_hn 5 years ago

        Wow, so because of this one example you conclude "So the Chinese are no worse than the Americans and, apparently, the Japanese in this regard."

        You are saying that if you can find a single example of X happening in domain A and a single example of X happening in domain B, then "apparently" A and B must be "no different" with respect to X. People are murdered in Japan. People are murdered in Brazil. Thus Japan is no different than Brazil with respect to murders.

        Please please tell me that you are just being inflammatory and that this "find one example" criteria isn't how you go about making assessments of things.

        • 0xbadcafebee 5 years ago

          You're right; our natural bias would be to distrust the Chinese more, because culturally and politically they are so far removed from us. So actually we should be suspecting the Americans and Japanese more than China to counter our biases.

          Could China possibly have infiltrated as much of global communications networks as the NSA & Five Eyes have for the past decade and a half? Not likely! If we didn't have such successful digital espionage programs, would we instead rely on our corporations to spy on our behalf? Very likely, seeing as we've already done that too.

    • approxim8ion 5 years ago

      It's not really that a phone could not cost this little. Xiaomi's pricing model is pretty transparent, they make a 5% or so profit from each device and also monetize via UI ads.

      It's more that consumers around the world have been brainwashed into believing huge markups are the default and must be accepted.

      That of course does not alleviate the data collection concerns about Xiaomi, but it is unfair to say that given the production apparatus to produce at scale and the ability to absorb losses initially, it is not possible to make devices this cheap.

    • elbrownos 5 years ago

      I love Xiaomi phones, I've owned a couple. But I wouldn't dream of using them without first replacing MIUI with Lineage OS.

    • walrus01 5 years ago

      In large software companies that have whole GUI/human interface design departments, they do lots of R&D and testing of interfaces. Traditional things like putting people with new software interfaces in rooms with video cameras and one-way mirrors of staff watching.

      It would be very interesting to see a random sampling of 20 'non technical' users presented with such a phone, and given instructions simply "here is your new phone, please unbox it and connect it to the wifi and do things on the internet for three hours". Record a video of their interactions with the screen.

      In my experience the vast, overwhelming majority of people when presented with a software popup like "Do you accept the license agreement to use this calculator?" will simply click yes/accept/okay/proceed as quickly as possible and disregard what it actually means.

      I have a theory that a very small percentage of persons would actually balk or become suspicious of seeing something like a privacy policy agreement for a photo gallery or music player.

      • grishka 5 years ago

        Now, I'm not a UX specialist, I'm merely a developer and these are just my own observations, but...

        Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about. And that's why dark patterns work more often than not.

        I roughly categorize UI/UX patterns into those that respect the user and those that don't. Showing a modal and making them decide something right now and right there is very disrespectful and off-putting. iOS of all things does this for system updates, low battery, and some urgent as hell alerts about your Apple ID. What you should be doing instead is use something non-blocking that can be ignored, like a notification, an icon badge, or a clickable bar at the top of the screen. Anyway, I digress.

        And then, if you need a calculator, but the one that came with your phone quits unless you accept the terms of use, what are you gonna do, as a non-technical person? Go to Google Play and look for a better one? Probably not.

        • alex3305 5 years ago

          > Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about.

          I think most users even accept this as general setup things. When I, as a developer, want my device set up as quickly as possible, I mostly just proceed with everything.

    • boring_twenties 5 years ago

      Here in the US, a Moto G7 Play is $130 brand new from amazon.com, and seems to be much more reasonable from a privacy standpoint. I seem to remember being presented with a clear choice to disable phoning home to Motorola during initial setup.

    • bildung 5 years ago

      How is that different from stock Android, besides this being per app and having to give blanket permission for all things Google right at installation of stock Android?

      • grishka 5 years ago

        For one, Google Play services come with a disable button. So, apparently, yes, you can de-googlify your phone without flashing anything.

        • alex3305 5 years ago

          Sure, but you will still have a sort of chain of trust with Google that that disable button will actually do anything. Except bothering you in the future with a new, fancy enable button to make certain apps work.

    • swiley 5 years ago

      The pinephone isn't much more expensive than that and doesn't have these problems.

      • alex3305 5 years ago

        You can't be serious about this right? Except from being a black rectangle, the ~$100-ish Xiaomi device isn't comparable to a PinePhone.

        The Xiaomi phone is better and more attractive in any other way, except privacy.

        • swiley 5 years ago

          Privacy and software selection. You can't run desktop Linux apps on android and it's becoming increasingly difficult to run CLI apps.

  • lucideer 5 years ago

    Could it be the same reason anyone outside of the US would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in the US? The ECPA is no joke.

    • yibg 5 years ago

      I would argue if you are neither American nor Chinese, the US has a greater ability to negatively influence your life. The Chinese government has full control domestically but can’t (currently) do too much outside of its borders. The US on the other hand...

    • stjohnswarts 5 years ago

      It goes the same for any of the "Eyes" countries. They share intelligence and tracking of citizens as well. It's not just the US, so don't act like it is.

      • Daho0n 5 years ago

        Don't pretend any other country has as much surveillance capability as the US does. There are levels to the awfulness and not everyone is at final boss level. Most are random green scrubs comparatively.

        • skynet-9000 5 years ago

          > Don't pretend any other country has as much surveillance capability as the US does.

          The level of surveillance in Xinjiang vastly exceeds that of anywhere else in the world except for military installations.

          • approxim8ion 5 years ago

            You're drawing a parallel that doesn't exist. Xinjiang is a physical location that is controlled entirely by them.

            US (or any) surveillance, especially over data, requires no such ownership or control.

      • marakv2 5 years ago

        Don't forget our laws here in Australia. (I know you mentioned eyes countries, which we are, but I wanted to highlight this).

        Our laws are so damn barbaric in relation to security that it's scary.

        It's gotten to the point where I nearly gave up on security. Who's compromised?

        I definitely missed out on a job because I was Australian. (Confirmed later over drinks with one of the devs who I am friends with).

        • phist_mcgee 5 years ago

          Can you say any more about the industry and size of the company you applied to?

          I'm an aussie dev, and I hadn't even considered my eligibility to foreign companies may be compromised.

    • walrus01 5 years ago

      I'm sure that a Chinese citizen would see the NSA as an equal or greater threat. The difference from my perspective is that as a citizen of a NATO country with a functioning democracy, I'm highly unlikely to be rounded up by my government and put in a prison or concentration camp for expressing my political opinions or religion.

      You only need to look at the past several years of news from Hong Kong and the Uyghur/Xinjiang province situation to see the stark real world difference in human rights, political freedoms and press freedoms.

      • lucideer 5 years ago

        I'm not 100% sure from your comment whether you're making out that:

        (a). China is bad (yes, known)

        (b). The US is not quite as bad (debatable but for the sake of argument let's agree that this is true)

        (c). The US is benign

        My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true. Though terms such as "country with a functioning democracy" make me think you might...

        • walrus01 5 years ago

          My point was absolutely not (c). The US has a vast and complex array of sociopolitical, economic disparity, racism, police brutality issues, some of which have been highlighted throughout 2020. But I definitely consider it to be the lesser of two evils.

          • chungus_khan 5 years ago

            The lesser of two evils is still collecting literally as much data as it can on you. And helping the Saudis with it too:

            https://theintercept.com/2014/07/25/nsas-new-partner-spying-...

            US Intelligence has too long a history of its own largely consequence-free abuses too. Someone else having a surveillance state doesn't make the one at home any better.

          • esclerofilo 5 years ago

            Someone from outside the US will probably worry more about its history of backing coups than the domestic problems you mentioned. If the US puts a Pinochet in my country and their algorithms say I'm likely to be a communist sympathizer, am I at risk?

            • the_af 5 years ago

              Definitely. Those of us from Latin American countries have a history with the US that we don't have with China, and so while China might be bad to us, we are (mostly) outside its sphere of direct influence; on the other hand, the US has a proven track record of supporting blood-thirsty and ruthless dictators in the relatively recent past, and meddling with our democratic institutions and electoral processes, so it's the "biggest threat" to us, so to speak.

        • bassman9000 5 years ago

          Black and white sophism. No country is going to meet c), no country is benign. What matters is how much better the country is in aspects like this. And the US is still much better, NSA included.

        • at-fates-hands 5 years ago

          > My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true.

          The country is an imperfect union. Although the country attempts at every turn to work towards "A more perfect Union"; clearly we have similar issues that other countries do.

          In a comparative analysis, OP was merely saying the US is head and shoulders above a country that suppresses freedom of speech, eliminates political dissent and the people who promote freedom and sends them away to actual concentration camps under the guise of "re-education".

      • checkyoursudo 5 years ago

        *Insert joke: [internet <- Chinese router - US router -> home network]

    • systemvoltage 5 years ago

      Responses like this are so predictable and shed no further light or provide no new insight.

      They're unproductive and flame-war prone. I downvoted your comment.

      • f6v 5 years ago

        Why is it unproductive? Parent makes a point that non-US consumers don't care whether it's a US or Chinese product. Both nations have access to domestic companies' data.

      • lucideer 5 years ago

        The original message was saying they couldn't understand / couldn't empathise with someone making a conscious decision to use xiaomi. I gambled that they make the same conscious decisions using US software, but only see their decision to do so differently due to a set of pro-US biases that others won't have.

        It's difficult to look past such biases if they're deeply ingrained but I think this can definitely be productive to do so. If you can empathise better with conscious xiaomi users, and understand why people use non-optimal software, such understanding can have a lot of benefits.

      • eznzt 5 years ago

        There is nothing new about the question "why would someone buy cheap phones when they come with spyware". So someone asks a shit question and gets a shit answer.

  • esperent 5 years ago

    Well, to play devil's advocate, as a random Irish guy it seems like my choice is between Chinese companies spying on me or US companies spying on me. I don't see that huge a difference - although I do acknowledge there's a difference in freedom of speech and culture in the US, that applies to US citizens and when it comes to spying on people outside the US the difference is much smaller.

    • onepointsixC 5 years ago

      Consider Document Number 9[1], and the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine. You already know what it's like living in a world in which the US is a dominant superpower; that's what the West has experienced in the past 70 years and it has created some of the greatest prosperity both the US and the West have experienced in their existence.

      A dominant China is interested in promoting their own values of Xi thought. And they're working very hard to promulgate it. Their coercive ability is remarkable in how it's already transformed Hollywood. Their ability to do so will only increase.

      [1] https://en.wikipedia.org/wiki/Document_Number_Nine

      • the_af 5 years ago

        > the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine

        For the last decades, the US has been actively trying to undermine -- mostly covertly, sometimes more openly -- leftist parties and organizations in Latin America (more often than not completely unrelated to China), so...

      • amaccuish 5 years ago

        > Consider Document Number 9[1], and the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine.

        You have quite literally also just described the US.

        "China and Communism are a threat which we should seek to undermine". It works both ways.

    • latch 5 years ago

      Similar boat, but I see a pretty big difference. Every time I have to fill out a FATCA form, I'm reminded of how much power the US government can wield over me - a non US citizen/resident.

  • Sebb767 5 years ago

    > The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.

    If you're anywhere near any scene you might consider not liked by the current government (which surely also includes journalists and the likes), your domestic agencies are a far bigger threat than the MSS, as long as you don't choose to go to China - and even then, you're probably fine, unless you're fighting against the Chinese regime in particular.

    And yes, the patriot act and the NSA are no joke. It's not like subpoenas are never heard of (and the EU is, at least in parts, not much better).

  • BelenusMordred 5 years ago

    > I truly don't understand, from a security and privacy perspective, why would anyone would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in the United States.

    Fixed that for you. Xiaomi offer an official bootloader unlocker for their shitty MIUI roms which no one else on the planet does and is one of two companies out there that sells stock android phones. They are the easiest mobiles on the planet to install LineageOS on.

    Imagine being on HackerNews and not at least slightly acknowledging the fact this company makes the most hacker friendly phones on Earth. It's honestly embarrassing.

    Feel free to sniff the packets on any other device and realise how prevalent phonehomes are and how the eyes can access all of it on a whim if it's going to non-Chinese companies.

    If you were an activist in the Western world I would only recommend a Chinese phone to protect yourself.

    Cointelpro is still roaring hard today.

    https://en.wikipedia.org/wiki/COINTELPRO

    • 12ian34 5 years ago

      I think it's important that you raised your point, but I don't see that Xiaomi providing stock android phones and the ability to unlock the bootloader on their MIUI phones forgives them from the clear privacy issues highlighted in the original post, particularly given that the vast majority of their customers stick with the default/popular option.

  • MisterTea 5 years ago

    Same could be said for countries outside of the USA buying US tech equipment.

    • serial_dev 5 years ago

      I agree, people give US companies way too much slack... But then what am I supposed to do if I'm European? The US and China pretty much cover the mobile market (and what's not covered is still not European).

      • walrus01 5 years ago

        From a purely pragmatic point of view: If you're European...?

        Consider that your country is likely either already a five eyes member, or a "five eyes plus" member with a historical record going back 45+ years of intelligence/law enforcement data sharing between the various NATO governments' intelligence agencies.

        And take a risk calculation, based on what you're doing in your life, if all your metadata and traffic was in the hands of the NSA, what's the most likely end result that might affect you adversely?

        Are you actually at risk of being persecuted for anything you're doing socially, religiously, politically? For instance, if you're a German, is all of your data being in the hands of the BND going to result in anything bad happening to you?

        • neltnerb 5 years ago

          From a purely pragmatic point of view, a lot of especially Eastern Europe and Eastern Germany are viscerally aware that "anything you're doing socially, religiously, politically" will always somehow include something illegal and worrying about surveillance results in self-censorship.

          I really don't think that's unreasonable, the fall of the Berlin Wall was within living memory. I hope that the NSA isn't going to do anything too, but the idea that they can't or won't is clearly not true. Staying under the radar might feel pragmatic, but I think a lot of people realize that's entirely inadequate with constantly shifting political environments.

          • walrus01 5 years ago

            I am not a European but I am fairly sure I would have two very different opinions on this, relative to my personal perceived level of threat from my own national government, if I were a citizen and resident of the Netherlands or, for instance, Belarus.

        • MaanuAir 5 years ago

          Threat model, I get that.

          The simple fact that this explanation can exist and is somewhat commonly agreed by tech-savvy people is... disturbing in some way.

          I mean, underlying are freedom, rights, security, surveillance, but also geopolitics, economics, philosophy maybe.

          Just behind some daily tech.

        • ampdepolymerase 5 years ago

          Considering the current target of deplatforming is the far-right, and given Germany's history specifically, they have a lot of reasons not to trust local hardware and software. The same goes for the Le Pen crowd in France, a somewhat adversarial government on the other side of the globe is often less risky than the status quo across the pond allied to the current French establishment.

          • walrus01 5 years ago

            I was wondering how long it would take until we got to the argument of "oh no, won't somebody please think of the unfortunate oppressed fascists! it's a good thing that xiaomi has phones and software for them, because their own local european government is against them".

            The paradox of tolerance and an open society is that if you allow actual fascism to flourish (and Le Pen is absolutely a fascist, in my opinion), you risk ending up with something much worse in the long run.

            • ampdepolymerase 5 years ago

              That's not a very valid argument in a thread about information security.

            • Chris2048 5 years ago

              > "oh no, won't somebody please think of the unfortunate oppressed fascists!..."

              Except anyone that you want to oppress will retroactively be labelled "fascist", or "far-right" by whatever loose system serves that purpose.

              The latest version of "terrorist", "activist" or "heretic".

              > and Le Pen is absolutely a fascist, in my opinion

              But whose opinion is canon in matters of censorship? Le Pen is also a valid political candidate with fair support in her electorate.

              Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?

              So you say "if you allow actual fascism to flourish.. something much worse in the long run" - who gets to decide what is "allowed", and what isn't?

              Seems to me the basis for such stability would have nothing to do with subjective judgements of what constitutes "fascism" - and more to do with principles of democracy - i.e. a fascist entity can be democratically elected - it just can't be given powers that would allow it to override democracy, or escape legal oversight. Perhaps the key word is "extralegal"?

              The problem is that too many political entities (not just far-right) seek extralegal, overreaching powers; believing it OK so long as "they can be trusted"; but if the king of today is a good king, his heir might still be bad. And the good government that allows for overreach enables the bad government that does the same.

              • amaccuish 5 years ago

                > Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?

                This actually happened in recent history. Just because Hitler (and yes I must unfortunately rely on such a reference, and no, Le Pen is not Hitler, but it provides a good example of far-right vs democracy) was elected doesn't mean the entire world should roll over.

                • Chris2048 5 years ago

                  Just to clarify, by "roll over" you mean "change their democratic systems to prevent the election of fascists"?

                  The election of the Nazis didn't justify the sweeping power transfer that resulted, including control of the press, a private party militia (Brownshirts) etc etc etc

                  I'm criticising efforts to interfere with who is allowed to be elected, versus limiting what powers can be obtained through election.

            • robertlagrant 5 years ago

              The paradox of oppressing in the name of opposing oppression is that it is already something much worse.

      • Keyframe 5 years ago

        > The US and China pretty much cover the mobile market (and what's not covered is still not European).

        Remember when this was the other way around? How did we come to this in ~two decades?

        • usr1106 5 years ago

          I know first hand that Nokia top and middle management understood nothing about software development or quality. The tools and practices used in the whole development were horrible. After a couple of years they just drowned in bugs and new products came slower and slower, failed projects more and more frequently.

          I have no idea whether it's equally bad at Google/Android or Apple. I have the feeling it's not.

          I don't think China really dominates in software world-wide. Xiaomi seems more like an exception to me. Hardware is a different story.

    • 0xy 5 years ago

      That's not true, because US companies are allowed to export E2E technology in products. Chinese companies are not given the same leeway. All Chinese messenger clients are not encrypted and are fully surveilled. That is not true for US messenger clients.

      • xtracto 5 years ago

        IIRC American companies (especially service companies, but surely also hardware companies) can be forced to introduce backdoors and other spying mechanisms and then forced not to disclose such a thing (i.e. Lavabit, Groklaw, Room 641 and equivalent Google and Facebook programs).

        For those of us that don't live in the US or China, it is just a matter of choosing between two evils. And being pragmatic, 90% of the population outside of China and the US does not give a damn if the US or China are spying on their mundane conversations.

        • dodobirdlord 5 years ago

          > IIRC American companies (especially service companies, but surely also hardware companies) can be forced to introduce backdoors and other spying mechanisms and then forced not to disclose such a thing (i.e. Lavabit, Groklaw, Room 641 and equivalent Google and Facebook programs).

          You recall incorrectly. By extension of the First Amendment, US companies are protected from being forced to introduce functionality so as to collect or decrypt information (or for any other purpose). Carrying out original work for the government is considered to be speech, and as a result cannot be compelled. If the data is already collected and available in a decrypted form to the company a court order can compel the data to be turned over as evidence, as is the case with any data (or any thing) held by anyone (with narrow exceptions related to the 5th amendment).

          This was a topic of national attention several years ago when the FBI tried (and failed) to compel Apple to create and sign a custom software update to unlock an iPhone.

          https://en.m.wikipedia.org/wiki/FBI–Apple_encryption_dispute

      • Daho0n 5 years ago

        And yet from the free to export US we keep finding backdoors and hardcoded admin passwords in things that are supposed to be way more secure than a random chat client. Even if all of them are actually bugs I'm not sure that is any better. No E2EE to share my shopping list with my girlfriend versus the piss poor security in enterprise hardware from manufacturers like Cisco etc? At least I can download another chat client. Purging US enterprise equipment from my company, home and ISP? Not so much.

        • 0xy 5 years ago

          Huawei's security doesn't come close to Cisco's security practices. Mostly because the vast majority of their hardware and software was sourced from stolen IP (Huawei had cash bounties for employees to provide stolen IP to the company). If you sell stolen technology, you don't truly understand how it works or how to secure it.

          Given the choice, I'd choose Cisco every day of the week. It's not perfect but then again there's no such thing as perfect security.

          With an E2E messenger, you can be sure that most likely your communications are not being intercepted. With a Chinese company, your communications are never secure.

          Not only are Chinese software products not secure, but they'll lie to you about their security. Zoom claimed to have E2E encryption on calls which turned out to be an egregious fabrication (on top of them exporting calls to Chinese servers).

  • matkoniecz 5 years ago

    I am using Xiaomi phone for roughly the same reasons as I am using Gmail.

    I dislike the results of either; replacement of both is on my oversized TODO list - and has been there for at least two years.

    I dislike that the USA government, the China government and God knows who else has a full (partial?) copy of whatever I ever typed on my phone, but I did nothing beyond selecting Android Zero, declining "send all what I typed to Google" and declining cloud sync.

    (I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited)

    • nicbou 5 years ago

      I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.

      Anyway, you're right. In practice, protecting your privacy is a massive hassle. I just do it step by step, knowing that even half-assing it is better than nothing.

      • matkoniecz 5 years ago

        I really hope that privacy situation will start getting better - or at least not getting worse.

        For email I basically gave up (for now) as it will likely leak on other side anyway.

        But I aggressively avoid cloud sync, and my files on cloud are either public or locally encrypted before uploading. Well, at least it protects against non-targeted attacks.

        > I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.

        :)

        Just in case you have an Android phone - I recommend StreetComplete, it allows limited editing with zero OSM-specific knowledge. Registering for an OSM account is the most difficult part.

        It works by asking about already mapped elements, while you are in front of them. See https://github.com/streetcomplete/StreetComplete#screenshots

        • nicbou 5 years ago

          I do contribute through OsmAnd. I mapped a few gas stations in more desolate areas. However this is a much more exciting way to contribute. Thanks for sharing!

  • f6v 5 years ago

    > why would anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China

    Because outside US it doesn't really matter whether it's Chinese or American company that has your data.

    • cle 5 years ago

      It is critically important depending on your country's relationship with either country.

      • Daho0n 5 years ago

        Yes, if you are in a country friendly with the US it is better to have Xiaomi harvest the data than Apple.

      • taotau 5 years ago

        This question is particularly pertinent in a country like Australia. Both the US and China have a strong interest in controlling our loyalty and GDP, and I for one don't want to be a subject of either regime.

      • africanboy 5 years ago

        If your country has good relationships with both of them it doesn't really matter.

        EDIT: you have to understand that the cold war is over and you can't replace the USSR with modern China; my country has good relationships with both the US and China so it doesn't really matter who's spying on you, they are "good friends" anyway...

  • onethought 5 years ago

    But in context:

    - Australia has similar laws.

    - Snowden releases showed the US don’t even ask, they just take it.

    So it’s not like there is a huge amount of difference around the world.

    • frogcoder 5 years ago

      > But in context:
      >
      > - Australia has similar laws.
      >
      > - Snowden releases showed the US don’t even ask, they just take it.
      >
      > So it’s not like there is a huge amount of difference around the world.

      I am not familiar with Australian privacy law, could you give me a rough idea what it looks like?

      The Snowden case made the US government look bad, please don't use the same reason to make the Chinese Communist Party look good or OK.

      It's kind of weird when something bad happens, everyone just points at the US and says they do that too! The CCP did something bad, somehow it's OK because the US government did something bad.

      If you are a US national living in the US, you can complain and bitch about your government all you want without worrying about your safety, hence you can talk about the Snowden case or berate the president, and things might change. Would you dare do that on Chinese soil even if you are not Chinese?

      • onethought 5 years ago

        No, I was pointing out the "Don't buy Xiaomi because you can't trust them" is logically flawed... because you can't trust any of the countries involved with the manufacture of phones.

        This isn't excusing the behaviour, it's pointing out that "privacy" is not a justification for not using Chinese goods, because American goods have evidence of exactly the same compromise.

        • strangeattractr 5 years ago

          All mobile phone manufacturers are spying on you does not automatically follow from the fact that Xiaomi browsers are spyware.

      • rstuart4133 5 years ago

        > I am not familiar with Australian privacy law, could you give me a rough idea what it looks like?

        I assume it's the Australian Assistance and Access Bill that's being referred to here. It has nothing to do with privacy. Its prime job (which isn't hidden - it's spelt out in the explanatory notes) is to circumvent encryption by accessing the data at the end points, where it isn't encrypted. It must be unencrypted at the end points because humans can't read or listen to encrypted data. https://searchsecurity.techtarget.com/definition/Australian-...

        The bill gives several government agencies the legal right to coerce any software company to "assist" them by writing a bug that is invisible to the OS. The "access" part gives them the right to coerce a software company to distribute software to any device they target (there is legal oversight on who they can target).

        To fill this out with a concrete example, they could compel Google to provide a version of the Android Google Keyboard that records all key strokes and the name of the application it is sending them to. They can then force Google to install that keyboard via their auto update mechanism. Notice that using an open source program like Signal that securely and correctly encrypts everything, and comes from a trusted source, is not a useful defence against this.

        Both of these powers are accompanied by an automatic gag mechanism, meaning if Google revealed they were asked to do either of these things someone would go to jail. The provisions in the act for reporting when and where these powers are used, so the voters could have some say, are, to put it mildly, weak.

        Although Australia is very clearly a country that operates around "the rule of law", in the end the only difference that has made is we know they are doing it, whereas China could deny they are doing it. In reality, I don't think China tries to deny the Great Firewall of China, or the invasive probes they force citizens to install to support their social credits system.

        So yeah in my view OP is quite correct. If there are differences they revolve around how widely these things are deployed, not over whether they exist. I presume my home country, Australia, deploys them a lot less, but they go to a great deal of trouble to ensure there is no way to be sure.

  • Havoc 5 years ago

    I’m running a Xiaomi air filter. Not connected to wifi.

    Even without wifi access it is vastly superior to previous choices. At similar pricing to my previous one.

    I’m quite wary of the whole monitoring scene but my next air filter purchase will be a Xiaomi again.

    Can’t really speak to their other products but on that front they have made a convert out of me despite my aversion to questionable data practices.

    Also apparently it’s home assistant compatible. So HA it and firewall it off is the plan.

    • esyir 5 years ago

      From what I recall, the Xiaomi air filter is known to underperform heavily.

      https://smartairfilters.com/en/blog/xiaomi-purifier-auto-mod...

    • skynet-9000 5 years ago

      Why does an air filter need wifi?

      • Zak 5 years ago

        Same reason a ceiling light does.

        I know, I know, you're thinking that doesn't either, but you can control it remotely through an app or website, and automate certain actions. You might want your air cleaner to start running when you leave your office, for example so that your air is dust-free when you get home.

        I've actually used a Xiaomi light remote-controlled over the internet to simulate being home while on another continent so that anyone casing the place for a burglary might be dissuaded. I disabled its internet connectivity when I was done with that.

      • Havoc 5 years ago

        I wanted to switch it off automatically at night. Doesn't seem to be necessary though so I haven't connected it.

  • HNfriend234 5 years ago

    I use a Xiaomi phone and the reason I use it is because it is significantly cheaper compared to a Samsung or Apple phone. Example: A $200 Xiaomi phone is equivalent in specs to a $600 Samsung.

    Also it is likely the Chinese are spying on me indirectly (data collection where the Chinese military can access the data if they want to), but I really have nothing significant on me that the Chinese would want to be concerned with me.

    • rglullis 5 years ago

      > significantly cheaper compared to a samsung or apple phone.

      Shouldn't that be a huge red flag? Any time someone offers something too good to be true, it never is.

      > Also it is likely the Chinese are spying on me indirectly

      Why?

      > I really have nothing significant on me that the Chinese would want to be concerned with me.

      It's not just about you, dammit. [0]

      By accepting their offer, you validate their actions. You give them bigger reach and make it easier for them to get people that might be of interest.

      [0] https://en.wikipedia.org/wiki/Nothing_to_hide_argument

      • pagutierrezn 5 years ago

        Every one of your statements is equally applicable to Chrome, right?

        • rglullis 5 years ago

          Yep. Don't use Chrome if you can avoid it. I've been using Brave for years already and I am very happy with it.

          • techrat 5 years ago

            Except Brave itself also collects telemetry and has been caught whitelisting cross-site APIs from sites like Facebook.

            https://nakedsecurity.sophos.com/2019/02/12/privacy-browser-...

            Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable. Privacy should mean privacy, even if that means losing functionality on a select few sites.

            • rglullis 5 years ago

              Oh, give me a break.

              > collects telemetry

              https://brave.com/privacy-preserving-product-analytics-p3a/

              * P3A doesn’t collect any personal information.
              * You can turn P3A off at any time in the “Privacy and Security” section of the browser preferences.
              * All the P3A code will be open source (...) you can check that your browser is only sharing the specific things we promise.

              > Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable.

              The claim was never about absolute privacy but rather as strong a default as possible while keeping the web functional. And in that department they are delivering more than any alternative - more than even Firefox out of the box. Not to mention that TFA itself states that the implementation was far from ideal.

              Anyway, the biggest question I have for those that are so quick to criticize Brave is "what else do we have with a business model that can disrupt Surveillance Capitalism?". Apple could if they wanted, but where is Safari for Windows/Linux? Any of the others? Doubtful. Even Mozilla's dependency on ad revenue from Google makes them less credible. So why shit on Brave when there are absolutely zero potential alternatives?

      • africanboy 5 years ago

        > Shouldn't that be a huge red flag? Any time someone offers something too good to be true, it never is

        Does that include the free tiers that many US companies are offering?

        For example: Google, Facebook, Twitter, YouTube

        • rglullis 5 years ago

          Yes. It also includes any free social media, any free messenger platform and any ad-based "freemium" service.

          Surveillance Capitalism is bad and we should be fighting it.

    • reaperducer 5 years ago

      I really have nothing significant on me that the Chinese would want to be concerned with me.

      So you give them your email passwords? After all, you have nothing to hide.

    • subsection1h 5 years ago

      > A $200 xiaomi phone is equivalent in specs to a $600 Samsung.

      Xiaomi phones have much higher audio latency than Samsung phones.[1] As a VoIP user, I would rather use an entry level Samsung phone (e.g., a $150 A02s) than a Xiaomi flagship.

      [1] https://superpowered.com/latency

  • duxup 5 years ago

    There's reason to be concerned about all software.

    But I agree that software from significantly non free nations is extra concerning.

  • bassman9000 5 years ago

    Ignorance and cost. Chinese phones are popular in Europe, where Apple/Google/Samsung flagship phones are prohibitive, and similarly spec'ed Chinese ones are a fraction of the cost.

    And we can't forget many Euro citizens simply don't care.

  • ClumsyPilot 5 years ago

    Maybe they are spreading the risk; now I can be spied on by agencies with conflicting interests, so no one has a complete picture?

  • vitorgrs 5 years ago

    Because it has a cost benefit. Redmi Note phones here in Brazil are super popular. The only alternative for that is Samsung, but it is not exactly better. I believe Xiaomi devices are still cheaper than Samsung here.

  • dj_mc_merlin 5 years ago

    It's a choice between being spied on by the West or the East.

  • perryizgr8 5 years ago

    Because the products are literally 10x cheaper than the same thing from Apple or Samsung. The price gap is too large to ignore for most people.

  • La1n 5 years ago

    I agree with your statement, but I'd like to take it a bit further. Why run any closed-source software from (or have servers in) countries that can request your data without a fair trial (e.g. secret courts)? I feel just as uncomfortable about national security letters and the NSA/CIA as the MSS, and this from someone who is not living in China or the US.

    I do think this shows the perks of open source software and being able to self-host or use federated solutions.

    • matkoniecz 5 years ago

      > Why

      Because it is much easier. I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, and a massive amount of time on OpenStreetMap - and my time is limited.

      I have no time to learn how to run and maintain my own mail server.

    • tiagod 5 years ago

      Can you tell me which countries definitely won't force you to secretly do things you don't want to in matters of national security?

  • eznzt 5 years ago

    > I truly don't understand, from a security and privacy perspective, why anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China.

    They make cheap phones.

aroman 5 years ago

I recently bought a Xiaomi phone (Poco m3) for development. I was shocked to learn that in order to enable USB debug mode in developer settings, I needed to BOTH:

1) make a Xiaomi account with

and

2) insert a SIM card to the device (!)

Is that not insane? Other people seem to think so too: https://android.stackexchange.com/a/186052

Apparently the only alternative to this is rooting the device, which may break it.

  • ev1 5 years ago

    I've been told that the reasoning behind this is shady resellers loading unremovable system malware to the system partition (which runs as device admin++) before reselling this to you.

    Apparently this is a huge problem in China, where there seems to be quite literally no trust at all in online shopping. This actually does seem to be the case if you try buying devices from any non-Xiaomi-official AliExpress shop. They're usually $0.01-$1.00 cheaper, and are guaranteed to be packed with massive amounts of malware. None of which can be disabled or uninstalled (the buttons are greyed out).

    They use fake reviews and fake buyers, much like on Amazon in the West, to inflate their order count and ratings to be sorted above the Xiaomi official store.

    • kar5pt 5 years ago

      This is exactly what Android verified boot is meant to prevent: https://source.android.com/security/verifiedboot. Why can't Xiaomi just do that?

    • ywei3410 5 years ago

      Jesus, do you have any sources (Chinese is fine) for this? This is horribly anti-consumer and I'm surprised there's not more of a push back if it's so common.

      • ev1 5 years ago

        Try searching for the phrase "fakerom" or "fake rom" or "rottensys" together with "xiaomi".

        The resellers get paid a few dollars for the malware install. I think the most common case is people reselling to ship out to other countries, not sold in China itself.

        The AliExpress shops get shut down and receive negative feedback, but they just open another. Note that AliExpress actually shuts these down in the first place and is at the "reputable" end of things. Never ever buy devices from Gearbest, Wish, etc. - ever.

      • john2010 5 years ago

        Another reason being some eBay/resellers buy in low-cost places (like India/China), reinstall the EU ROM and sell it at a high cost. (Even now many devices in Asian markets come with a label like "Only for India SIM".)

      • Daho0n 5 years ago

        Anti-consumer? By the capitalist businesses? Of course. It's just like buying crap from Amazon. If you use it you support it.

  • grishka 5 years ago

    Xiaomi phones have unlockable bootloaders, so rooting is really trivial, but guess what? You need a Xiaomi account to unlock the bootloader too! And they make you wait several days to do it.

    And no, you can't break an Android device by rooting it. Worst case you'll have to reflash the system partition through recovery.

    • dave_sullivan 5 years ago

      Went through this recently. Had to download Xiaomi's unlock software to unlock the bootloader. Probably sent an image of my hard drive back to China in the process. And the 7 day wait period. Really is an example of a price too good to be true, because they collect your data and probably get huge government subsidies to do so. Nice phone though once you flash it.

      • grishka 5 years ago

        Yeah, I did do that too several years ago, but I ran it in a VM because I didn't have a real Windows machine anyway.

      • approxim8ion 5 years ago

        >Probably sent an image of my hard drive back to china in the process.

        Come on. Do better.

  • squarefoot 5 years ago

    I just bought the same phone as a gift for my girlfriend, and was considering getting one for me one day since it's a really nice piece of hardware for the price. Some searching around turned up this link to a community of unofficial developers attempting to clean the system of some preinstalled junk.

    https://xiaomi.eu/community/

    • circo 5 years ago

      You are probably better off wiping it and installing stock android or some popular custom ROM over trying to hack away the MIUI spyware.

      • squarefoot 5 years ago

        Is there any tested and safe way to reflash it with a custom ROM? (Suggestions?) The chance of bricking a new phone doesn't look that appealing.

        PS: Sadly, the PinePhone is permanently out of stock, otherwise I wouldn't even consider anything else.

  • qwertox 5 years ago

    I bought a Poco X3 NFC about a month ago, and also was confronted with the Xiaomi account signup request when I tried to enable USB debugging.

    For me this was enough of a reason to send the device back, but I started fiddling around and ended up being able to use USB debugging without a Xiaomi account. I don't remember how I managed to do this; I think I had to disable a specific MIUI optimization. No ADB had to be used for this. I think it was this: https://android.stackexchange.com/a/185876

    I'm also pretty sure that I did not insert a SIM card at that point, because I was still using the device-to-be-replaced on that and the following days.

    I think it's just a lot of tactics which they use in order to push you to create an account, but ultimately it's not required.

    That being said, I really despise their MIUI, all their modifications. Everything about it attempts to make you use their products, even if Google's apps are already installed.

    For me, the Android experience which the Pixel devices give you is all I want. Even Motorola's minor enhancements are something I don't want on a new phone.

  • asien 5 years ago

    > Is that not insane?

    Yes, I personally find it very shocking.

    Bought a Samsung A20 for the same purpose, no need for a SIM or any sort of dev account.

    Plugged in the USB cable and a few minutes later my NativeScript app was running.

  • monksy 5 years ago

    Same for the Mi Pad Plus 4 to root it. You have to have it tied to an account for a month.

  • gruez 5 years ago

    >2) insert a SIM card to the device (!)

    You need to insert a SIM AND use mobile data on it (i.e. turn off Wi-Fi, enable mobile data). Just inserting a dummy SIM card won't work.

  • dheera 5 years ago

    That's terrible. Is it possible to even root it without enabling debug mode though? I've always had to use "adb reboot-bootloader" to get into the bootloader because the stupid key combination doesn't seem to work on recent phones, or maybe it's just that my fingers aren't fast enough.

  • SquareWheel 5 years ago

    I ran into the exact same thing. And because I don't have a SIM card (it's an at-home "tablet"), I have no way to enable USB debugging. Pretty frustrating.

    If Lineage starts supporting this device, I'll definitely move over from MIUI.

  • nottorp 5 years ago

    Yes, I returned it and got a Samsung instead for this exact reason.

    • aroman 5 years ago

      Any model to recommend? Not sure if our use cases are the same -- I wanted to find a cheap "lower end of the market" phone to test my mobile game on. Frankly, the Poco M3 might even be too powerful for that purpose...

      • eptcyka 5 years ago

        Not a Samsung in my experience. They get slow quickly and the Bluetooth chip on mine died literally out of nowhere. After 3 months of use, no less.

        Get a Pixel or a OnePlus.

        • nottorp 5 years ago

          I have a Galaxy A21s now. It was just slightly more expensive than the Xiaomi I tried. Not sure how low end it is though.

          Mind, it's strictly a development phone. It sits on my desk plugged in, unless I debug those Android apps. No SIM card in either. My personal phone is an iPhone XS.

      • stevenhuang 5 years ago

        I recently ordered the 2020 version of the Moto G Power (XT2041-4) from Costco for personal use, upgrading from the Moto G6 Play.

        And although Lenovo is now China-owned, the Moto line is still pure Android and no bloat.

        Did a lot of research and the last gen G Power is the best spec'd budget phone around this price point that is not a Samsung and is sold in typical NA big box stores.

      • danlugo92 5 years ago

        A10 or A01 are pretty slow.

cwhiz 5 years ago

Chinese browser collects your data? Spyware.

American company collects your data? $1,400,000,000,000 valuation.

This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.

  • chomp 5 years ago

    1.) Xiaomi is worth billions of dollars, not 1.4 trillion, but way more than most companies.

    2.) People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc.

    3.) We don't commonly call billionaires who live in the Middle East, China, and other non-Western countries "oligarchs"; do you know why?

    Why are you so upset about Xiaomi getting called out?

    • cwhiz 5 years ago

      >Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.

      I'm referring to Google with that valuation.

      >We don't commonly call billionaires who live in the middle east, china, and other non-western countries "oligarchs", do you know why?

      Propaganda? An oligarch is a rich person with a lot of political influence. Sounds like an average billionaire to me.

      >People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc

      I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.

      >Why are you so upset about Xiaomi getting called out?

      Only annoyed at the obviously biased language.

      • chomp 5 years ago

        I know you were referring to Google, that is why I made the point about Google. Xiaomi is a tech company with a personal data spying program and is worth maybe 50 billion, and supposedly the "4th most valuable startup in the world," if you trust Wikipedia. My point is that the valuation is based on the profit potential that investors see, not how ethical either company actually is. And both derive a non-zero amount of that value from spying on humans.

        The Russian oligarchs are a group of people that grabbed large amounts of wealth by reaping the downfall of the Soviet Union. They are a very specific, well connected group of people outside of normal Russian billionaires. The reason specifically that they are oligarchs instead of just normal billionaires is that they are very plugged into the government and sway its operation. And I know there's some cynics out there that will be like "well that's just billionaires in general" but I encourage you to learn about the leverage this group of people have on normal government operations.

        With regards to the observation that no one refers to Google as spyware, I don't think I see this either. But I do see tons of mainstream articles raising the point that Google spies on users. The problem is that (it feels like, at least) only us tech-inclined seem to care:

        https://www.forbes.com/sites/jenniferhicks/2020/10/27/heres-...

        >The report found that 80% of Americans think at least one tech giant is listening in on their conversations: Facebook at 68%; TikTok at 53%; and Google at 45%. But only 18% said they had deleted Facebook because of privacy concerns.

        I fully agree Google is just an advertising company dressed up, and also further propose that its open source contributions and tech projects are its robes. I think there's still room to criticize other companies however, especially since privacy issues from companies like Xiaomi don't often get featured on HN.

        • ckozlowski 5 years ago

          There's a big difference between Google exploiting private data to sell you more things, and a different company exploiting private data to hand over to a police agency that arrests individuals for having the wrong political views.

          I'm not suggesting the former is without fault, and fault by one does not absolve another. But you're right in that these are two very, very different things.

      • missedthecue 5 years ago

        How much political influence do you think someone like Bezos really has? Everyone in Washington hates him. No one wants to do favors for him. They drag him in front of Congress to get a bunch of soundbites to play next election cycle.

        They win elections on shutting down his headquarters plans. They want to break up his company, raise his taxes on unrealized capital gains, they want to force him to divest his personal investments like WaPo.

        Same goes for other billionaires. You think there's a lot of love for Ken Griffin? Or the Google founders? Or Jamie Dimon? Of course not.

        Billionaires are a common bogeyman for the populists that have ruled the capitol for the last 10 years or so.

        • AlexandrB 5 years ago

          On the flip side, there were municipal governments literally giving Amazon powers over taxation and spending[1] to get them to set up their headquarters in their city. I think this is quite a bit of political power myself.

          [1] https://www.huffingtonpost.ca/entry/amazon-city-benefits-sec...

        • rchaud 5 years ago

          > Everyone in washington hates him.

          In public, sure. Behind the scenes, they're taking meetings with his lobbyists, and somehow the tax raise never happens despite politicians talking about it ad nauseam.

          Part of modern politics is running a kabuki theatre of performative populism on the campaign trail. Not much happens once they are in office, because you need quick wins ahead of the next election.

          • varjag 5 years ago

            You write this on the same day the President called for Amazon workers to unionize.

            • rchaud 5 years ago

              Which is a performative act of solidarity with warehouse workers. What happens if those in right-to-work states unionize and get sacked? Biden isn't shouldering any of the risks they are.

              Actions matter more than words. At this time, it's not even clear if Biden will go to the mat for a nationwide $15/hr minimum. That would do far more to incentivize Amazon to improve working conditions, as its $15/hr starting rates would no longer be competitive.

              • varjag 5 years ago

                This is some 5D chess rationalization. There would be no calls to unionize Amazon if the government were in Bezos' pocket.

          • john2010 5 years ago

            +1

            Also note that the Asian billionaires are learning from people like Bezos/Gates. In public they may be hate figures - but everyone orders from Amazon. Tax breaks for large companies.

            (i.e.) use think tanks to pass legislation to make everything they do legal.

        • Daho0n 5 years ago

          >the populists that have ruled the capitol for the last 10 years or so.

          So the instant someone is elected they start calling Random Joe for funding their next campaign? Of course not. Politicians talk to people who help fund them, or they are out. Having a politician's ear is power that Random Joe doesn't have. Using Bezos is disingenuous. How about Musk or Bill Gates or one of the many rich oligarch families who have the same name as former presidents? Don't pretend money has less power in US politics than in Russian politics. If anything it is worse.

      • godelski 5 years ago

        > I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.

        You seem pretty active on HN so I'm a bit skeptical that you honestly believe this. But I'll respond in good faith anyways. Here's the first result from Google (didn't even use DDG)

        - (Washington Post) Goodbye, Chrome: Google’s Web browser has become spy software[0]

        But since you're active I'm sure you know about The Social Dilemma, Snowden, etc. I've seen episodes on 60 Minutes, CNN, Fox, and pretty much everywhere that calls criticism to companies like Google and Facebook. Does China get called out more often? Yeah. Why? Because we're in a cold war with them. But still in many of these pieces I've seen them make slights at American tech companies. Things like saying that what they do is bad, but what China does is worse.

        [0] https://www.washingtonpost.com/technology/2019/06/21/google-...

      • KoftaBob 5 years ago

        "Russian Oligarch" has a more specific meaning: https://en.wikipedia.org/wiki/Russian_oligarch

    • sneak 5 years ago

      I see people calling out Google regularly, but rarely is Chrome explicitly termed "spyware", although it very much is: I had to configure G Suite managed browser settings recently and there are like 4 different backdoor ways that big G can "incidentally" process your web traffic and keystrokes: enhanced safe browsing, image alt text accessibility service, uploading your downloads to a scanning service, browser profile history sync, "make the web better" history upload opt-in, etc. etc. etc.

      We should be more consistent in our terminology.

    • varjag 5 years ago

      Re (3), explore why Russians themselves call them oligarchs in the first place.

    • stevewodil 5 years ago

      >1.) Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.

      They're referring to Alphabet's (Google) market cap, not Xiaomi's.

      • totalZero 5 years ago

        Pretty clear that GP understands this, since his next point specifically addresses Google. I think he's saying that Xiaomi is also a big company, albeit less big. Seems like a fair point.

        • pedrosorio 5 years ago

          This is a very interesting chain on how people interpret comments. To me (and you) it is obvious that GP only had one reason to mention Google (the 1.4 trillion valuation), but both the OP and the person you are responding to were convinced the GP "didn't get it". Fascinating.

        • stevewodil 5 years ago

          Actually, it's certainly not "pretty clear".

          The GP responded to each line in the original comment with a number. So, their point about Google (point #2) was seemingly unrelated to their point about Xiaomi's market cap (point #1) as they addressed different parts of the original comment.

          The GP mentioned Google perhaps not because of the market cap mentioned in point #1, but rather as a response to the original comment's mention of American companies.

          This is further evidenced by their use of point #3 to refer to the term oligarch, which was the third topic raised in the original comment.

          You can see how not clear this is based on other replies to the comment as well.

  • yumraj 5 years ago

    Chinese browser collects data for the CCP, which will use it for spying and for action against you, your family and your country.

    American company will collect data to show you ads and profit.

    Are they really the same?

    • itsoktocry 5 years ago

      >American company will collect data to show you ads and profit

      Unless you get a target on your back, in which case the American company will provide the American law enforcement agencies with whatever data they want to take action against you and your family.

      Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".

      • godelski 5 years ago

        FWIW I didn't read the gp as supporting data collection, only noting a difference between corporations gathering data and governments. I don't support data collection, but I do think the distinction is useful.

      • yumraj 5 years ago

        > Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".

        Really, that is what you got from my comment?

        In the case of the CCP it can even be who you are, as in Tibetan, Uighur and so on. Or a national of a different country that China wants to spy on, or a relative of someone that China thinks has a differing opinion from the CCP, and so on.

        It's not even on the same planet, let alone in the same ballpark.

        • zeusk 5 years ago

          Well, under the Trump administration, we were at the state where ICE was getting tips from unlawful traffic stops and deporting said immigrants/refugees.

          They're both evil, just that US is less so.

          • aww_dang 5 years ago

            Immigration violations are crimes the world over. Disliking the CCP's policies, not so much.

    • AlexandrB 5 years ago

      > American company will collect data to show you ads and profit.

      7 years later and it's like Snowden never even existed.

      https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

      • yumraj 5 years ago

        Fair enough, if we want to argue along those lines - if you're in country X, would you like to be spied on by your country's gov AND China?

        I, for one, would prefer, if I have a choice, it to be just my Gov and not a foreign Gov that I consider to be hostile.

        • wbsun 5 years ago

          > I, for one, would prefer, if I have a choice, it to be just my Gov and not a foreign Gov that I consider to be hostile.

          This seems intuitive at first sight but doesn't make sense to me: is it your Gov or a foreign Gov that can more likely bother your life?

        • Daho0n 5 years ago

          Would I rather have some data harvested by the local three letter agency and some by a random Chinese company versus all my data harvested by an American entity (most Western three letter agencies share with the US)? I would most definitely rather have them out of the reach of US spying even if it means sending it to China instead. You might consider the PRC hostile, but how much do you think it takes for your data to get US agents to come knocking on your door versus PRC agents? Sure, today it might not happen, but in your parents' youth it could have. In your children's lifetime your words today might harm them.

          The short version is that unless you live inside the PRC data harvested on you is highly unlikely to matter no matter what you do. Inside the US or US allies? Be careful.

        • yibg 5 years ago

          I would go the other way. What can China do to me unless I go there? Vs what can the US do to me since I live there, and even if I don’t live there, the US government reach is a lot wider.

    • serf 5 years ago

      American agencies routinely collect data from the internet that results in actions against people.

      One could say the motives are different, but to act as if American groups collect data purely for profit isn't true.

      >Are they really the same?

      No, but acting similarly doesn't imply identical similarity.

    • godelski 5 years ago

      I think this point is very debatable, but I do think there are at least 2 good distinctions. 1) There's a difference between a corporate entity gathering data and a government. There's a difference in the impact those entities could potentially have on your life. In the latter case there is a bit of an arms race, like Google trying to grab all your data but also not sharing it with Facebook. In the latter case a government can consolidate all the data. 2) There's a big difference between your government collecting my data and my government collecting my data. This can go both ways too, but there are a lot of factors that dictate this: are our governments friendly with one another? Do I trust my government? How much? Do I trust your government? Etc.

      They really aren't the same, and personally I'd rather not have my data collected, but I'd rather it be dispersed in a corporate arms race among parties who aren't allowed to set laws than in an aggregate that belongs to a party that has much more control over my life.

    • frashelaw 5 years ago

      Remember anything about Snowden's leaks? American companies happily share all the data they collect with local police departments and intelligence agencies, in bulk, with absolute impunity.

      If anything, you face a much greater threat from the American intelligence apparatus than one in a foreign country.

    • nuker 5 years ago

      > American company will collect data to show you ads and profit. Are they really same?

      And your kids' data. Grades, searches, web history, pics, diaries. I can totally see new private APIs for recruiters, banks, insurers - like personal assessment scores.

    • approxim8ion 5 years ago

      to show you ads and profit, filter what you see online, decide your eligibility for housing and credit, imply your guilt by association or poor classification... and so on.

      Don't try to whitewash it.

  • karaterobot 5 years ago

    I don't grant your premise that the U.S. government's level of access to Google data is the same as the Chinese government's access to Xiaomi's. I also don't grant that the two governments are equivalent threats to privacy. You would need to demonstrate both of those things for me to be on board with your argument.

    But, the point I actually want to make is that this implies that people aren't concerned with Google's use of their private data, which I think is demonstrably not true, given that they've got multiple open lawsuits against them over it.

    • Daho0n 5 years ago

      > I also don't grant that the two governments are equivalent threats to privacy

      So for someone like me, living in a 14 eyes country, are you saying it is worse for my privacy that a government on the other side of the earth, one my government doesn't really like, might have access to some of my data, compared to a country my government is sharing data with, which also has access to pretty much everything that happens online? I know for a fact that no matter what I say or do online, PRC agents will never knock down my door. US agents? That would be quite a lot easier. In less serious waters, privacy is also worse, as we know from Snowden that the US not only harvests everything it can but also shares it with US businesses. Will I ever see ads based on an algorithm trained on data from both sides? No idea, but I know which one would be worse for me by a long shot.

  • somethingwitty1 5 years ago

    I'm not sure oligarch means what you are thinking it does. Here is a wiki article which might help clarify why you'll sometimes hear the term used when describing certain Russian billionaires and why you won't generally hear the term used for billionaires from other countries: https://en.wikipedia.org/wiki/Russian_oligarch

    Note: it also isn't a derogatory term, as it appears to be implied here, it just is an identifier of how wealth was accumulated.

  • burntoutfire 5 years ago

    > This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.

    Russian billionaires came to their wealth purely through corruption - i.e. using their connections during the crucial years of transformation to a market economy to buy huge state-owned industrial companies for 0.1-1% of their real value.

  • toss1 5 years ago

    Ummm, Xaomi also has a high valuation, and Google gets called out on privacy all the time, including many times in this very discussion.

    Russian Oligarchs are called that because they are about two dozen people who looted about 95% of the country's wealth and are basically a transnational crime syndicate masquerading as a govt.

    I can't tell if you are deeply clueless, trolling, or spreading dezinformatziya. Either way, perhaps you should remember this quote from famous American author Mark Twain: "It is better to remain silent and let people think you are a fool, than to open your mouth and remove all doubt".

  • theropost 5 years ago

    But does the Chinese company fund your pension plans, pay wealth back to the government, and employ tax paying citizens in America? Where do you want asset valuations to be located - in your own nation, or another?

  • tpmx 5 years ago

    > This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.

    Seriously, this is what you're going with?

    Russian oligarchs are people who just straight out stole national assets from the Soviet Union/Russia, with the help of the current ruler. There's a relatively clear definition:

    https://en.wikipedia.org/wiki/Russian_oligarch

    • oblio 5 years ago

      I don't know why you're being downvoted, the word has a very precise meaning. As much as we can whine about Google and such, all of them solved a valid problem many people were facing, and they did it brilliantly. For a really long time Google Search really was the only game in town.

      The problem we have is with their externalities. For oligarchs, the main line of business <<is>> the problem.

  • passivate 5 years ago

    They're just labels. Good polls are hard to do, and so it is quite hard to know whether these labels hold value in mainstream thought. For e.g. Do people under oppressive/spying regimes see Google in the same light when it comes to data collection?

  • emptyparadise 5 years ago

    I find both to be disturbing and wrong. What do I win?

  • wendyshu 5 years ago

    "What about..."

  • mads 5 years ago

    Yes, I think everyone got the memo about American companies. Thanks though..

firebaze 5 years ago

I use a Huawei matebook D14 as my personal device. Its primary use is in a WiFi-network (as in 99% of the time). Since I also use MS devices in the same network I log all IPs being accessed from my network (https://www.raspberrypi.org/documentation/configuration/wire...)

I'll leave the log results of accessed IPs as an exercise to the reader. Hint: no chinese/russian IP addresses are being accessed.

I'd guess a lot more people use Huawei devices (before they were outlawed) than explicitly using a Xiaomi browser.

And a lot of people didn't forget Snowden.

Addendum: I use a MacBook Pro (32gig, i7) and a Win10 Pro work device (32gig, i7) as well. Neither contacts China or Russia. Both of them submit ~10x the unknown traffic of the Huawei device.

I don't want to paint the chinese dictatorship as "good", not at all. But I do want to remind that the US is - as experienced by an EU consumer - worse. Not now, but maybe in the future, at least according to collected data.

  • MauranKilom 5 years ago

    > Hint: no chinese/russian IP addresses are being accessed.

    As Snowden revealed, the NSA itself is way above that playing field. They (quite unsurprisingly) use IPs in the respective country, or just false-flag IPs in "enemy" countries. And the data is not actually sent as plain packets but tacked in the form of metadata onto normal, innocent packets going elsewhere. Then servers on intermediate hops exfiltrate that data. And none of it might happen if you're not actually targeted.

    That of course underlines your main point. I don't see "sends nothing to foreign IPs" as an argument though.

  • ckozlowski 5 years ago

    I suspect that your point is that "a Chinese device doesn't mean it's reporting to China." I think it's good not to make this assumption.

    That said, I also think it's incredibly naive to think that a collection system wouldn't make use of a local proxy to mask the ultimate destination of the information. It's such a trivial task to do, and provides a host of benefits to obfuscate and sow doubt as to where the data is going and will be ultimately used for.

    I'm not assuming that "it must be reporting back to China through a proxy!", but rather, the absence of certain national IPs in that list shouldn't be used to rule out scenarios either. An ideal scenario for me would be that the device didn't call back, period, or if it did, it did so to endpoints that could be authenticated and audited.

    • firebaze 5 years ago

      It's incredibly naive to assume NSA/* doesn't do the same, even if that affects your daily life as a human/business owner about as much.

      I despise the Chinese government, whether it concerns the Uighurs or the treatment of Tibetans. Still I have a hard time believing none of my data collected by Google is used by the US administration, which, as we know, is not always led by a trustworthy person. Still, if I had to choose whom to embargo, I'd definitely choose China/Russia.

      Since it's so easy to cheat traffic, there are two options: only china/russia needs to cover traffic, or ...?

      • purecoolnesss 5 years ago

        The difference between China and the US collecting data is that one is evil and one is not, but in reality that kind of data collection is unethical no matter who is doing it.

        To some of us there is not much difference.

tkinom 5 years ago

I have a 5 year old Oppo phone and decided to use it as a podcast device. A few odd things about this phone:

1) My Google and IG accounts both sent me security alerts about successful login attempts from Thailand and Vietnam. I'm 100% sure I only created the IG account from this phone, once, and have not used that password anywhere else. The IG username/password was taken from this phone and used to attempt a login from somewhere else.

2) I can't get the phone to disconnect from wifi. I put the phone in airplane mode, disable wifi, BT, etc. and manually change the wifi password to something else. It always successfully reconnects after a few days with the old password. There is logic in the phone that tries very hard to stay connected online: it remembers the old password and successfully connects with it after a few days. Only renaming the wifi AP in my router seems to have finally permanently disconnected it from the network.

3) I have let the phone back online and created a Google account that is 100% unique to this phone. Would love to know how long it takes for login attempts for that G account from Thailand/Vietnam to start showing up.

lovelyviking 5 years ago

Why don't we address the root of the problem? Who controls computer? If user of computer (with phone features) doesn't have a full control over it then this situation can and will be abused by some one who does. It seems a logical consequence of not having full control over your own computer.

Why we discuss mostly the degree of such abuse and not the core of the problem ?

Another core of the problem is dealing with communist regimes. We never learn? Communists are literally responsible for millions of deaths in the 20th century.(https://www.youtube.com/watch?v=NDTbNmUgeXk) They have a good record of disrespecting human rights. Why someone sane would expect them to respect any of his rights now?

  • tomc1985 5 years ago

    Because there is a lot more money to be made when you don't control the computer.

    We are in the middle of a data gold rush. Business types can't resist.

  • SilverRed 5 years ago

    Because it hardly makes a difference to power users, let alone average people. The Pixel phones come loaded with Google spyware, but you can flash your own rom on it to do whatever you want. But unless someone is out there developing an alternative rom without spyware that does everything you need, it may as well be locked down.

  • superkuh 5 years ago

    I couldn't agree more. Software companies have latched on to the idea that they can sell software but the users can never own the software. This naturally led to worse abuses when the software could be loaded over a network. But the core problem is the assertion of ownership and control.

monkeyingaround 5 years ago

Xiaomi phones are insane, at least BlackShark. They replace virtually all the major user level stuff of Android with extreme data collecting alternatives. They then make it so that you cannot disable many of them (via adb, custom ROMs etc.) without bricking the phone, I'm talking wallpaper or clock apps that run with full, non-modifiable privileges. They subsidize cheap hardware with a truly insane level of tracking.

They will also stop allowing custom ROMs once they've built up enough reputation, some newer models already will never have custom ROMs.

  • trasz 5 years ago

    So how is it different from a regular Android again?

    • monkeyingaround 5 years ago

      stock android apps have sensible default permissions and are modifiable, e.g. clock does not have unmodifiable access to every aspect of your phone. clearer?

    • techrat 5 years ago

      If you cannot replace the software on the Black Shark with alternatives without possibly bricking the phone, I would say that's a substantial deviation from the norm where most other devices have unlockable bootloaders and ROM support using LineageOS.

    • a_imho 5 years ago

      A run of the mill iphone is much worse in that regard.

phpisatrash 5 years ago

Really interesting. But if what the Xiaomi browser does is spyware, what is Google?

Does Google collect our navigation data? (Yes if we are using Chrome or Android and logged in)

Does Google know what videos and what kind of videos we watch? (Do you need an answer?)

Call it spyware because it is a Chinese company? Really? Nah. Google does the same or at least worse.

I'm neither defending Xiaomi nor Google. The question is: almost every application does data collection. And if you call it spyware, then every app which does data collection is spyware.

  • dangwu 5 years ago

    They're definitely both spyware at this point. Shoutout to Firefox, which makes a conscious effort to block tracking cookies and not collect data.

    • okl 5 years ago

      By the grace of their benefactor (Google)?

      • Kelamir 5 years ago

        Could you elaborate your point?

        • neltnerb 5 years ago

          Apologies for not finding citations, but as an example of... suspicious behavior... Firefox had a big campaign about blocking Facebook tracking with a big push to install an addon to reduce Facebook data collection. They did not do that with Google. That's the one that stood out to me as especially asymmetric, others may have other examples they remember.

          Don't get me wrong, Firefox is clearly the best of the options available. I use it all the time. But I'm also very aware that there is a bigger bias against Facebook (don't actually care since I don't go near it and block its javascript and cookies) than against Google. Of course, it's not obvious that this is Firefox's fault, Google is extremely good at finding probably-shouldn't-be-legal workarounds to just about any attempt to retain privacy.

          You'd think making clear you want to retain your privacy should be enough, legally, but I guess there are no consequences.

          • Daho0n 5 years ago

            Firefox puts Google in its own container just like Facebook. It also blocks third party cookies and is way better at avoiding fingerprinting than Chrome.

        • okl 5 years ago

          Google pays a lot of money to Mozilla to be the default search provider in Firefox. This creates a conflict of interest.

          https://www.zdnet.com/article/sources-mozilla-extends-its-go...

  • jzebedee 5 years ago

    Yes, they are both spyware. Call a spade a spade.

  • EvilEy3 5 years ago

    What does Google have to do with Xiaomi spyware?

    Or Google being spyware somehow makes Xiaomi spyware less shitty?

    • Decker87 5 years ago

      I think it comes down to which companies and governments are on the other end. I'm far from trusting the US government, but I trust the Chinese government even less.

      • guerrilla 5 years ago

        I'm sure you have your reasons but for me I feel like I have nothing to worry about from China living permanently outside of their jurisdiction.

    • _jal 5 years ago

      There is a natural tendency to compare and contrast. And especially in cases where people are speculating about political motives, you're going to see that.

      > Or Google being spyware somehow makes Xiaomi spyware less shitty?

      Absolutely not, but both of them doing it defangs certain types of criticism.

    • techrat 5 years ago

      >What does Google have to do with Xiaomi spyware?

      False equivalence. If people in here actually broke down the differences, they would have to admit that their "Grr, Google just as bad!" hyperbole is more than just a tad disingenuous.

  • keepper 5 years ago

    Yes, it does matter that it's outside of US laws. Just like the inverse matters too. ( an American company collecting Chinese user data should matter to Chinese users ).

    This "whataboutism" is getting tiring. What Xiaomi does here is really bad. if google does/did the same thing it would ALSO be bad.

    There is no "but they do it too!". It's bad, period.

  • nicolas_t 5 years ago

    Well yes, I also call Chrome a spyware and don't use it. That's why I use firefox. And from what I read on HN, other people say the same thing about Chrome.

  • Darmody 5 years ago

    Google doing something bad is not an excuse for others doing the same thing.

    Also Google isn't under the control of an authoritarian government who is committing genocide as we speak.

    I'm no Google fan and I dislike what big tech have become but I rather let Google have my data than the CCP.

sandworm101 5 years ago

>>The article accuses Xiaomi of exfiltrating a history of all visited websites.

Is this our definition of spyware? I see countless articles float by on HN about super cookies, spy pixels and browser fingerprinting. Those do effectively the same things, track users against their expressed wishes, but we just don't call them spyware.

  • gkbrk 5 years ago

    >We just don't call them spyware.

    Who doesn't call trackers spyware? Everyone with a slightly-above-average sense of privacy has been calling them spyware and blocking them for years.

powerapple 5 years ago

Unfortunately, Xiaomi's business model is to sell hardware with little to no profit margin and make profit as an internet company, i.e. advertising and so on. I give them the benefit of the doubt that the 90 days renewal was added and didn't work due to not being unit tested, maybe. Still, it is the same ad business as FB. I love the look of their phones, but I would pay for an iPhone for the benefit of a secure OS and better privacy.

  • dicomdan 5 years ago

    They give away low cost hardware because it's a military branch of the government whose purpose is establishing a global surveillance network. Being profitable is a nice to have but not a primary purpose as they get subsidized by the state regardless.

    • powerapple 5 years ago

      Okay. So Chinese government keeps pumping money into Huawei, Xiaomi, Tencent, Alibaba, Tiktok and many other businesses so that they can ..... make money? You have to ask an economist for how this works, I am not intelligent enough to figure it out.

Darmody 5 years ago

I'm using a firewall to block tens of IP addresses and several apps.

Why would Xiaomi tell me to download a 26MB update from their store if the one from Google Play, where I downloaded the app, is less than 15MB?

I'll be getting rid of this phone by the end of the month.

  • La1n 5 years ago

    Most Xiaomi phones are relatively easy to root/unlock and install a new rom on.

    • kuratkull 5 years ago

      I have had 3 Xiaomi phones over the years. Their proprietary bootloader-unlocker tool has always taken a good day or two of work to get the phone unlocked when I don't have adb tools /drivers installed from the get-go. Their utility gives me failures/errors/denials/"your social credit is too low" (i don't live in/near China) dozens and dozens of times before it finally decides to unlock my phone for me. I'm pretty sure my next phone won't be a Xiaomi, though it's hard to find sanely priced non-Chinese phones with good ROM coverage these days.

    • okl 5 years ago

      Yep, here's the link to the LineageOS device list with installation instructions. https://wiki.lineageos.org/devices/#xiaomi

      • nottorp 5 years ago

        But why would you have to root and reflash it? Couldn't they, you know, respect their customer instead?

        • Sebb767 5 years ago

          They're basically the only company allowing you to root a phone without losing warranty. And it's not like other manufacturers come without FB installed as a system app - yes, they're a bit worse on privacy by default, but it's not like they're the black sheep within a pile of innocents.

        • kzawisto 5 years ago

          They respect their customer by selling hardware 50% off compared to Samsung and 80% off compared to apple. Having this with custom rom is a bargain imho.

          • sodality2 5 years ago

            How do you trust the hardware? Granted, how do you trust the hardware in any phone. But the risk may be higher if the entire production chain is in the one country with privacy/surveillance abuses.

            • kzawisto 5 years ago

              Well you don't, but 1) no one can be trusted anyway. 2) one can analyze traffic after flashing to see if it is still phoning home. I won't expect it to, it's just too much hassle compared to doing it with software, just for sake of someone who flashed custom ROM. If you have real reasons to be worried about Chinese spying (like business/government work) then obviously you wouldn't buy any hardware like that anyway.

        • approxim8ion 5 years ago

          Like which other manufacturer of the size and scale of Xiaomi? Every single one of them has locked bootloaders, Samsung even bundles ads, and all of them without fail use Google Play Services and all kinds of other proprietary nonsense that can and maybe should be categorized as spyware.

        • La1n 5 years ago

          >Couldn't they, you know, respect their customer instead?

          I think the phone vendors that do that are in the vast minority.

        • okl 5 years ago

          I don't know. I agree that it's not a customer friendly policy. But if you're already stuck with a Xiaomi phone you have to either return it or bite the bullet, not much else you can do.

    • xioxox 5 years ago

      Unfortunately Google is making it much harder to run ROMs now due to the new SafetyNet bootloader checks. You'll no longer be able to use many bank apps (or even the McDonalds app!).

    • LegitShady 5 years ago

      You can never be sure what's hiding in the hardware, if you already don't trust the software.

    • Darmody 5 years ago

      Yeah, that's what I wanted to do but the power button doesn't work anymore so if I turn it off, there's no way to bring it back to life.

  • yc12340 5 years ago

    > Why would Xiaomi tell me to download a 26MB update from their store if the one from Google Play, where I downloaded the app it's less than 15MB?

    Because, unlike Google, they don't use app bundles and partial updates?

firebaze 5 years ago

Chrome is the definition of spyware, just by widely known facts. Doesn't make Xiaomi browsers better, I know.

Still 90%+ use Chrome. I know no one using a Xiaomi browser.

antonzabirko 5 years ago

Did you really need to investigate this to realize it's spyware?

This and chrome and most web browsers are spyware at this point.

  • BelenusMordred 5 years ago

    Chrome's "Software Reporter Tool" basically scans your whole computer and sends that data off to Google/NSA. It's literal spyware.

    Firefox doesn't do this.

    • throwawei369 5 years ago

      Instead Firefox uploads your geographical location to their servers every time it starts up. And before you ask, this telemetry cannot be stopped.

      And when you finally manage to do some therapeutic dissonance from the above default behaviour.

      Whenever you use the inbuilt DoH on Firefox, FF shares these stats with Cloudflare too.

utbabya 5 years ago

Quick scrolling through the comments, I wonder how many people actually RTFA?

Looking at the list of things they collect, how could it possibly be legitimate, or compared to what "western" or any other companies are doing?

- Full URL history

- Full search history: engine and terms etc

- Full download history

- Full youtube activities: search, which video, for how long

This is a full-blown home-phoning trojan horse.

wooptoo 5 years ago

What's worse is that the whole OS is actually spying on you, not just the Mi browser. Even when idle my phone is trying to send bits of data to their servers.

Xiaomi are great but for me this is the end of the line with their phones. Privacy comes at a premium nowadays and lots of us are willing to pay for it.

Those affected can block the following domains from resolving:

- data.mistat.intl.xiaomi.com

- sdkconfig.ad.intl.xiaomi.com

  • Daho0n 5 years ago

    Using pihole is effective but don't try blocking a Chromecast like this. I did and even using two piholes the network got killed by these hundreds of DNS requests per second to Google.

  • throwawei369 5 years ago

    > data.mistat.intl.xiaomi.com

    Ah. I'd recognize this spy domain anywhere since it regularly features in my pihole's top 5 blacklisted ones

  • aembleton 5 years ago

    Also tracking.intl.miui.com
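The three domains posted in this sub-thread (data.mistat.intl.xiaomi.com, sdkconfig.ad.intl.xiaomi.com, tracking.intl.miui.com) and the Pi-hole replies suggest a small worked example. The following is added here and is not code from the thread, the article or Xiaomi: a Python script that parses dnsmasq/Pi-hole-style query log lines, counts per client which of the listed names or their subdomains were looked up, and renders the dnsmasq `address=` lines that sink those names to 0.0.0.0. The sample log is constructed: the client addresses, timestamps and the look-alike name are made up. Suffix matching is label-aligned, so a look-alike such as notdata.mistat.intl.xiaomi.com is not counted as a hit.

```python
"""Triage a dnsmasq/Pi-hole query log for the telemetry domains named in
the thread and render a dnsmasq blocklist. Added example, not from the
thread, the article or Xiaomi. SAMPLE_LOG is constructed: the clients,
timestamps and the look-alike name are made up."""
import re
from collections import Counter, defaultdict

# Domains posted in the thread; matched as suffixes so subdomains count too.
TELEMETRY_SUFFIXES = (
    "data.mistat.intl.xiaomi.com",
    "sdkconfig.ad.intl.xiaomi.com",
    "tracking.intl.miui.com",
)

# dnsmasq query-log format: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[1234]: query[A] data.mistat.intl.xiaomi.com from 192.168.10.21
Mar  1 10:00:01 dnsmasq[1234]: query[A] www.example.org from 192.168.10.7
Mar  1 10:00:02 dnsmasq[1234]: query[AAAA] sdkconfig.ad.intl.xiaomi.com from 192.168.10.21
Mar  1 10:00:05 dnsmasq[1234]: query[A] tracking.intl.miui.com from 192.168.10.21
Mar  1 10:00:06 dnsmasq[1234]: query[A] api.tracking.intl.miui.com from 192.168.10.22
Mar  1 10:00:07 dnsmasq[1234]: reply www.example.org is 93.184.216.34
Mar  1 10:00:09 dnsmasq[1234]: query[A] notdata.mistat.intl.xiaomi.com from 192.168.10.7
"""


def matches_suffix(name: str, suffixes=TELEMETRY_SUFFIXES) -> bool:
    """True if name is a listed domain or a subdomain of one. The match is
    label-aligned: 'notdata.mistat.intl.xiaomi.com' does not match."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_queries(log_text: str):
    """Yield (client, name, qtype) per query line; replies etc. are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["name"].lower(), m["qtype"]


def telemetry_hits(log_text: str) -> dict:
    """{client: Counter(name -> lookups)} for names that match the list."""
    hits = defaultdict(Counter)
    for client, name, _ in parse_queries(log_text):
        if matches_suffix(name):
            hits[client][name] += 1
    return dict(hits)


def dnsmasq_blocklist(suffixes=TELEMETRY_SUFFIXES) -> str:
    """dnsmasq 'address=' lines: each name and all its subdomains resolve to
    0.0.0.0. Drop the output into /etc/dnsmasq.d/ (Pi-hole reads that dir)."""
    return "".join(f"address=/{s}/0.0.0.0\n" for s in suffixes)


if __name__ == "__main__":
    for client, names in sorted(telemetry_hits(SAMPLE_LOG).items()):
        print(client, dict(names))
    print(dnsmasq_blocklist(), end="")
```

Two caveats raised elsewhere in the thread apply to this kind of report. As MauranKilom and ckozlowski point out, an empty report is not evidence of silence: a device can use hard-coded IPs, its own DNS-over-HTTPS resolver, or a relay in a friendlier country, so the DNS view should be paired with the router's per-flow logs. And, as Daho0n's Chromecast experience shows, a device that cannot reach its servers may retry aggressively, so expect a burst of queries after you block.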

Roritharr 5 years ago

I wonder more about their routers. For their specs they are extremely price competitive. Their AX6000 features a 2,5GBE Port, 4*4 5GHZ Antennas with supposedly 4800mbit/s max throughput over all clients for 120€ with shipping to the EU. The Netgear Orbi Pro is the only AP I could find that is similarly equipped and costs a handsome 400€.

The mostly Chinese and Russian reviews on YouTube seem to show those numbers to be at least not outright lies, but people on the OpenWRT forums talk about the routers talking quite a lot back to China.

I really wish for somebody credible to do a teardown to look into these boxes.

  • nirui 5 years ago

    Well, if you're patient enough to sit through all the Chinese text, here is the teardown (with picture) you've been looking for: https://www.acwifi.net/12621.html.

    Also that router is currently on sale on JD.COM (https://item.jd.com/100017450204.html) priced at ¥599.00, about 80€ I guess.

    There are rumors that Xiaomi has somewhat subsidized their line ups with the intention to create their own ecosystem. If true, that's one of the reasons why their devices can have such a low price.

    On the other hand, ¥599 is not exactly cheap in China. Somebody can literally survive an entire month on that amount of money. A "normal" price for a "regular" router is around ¥70~¥200.

    • nicolas_t 5 years ago

      > On the other hand, ¥599 is not exactly cheap in China. Somebody can literally survive an entire month on that amount of money.

      Not in any major tier 1 or tier 2 cities. Used to be possible a long time ago but nowadays, that'd be really tough

stephc_int13 5 years ago

For anyone trying to be privacy conscious, by deleting their FB accounts, not using all the Google services etc. It should be obvious that a good rule of thumb would also be to not use software built in China.

Even if they were not built with malicious purpose, they have both excellent state-funded hackers and poor security practices in most of their consumer products.

Unfortunately, from what I've seen, I think the same can be said about software from Korea/Japan...

novaRom 5 years ago

> Xiaomi now announced that they will turn off collection of visited websites in incognito mode. That’s a step in the right direction, albeit a tiny one.

They may also collect fingerprints and other biometrics (voice, pictures) in a similar misleading way. There's a lot of wise tricks others have learned from Google. IMO only strict laws forbidding data collection from smartphones completely will change that.

phh 5 years ago

That's amongst the reason I do my AOSP GSI ( https://github.com/phhusson/treble_experimentations/releases... ; Generic System Image, an Android that works on pretty much all recent Android phones).

Xiaomi devices are usually at sweet spots price/performance-wise (not really great hardware imo, but well). With custom ROMs (including my GSIs, but other custom ROMs are fine as well), buy a phone for their hardware, not for their software. (BTW my daily driver is a Pixel 5... not running Google adwares! Only high-end-ish device that fits my hand).

However, Xiaomi devices are bricks for like a month, because before being able to install your own software, you need to be approved (connecting a smartphone on a Windows computer), and it's only once you get your smartphone that you can install your own software.

  • lostmsu 5 years ago

    My problem with GSI was last I checked (1 year ago) it still did not support storage encryption (Max 3), and SELinux was off.

    Awesome project though.

    • phh 5 years ago

      Uh, both have been forever wrong using my GSIs?

      I've never made any GSI without storage encryption, and my GSIs have always been running SELinux enforcing. Some kinds of GSIs have those kinds of issues, but it's only those that are binary ports from OEM ROMs, like ports from Xiaomi or OnePlus ROMs, but proper source-based GSIs shouldn't have those issues.

nuker 5 years ago

Replace Xiaomi with Google and article will still be valid.

aboringusername 5 years ago

Are [computers] spyware? Yes, they are (2000) should be the title.

If you use a computer, smartphone or IoT device then yes, it collects data, just as Facebook runs ads.

What's collected these days:

Your social circle,

every time you connect to the mobile network, when, which tower you connected to, tx/rx bytes, who you phoned, where the callee is located

Whether you're in a car, walking (sensors)

Whether you're sleeping...(a recent Google blog post talked about a new "sleep tracking" API).

You generate data as a human, interested parties (governments) collect that and will store it for the rest of time. I suspect there's a database of every URL visited by any human in the last 20 years.

This is not surprising and should surprise nobody.

dheera 5 years ago

In other news, Xiaomi Roborock vacuum cleaners require you to enable GPS permissions and transmit back Wi-Fi PASSWORDS and floor maps back to their server.

They've really been on a privacy invasion spree lately.

  • LegitShady 5 years ago

    ...I returned a scale to Amazon that required an app on my phone and location to be on when it's registered. For a scale. Wouldn't work without it.

    • dheera 5 years ago

      Did it require SMS confirmation too? lol

      In any case I hope you gave it a 1-star review.

kzawisto 5 years ago

Xiaomi is an awesome phone for its price tag, you just need to flash a custom ROM like LineageOS. And they don't even make this a problem, contrary to other manufacturers like Samsung.

  • ignoramous 5 years ago

    > Xiaomi is an awesome phone for its price tag, you just need to flash a custom ROM like LineageOS.

    There are likely tonnes of binaries that run outside of Android, so the OEM you choose matters too.

ComodoHacker 5 years ago

I believe Xiaomi being Chinese is kind of red herring here.

The thing about big data is you never know in advance what kind of data can turn into a gold mine for your business. So the strategy "collect as much as you can afford and get away with" is economically reasonable if not optimal. Until this changes, nothing will change. And Xiaomi is not an exception here.

unnouinceput 5 years ago

Quote: "However, you have to make sure that you have “Incognito Mode” turned on and “Enhanced Incognito Mode” turned off – that’s the only configuration where you can have your privacy."

Does the article's author really believe this or is it put there because of outside pressure? I, for one, would not believe that for a single second.

usr1106 5 years ago

I know close to nothing about Android development in general and absolute nothing about Xiaomi in particular.

When looking at the code snippets in the article I wonder about the variable names. This doesn't look like decompiled code. And I don't think their whole browser is open source. What am I missing here?

  • kartoshechka 5 years ago

    To make discoveries like that harder and to protect software from a commercial standpoint, its code is obfuscated before shipping. Modern JS frameworks do something similar to make code smaller and ship it through the network faster

    • usr1106 5 years ago

      Sure, that's what one would expect. But the code snippets in the article were surprisingly readable. That's what I didn't understand.

jmacjmac 5 years ago

Xiaomi is a widespread brand in many countries because its products are really cheap, and it looks like this trend will continue for the next years. It's very frustrating to see this. The Western world should impose standards to prevent it.

crazypython 5 years ago

A very good rule of thumb: Freedom-respecting (fully, 100% open-source) software won't screw you.

Simply knowing someone could be watching you and your source code reduces the chance of malicious code.

  • userbinator 5 years ago

    The Linux kernel is 100% open-source. Yet it's growing user-hostile features --- https://news.ycombinator.com/item?id=26285683 --- and guess what all the locked-down Android phones run...?

    Open-source doesn't mean anything for freedom if all you can do is look, because you don't have the signing keys and such to modify what you want. It just means they get to show you exactly how they put the noose on you, that's all.

    Firefox is also chock-full of "telemetry" and it's 100% open-source. That one you do get to modify, but it's still a bloody bastard to strip it all out and recompile to your liking.

    • crazypython 5 years ago

      > The Linux kernel is 100% open-source. Yet it's growing user-hostile features --- https://news.ycombinator.com/item?id=26285683 --- and guess what all the locked-down Android phones run...?

      That feature is optional, and depends on proprietary, closed-source TPM firmware. You just proved my point: it has to be 100% open-source to respect your freedom.

      > Open-source doesn't mean anything for freedom if all you can do is look, because you don't have the signing keys and such to modify what you want. It just means they get to show you exactly how they put the noose on you, that's all.

      I agree. That's why I prefer the term freedom-respecting software. Under the free software definition, that is no longer FLOSS, because users do not have the right to modify the software.

      > and guess what all the locked-down Android phones run...?

      Alas, Linux is not under GPLv3, which ensures that users have an equal right to modify their software.

      > Firefox is also chock-full of "telemetry" and it's 100% open-source. That one you do get to modify, but it's still a bloody bastard to strip it all out and recompile to your liking.

      Get a prebuilt build of LibreWolf: https://librewolf-community.gitlab.io/

      That it's fully open-source checks Mozilla's power to do abusive things. Telemetry can be disabled in Firefox settings.

      I've used both of your examples to advance my point further. 100.0% open-source = freedom-respecting and non-abusive.

0xbadcafebee 5 years ago

My old Huawei phone is still my favorite phone ever. I don't care if they spy on me. Take my data, I don't care! I just want another phone that good and that cheap.

api 5 years ago

I assume that anything is spyware unless proven innocent, especially on mobile where surveillanceware is effectively the whole purpose for the platform's existence.

asien 5 years ago

> If you use Mint Browser (and presumably Mi Browser Pro similarly), Xiaomi doesn’t merely know which websites you visit but also what you search for, which videos you watch, what you download and what sites you added to the Quick Dial page

Yet people in Europe LOVE Xiaomi. I swear I’ve seen so many of my friends with those high-end $500 phones.

Even if they are tech guys, it’s like they just don’t care; they want the most powerful phone with the most features at the cheapest price.

At this game Xiaomi and other Chinese brands have become very good.

That being said, Google has been doing the exact same thing for 30 years. Nobody ever considered banning Google from anything.

  • Daho0n 5 years ago

    I live in Europe. If I weren't a privacy nut I'd pick Xiaomi any day over Apple or Google. Now I use Android with OPNsense in front of it via VPN. Chinese phones don't log more than the other smartphones.

happppy 5 years ago

Block every company that tries to compete with US companies. First it was Huawei, now it's Xiaomi. FB and Google are both US companies and they literally track the hell out of their users to target ads, but they are doing great; they never had much issue, except Zuckerberg was in the news a few months ago. But the US didn't block them, because they are US companies and bring $$$ into the country.

de6u99er 5 years ago

That's why I will never become a billionaire. I would never do something to someone else that I don't want to be done to me.

  • throwawei369 5 years ago

    I can tell your age by this comment. I'll leave you with this quote.

    "You either die a hero, or you live long enough to see yourself become the villain"

dirtyid 5 years ago

Xiaomi makes money off services. Tracking subsidizes hardware. It's a business model. There's always the option to unlock.

systemvoltage 5 years ago

I am truly appalled at the level of discussion from people I consider intellectuals on HN. Comments here are repeatedly evaluating whether the same thing would apply to the US.

I expect more from HN. Can we please discuss the problem in isolation and especially the interesting technical bits? Ask yourself, this kind of exploitation is bad regardless of whether any country does something similar. It's anti-user in every possible interpretation.

  • La1n 5 years ago

    > Can we please discuss the problem in isolation and especially the interesting technical bits?

    Sure, but you also see this problem doesn't exist in a vacuum. Noted by you bringing up concentration camp numbers in this exact comment section. Maybe you should listen to your own advice?

    • systemvoltage 5 years ago

      I think this is a general trend in China-based discussions. The problem does exist in a vacuum. Xiaomi phones have nothing to do with Google or any US-based tech.

      I am highlighting the absurdity of comparing US ad-tech to 2 million people in concentration camps.

      • Karunamon 5 years ago

        The only difference there is what the exfiltrated data is being used for. The real problem is one level higher, that the data is being exfiltrated in the first place.

  • hungryhobo 5 years ago

    I think it provides context. If what they are doing is the status quo, then maybe we should question the status quo rather than an individual company.

zouhair 5 years ago

Oh, well. I was just about to buy a Poco M3 2 days ago. I guess I won't. A Moto G Power, I guess.

victorfonseca 5 years ago

Sorry, but... isn't it the same thing Google and Facebook have been doing since forever?

cavendish3313 5 years ago

As an app developer, I have found no serious app that does not collect user actions for optimization.

justplay 5 years ago

It is not just Xiaomi; Oppo/Vivo/Realme track everything too.

panpanna 5 years ago

Xiaomi devices are officially sold in EU. Wouldn't a GDPR violation basically kill the company??

Note that Xiaomi is a Chinese startup hub, started by former Googlers. 90% of what they sell is produced by Chinese startups.

(That being said, I would never use Xiaomi software myself. I only use their hardware with open-source third-party apps.)

cwkoss 5 years ago

How does this compare to google chrome's data collection?

  • Daho0n 5 years ago

    On its own? Worse than Google. With all the things Google has access to from elsewhere? Way better.

  • shostack 5 years ago

    What does that have to do with the subject at hand?

charcircuit 5 years ago

Spyware is based off intent. Collecting data doesn't necessarily make you spyware. You can literally call anything spyware depending on how schizo you want to be at this point.

  • unionpivo 5 years ago

    This is a bad argument nowadays.

    Even if they just collect the data now, they might sell it 5 years down the line.

    You have to consider the worst possible interpretation, even if it's not true today. Companies can be sold or taken over, or go bust and have their assets sold.

    Companies can change too. Look at Google. In the 2000s I trusted Google a lot more than I trust it now. You can bet Google still has all my data from the 2000s.

rbrbr 5 years ago

And so is Google Chrome. Basically everything Android. Just don’t use that platform if you care about your privacy. And stop pretending just because millions use it or because it is supposedly more customizable. Google is Google.

Black101 5 years ago

I think that it's the first time I see a headline with a question mark and the answer next to it...

bobthechef 5 years ago

Not surprising.

I don't see how you can expect any less of this, even in the US. American companies collect vast amounts of information that are either acquired by the state later on, acquired via some deal with the state, or some network of revolving doors is further entrenching US-style state capitalism which erases the distinction. Frankly, American corporations are effectively more powerful than the government at this point, at least in certain domains (like where freedom of speech is concerned). It'll only get worse until something gives.

And given that American greed funded the wealth and power of the CCP in the first place, given the massive investments in China, I do not expect the globalist American imperial oligarchy to change course. Why would they? They like what the CCP is doing. They share more in common with the Chinese ruling class than with most Americans.

f430 5 years ago

This surprises no one.

pid_0 5 years ago

Are all Chinese products spyware? Yes, they are.

Don't use Chinese brands for phones, software, etc.

  • gchrome 5 years ago

    Exactly! Fully agree with you pid_0.

    People, please just use Google Chrome and stop with all this Chinese spyware!

    • shostack 5 years ago

      This comments section is getting hit hard with people trying to deflect by using Google Chrome as a scapegoat.

star-trek-fleet 5 years ago

Hmm, I mean, why is Chinese capitalism so powerful? Because the government sanctioned and allowed capital's all-reaching power.

Do you believe the CCP is so capable of utilizing such tools?

If the answer is yes, then you should ask yourself whether there is any realistic chance of overpowering such a technologically advanced "government". And how much more powerful the private sector would be. Think about how much of a gap there is between Silicon Valley and the US government in technological capabilities.

This framing of pinning everything as government-sponsored activity makes it very difficult to correct such behavior effectively, because it is easily brushed off as an intentional attack on the nation.

Why not just put it as what it is?

I mean 996 in Chinese high tech industry is killing the quality of the work. That's obviously the right reasoning right?

  • LegitShady 5 years ago

    I don't think whatever point you're trying to make is very clear. There's a lot of insinuations and suggestions, but you're not actually making a point here.

anovikov 5 years ago

The whole notion of "spyware" in today's world is relative. Everything is spyware these days.

lucideer 5 years ago

Interesting to see the quite loaded (and slightly archaic in 2020?) term "spyware" used to refer to Chinese software. I haven't seen it used to describe Facebook or Google software, even alongside all of the recent news stories highlighting their apps' tracking footprint under Apple's newer iPhone App Store requirements.

ed25519FUUU 5 years ago

Our schools are dumbing down math and removing advanced classes (if you can even go to school) because of “white supremacy”, meanwhile China is investing full speed into engineering disciplines and is performing extremely effective espionage against virtually all Americans.

I don’t know if there will ever be a sino-American war, but if there ever is one it’s going to be very painful for us.
