Since I started eelo.io at the end of 2017, I have had many discussions about the privacy of Chinese smartphone firmware. Many people told me: if it’s technically possible to put some anti-privacy features into the firmware, they do it.

What would be the benefit of running eelo on such smartphones if their proprietary firmware drivers leak some personal data to corporations or to the Chinese government?

I agree that this is the limit of our project – regarding Chinese hardware of course – and that’s the reason why it would be great for eelo to eventually have its own brand of smartphones: this would mean we could access low-level driver code and make sure it’s Privacy-compliant.

Today I’m feeling better on this topic: the news has circulated that Xiaomi, one of the new big smartphone makers, has updated their Privacy Policy terms.

This will take effect on May 25th, and before you read them, please sit down!

Quick excerpts:

“We may collect the following types of information (which may or may not be personal information):

(…)all personal information you provide to us, like your name, mobile phone number, email address, delivery address, ID card, driver license, passport details, Mi Account details (e.g. your security related information, name, birthday, gender), order, invoicing details, materials or data you may sync through Mi Cloud or other apps (e.g. photos, contact lists)(…)

Financial information: information related to completing purchases. For example, bank account number, account holder name, credit card number etc.(…)

Social information: information related to your social activities. For example, current employer, current job title, education background, professional training background etc.(…)

Location information…(…)”

What does it mean? In short: they collect almost everything, any piece of your personal data.

Why am I feeling better for eelo about this topic? They obviously think that massively sucking up and processing personal data is a normal situation, which is consistent with recent announcements that the Chinese government was putting in place a general social scoring system for Chinese people.

But why would they add data-leaking features to their low-level firmware? It’s totally useless and costly when it’s already present at operating-system level, and this is going to be everywhere in the Xiaomi MIUI system, in our case. So why would they care about the 0.00001% of users who will replace MIUI with another ROM?

We probably need to confirm this by auditing the network activity of those mobile phones, but as eelo is going to replace the full OS when people flash their device, we will remove all the “features” that damage our Privacy, and it’s likely we’ll get “clean” smartphones.

–Gaël