Earlier today, a report from The Sunday Standard started making the rounds in the Twitterverse, citing an Indian Air Force (IAF) circular branding Xiaomi a security threat. The circular was apparently sent by the IAF to its personnel and their family members, warning them not to use handsets and devices manufactured by the emerging tech giant. Xiaomi has responded by dismissing the concerns.

In its circular, the IAF accused Xiaomi of sending user data to remote servers located in China. The note was prepared by the intelligence unit based on inputs from the Indian Computer Emergency Response Team (CERT-In), and cites several past reports that have raised questions about Xiaomi’s handling of users’ private data.

“F-Secure, a leading security solution company, recently carried out a test of Xiaomi Redmi 1s, the company’s budget smartphone, and found that the phone was forwarding carrier name, phone number, IMEI (the device identifier) plus numbers from address book and text messages back to Beijing,” the IAF note says.

Speaking to Technology Personalized, Manu Jain, general manager and head of India operations of Xiaomi, tried to defend the company and clarify a few things.

“First of all – we are extremely cautious about protecting user data; we are 100% compliant with all local laws, including the ones related to data security.”

This is pretty similar to what Xiaomi has been saying ever since the concerns broke out earlier this year. Manu went on to say:

“We offer various internet based services such as Mi Cloud, cloud based message etc., which require data to be stored in the cloud. However, we take rigorous steps to ensure that the data is encrypted and secured while being sent to the server, and is not stored beyond the time required. In fact, we made changes to our system to ensure that Mi Cloud is by default deactivated, and does not send data to servers automatically. Only when a consumer consciously activates Mi Cloud services, the data is backed-up.”

The changes he mentions above came right after F-Secure’s report in August this year, which the IAF cites in its note. Below are the two blog posts from Hugo Barra, Xiaomi’s global face, which detail the changes made.

July 30, 2014 – https://plus.google.com/+HugoBarra/posts/9GL9h2fT8H6

August 20, 2014 – https://plus.google.com/+HugoBarra/posts/bkJTXzyXXmj



F-Secure clarified in a follow-up report that the OTA update released by Xiaomi had in fact addressed the privacy concerns, specifically the one revolving around the Mi Cloud messaging service.

We are not sure exactly when the IAF note was released, but it doesn’t include any reference to the changes the company has made since August this year.

Interestingly, Hugo Barra has just posted about Xiaomi’s decision to move its data centers and servers outside of China. Is it a mere coincidence, or was Xiaomi forced to announce this after news of the IAF note became public? Your guess is as good as mine. In his post, Hugo Barra explains:

“In early 2014, we kicked off a massive internal effort to expand our server infrastructure globally in order to better serve Mi fans everywhere… Our primary goal in moving to a multi-site server architecture was to improve the performance of our services for Mi fans around the world, cut down latency and reduce failure rates. At the same time, it also better equips us to maintain high privacy standards and comply with local data protection regulations.”

Xiaomi is planning the server and data migration process across three phases – E-commerce migration, MIUI services migration and local data centers. To achieve this, Xiaomi is looking to move the data servers to Amazon Web Services (AWS) based in California, USA. By the end of this year, MIUI services and the corresponding data of all non-Chinese users are expected to be moved from Beijing to Amazon AWS data centers in Oregon (USA) and Singapore.

This is a significant move to address the privacy concerns of users. The Indian market is pretty significant for Xiaomi, and the company just can’t carry on with security and privacy concerns hanging over its head. It is true that the company has responded fast to release fixes for most of these issues, but it hasn’t really managed to explain why such an issue was present in the first place. Currently, the company is facing a cybersecurity investigation in Taiwan for similar reasons.

Under the law in mainland China, firms storing data on Chinese soil are required to comply with any data requests from the government. By moving the data completely away from Chinese territory, Xiaomi will show that it takes such issues seriously.

Although it has kicked off its Indian operations in style, Xiaomi has a huge task at hand to shed its Chinese tag completely and be looked upon as a global company. As per Hugo Barra, in 2015, the company is planning to work with local data center providers to completely localize the server infrastructure, particularly in India and Brazil. In addition to speeding up the service for users in these markets, it can hopefully cut off the Chinese angle, at least to an extent. Mere talk about valuing users’ data security just won’t cut it. Real actions like those planned above are much needed.