[HN Gopher] Are Xiaomi browsers spyware? Yes, they are (2020)
___________________________________________________________________
Author : autoditype
Score : 480 points
Date : 2021-03-01 18:59 UTC (4 hours ago)
(HTM) web link (palant.info)
(TXT) w3m dump (palant.info)
| danpalmer wrote:
| This paragraph stood out to me:
|
| > The intention here seems to be that aigt is the timestamp when
| the ID was generated. So if that timestamp deviates from current
| time by more than 7776000000 milliseconds (90 days) a new ID is
| going to be generated. However, this implementation is buggy, it
| will update aigt on every call rather than only when a new ID is
| generated. So the only scenario where a new ID will be generated
| is: this method wasn't called for 90 days, meaning that the
| browser wasn't started for 90 days. And that's rather unlikely,
| so one has to consider this ID permanent.
|
| If we assume that Xiaomi aren't literally trying to spy for a
| government and are in fact just poorly calibrated on what's
| legitimate to collect for product analytics purposes, this
| paragraph highlights why that's still incredibly dangerous
| despite "good intentions".
|
| I remember the UK government investigation into Huawei concluding
| that not only was their security posture insufficient for
| critical infrastructure, but their engineering practices were
| likely a decade away from being at a point where they could start
| to claim good security practice.
|
| This paragraph seems to suggest a similar problem at Xiaomi. This
| should have been caught at a security review stage during design,
| it should have been caught at the code review stage, it should
| have been caught by automated tests, it should have been caught
| by QA, it should have been caught once live by data tests, it
| should have been seen once live by analysts, it should have been
| fixed at so many different points. The fact it wasn't suggests
| that these stages either don't exist or are insufficient.
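The aigt bug quoted above, as an added example that is not from the article and not Xiaomi's code: a minimal Python model of the described logic beside the variant that only stamps the timestamp when a fresh ID is generated. The 7776000000 ms window and the unconditional timestamp update come from the quoted paragraph; the class names, the injectable clock, the hex-token ID format and the simulation helper are assumptions made for illustration.

```python
import secrets

NINETY_DAYS_MS = 7776000000  # 90 days in milliseconds, the constant quoted from the article
DAY_MS = 86_400_000


class BuggyIdStore:
    """Models the behaviour the article describes: aigt is refreshed on every
    call, so the 90-day window slides forward each time the browser runs and the
    ID only rotates if get_id() is not called for more than 90 days."""

    def __init__(self, now_ms):
        self.now_ms = now_ms  # injectable clock (assumption; real code would read system time)
        self.id = None
        self.aigt = 0

    def get_id(self):
        now = self.now_ms()
        if self.id is None or abs(now - self.aigt) > NINETY_DAYS_MS:
            self.id = secrets.token_hex(16)  # assumed ID format; the real one is not on the page
        self.aigt = now  # BUG: timestamp updated on every call, not only on regeneration
        return self.id


class FixedIdStore(BuggyIdStore):
    """Same check, but aigt is only stamped when a new ID is generated,
    so the ID really rotates roughly every 90 days regardless of usage."""

    def get_id(self):
        now = self.now_ms()
        if self.id is None or abs(now - self.aigt) > NINETY_DAYS_MS:
            self.id = secrets.token_hex(16)
            self.aigt = now  # only stamped together with a fresh ID
        return self.id


def distinct_ids(store_cls, call_every_days, total_days):
    """Simulate get_id() being called once every call_every_days over total_days
    (day 0 included) and return how many distinct IDs were handed out."""
    clock = {"t": 0}
    store = store_cls(lambda: clock["t"])
    seen = set()
    for day in range(0, total_days + 1, call_every_days):
        clock["t"] = day * DAY_MS
        seen.add(store.get_id())
    return len(seen)


if __name__ == "__main__":
    # A browser opened once a month for a year never rotates under the buggy logic.
    print("buggy, monthly use:", distinct_ids(BuggyIdStore, 30, 365))   # 1
    print("fixed, monthly use:", distinct_ids(FixedIdStore, 30, 365))   # 4
    # Only a gap of more than 90 days between calls triggers rotation in the buggy version.
    print("buggy, 100-day gaps:", distinct_ids(BuggyIdStore, 100, 365))  # 4
```

The simulation is the test a code reviewer or QA step could have run: with any realistic usage pattern the buggy store hands out exactly one ID for the whole year, which is what makes the identifier effectively permanent.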
| michaelcampbell wrote:
| > If we assume that Xiaomi aren't literally trying to spy for a
| government
|
| Is that even allowed by Chinese law?
| wonnage wrote:
| If you mean this in the sense that "all chinese companies are
| automatically spy agencies", then no, that's certainly not
| true. But would they have to comply with a government request
| - yeah, probably, just like any other company.
| duxup wrote:
| I believe they're required to comply if asked. In theory they
| could have not been asked...
| Craighead wrote:
| No
| ajsnigrutin wrote:
| Better question is, why are those devices allowed to be sold
| in EU/US/...
| buildbot wrote:
| I believe the implication would be they are spying for China
| in this case, and therefore as legal as they want it to be.
| michaelcampbell wrote:
| Right, I meant is it allowed by Chinese law to NOT spy for
| the government. As I understand it, to be allowed to
| operate in China as a Chinese company, you are under the
| obligation to provide any information you collect to the
| gov't upon request. Is that not the case?
| tehjoker wrote:
| You guys are familiar with the Snowden disclosures and
| how all telecom companies and very likely all major tech
| companies are spying for the US government right?
|
| At this point, this is table stakes for big tech and it's
| completely anti-democratic. China may have a very good
| domestic dragnet but clearly it's playing catch up
| compared to the foreign intelligence assets the USG (and
| five eyes) has.
| thoughtstheseus wrote:
| That is the case.
| onethought wrote:
| Australia has similar laws also.
| stjohnswarts wrote:
| Not sure why you're getting downvoted, what you stated is
| correct. https://phys.org/news/2018-12-australia-cyber-
| snooping-laws-...
| Daho0n wrote:
| So does the US. The only real difference between
| countries is not if it is different but how each has
| implemented it in law. The result is the same.
| sleepydog wrote:
| Splitting hairs here, but the wording of your question
| gives the impression that one could choose not to collect
| any data and then be free of said obligations, but I
| don't think that's the case. Does anyone know?
| africanboy wrote:
| I'm writing this from a Xiaomi smartphone.
|
| I know Xiaomi is not the best brand to buy for privacy, but I
| consider their products one of the best in terms of value for
| money
|
| I own a few Xiaomi devices, I simply install Blokada on each
| one of them and I think you would be surprised by how many non
| Chinese domains it blocks, Google being one of the worst
| offenders.
|
| EDIT:
|
| see this screenshot
|
| https://imgur.com/a/UO0BGCy
|
| EDIT 2: paradoxically knowing that Xiaomi is a Chinese company
| make buyers more aware of the privacy risks involved. It breaks
| that false sense of security associated with electronic devices
| that many people believe in.
| petra wrote:
| How do you know whether Xiaomi's spyware doesn't bypass Blokada?
| africanboy wrote:
| Honestly I don't, the same way I don't know if Google is
| bypassing them.
|
| But according to the logs on my router Blokada is working.
|
| p.s. blokada actually also blocks ads on the formula 1
| official app that are served through websockets
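One way to actually check petra's question from router-side logs, as an added example that is not from the thread, from Blokada or from Xiaomi: a DNS-level blocker never sees a connection to a hard-coded IP address, nor DNS sent over TLS on port 853, so the check below pairs the resolver's answers with outbound connections and flags destinations that were never returned by DNS. The log line format, the sample lines, the LAN prefix and the function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log (not captured from any device). Assumed line formats:
#   "<ts> dns <qname> -> <answer_ip>"             one line per A record the resolver returned
#   "<ts> conn <src_ip>:<sport> -> <dst_ip>:<dport>"  one line per outbound connection
SAMPLE_LOG = """\
1614625100 dns tracking.example.net -> 203.0.113.10
1614625101 conn 192.168.1.42:51000 -> 203.0.113.10:443
1614625102 conn 192.168.1.42:51001 -> 198.51.100.7:443
1614625103 conn 192.168.1.42:51002 -> 192.0.2.9:853
1614625104 conn 192.168.1.42:51003 -> 192.168.1.1:53
"""

DNS_RE = re.compile(r"^(\d+) dns (\S+) -> (\S+)$")
CONN_RE = re.compile(r"^(\d+) conn (\S+):(\d+) -> (\S+):(\d+)$")


def find_dns_bypass(log_text, lan_prefix="192.168.0.0/16"):
    """Return (dst_ip, reason) pairs for connections a DNS blocklist could not
    have stopped: destinations that no DNS answer in the log ever returned
    (hard-coded endpoints) and DNS-over-TLS sessions on port 853."""
    lan = ipaddress.ip_network(lan_prefix)
    resolved = {}  # answer_ip -> qname
    findings = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            resolved[m.group(3)] = m.group(2)
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        _ts, _src, _sport, dst, dport = m.groups()
        if ipaddress.ip_address(dst) in lan:
            continue  # traffic to the router or other LAN hosts is out of scope
        if dport == "853":
            findings.append((dst, "dns-over-tls"))
        elif dst not in resolved:
            findings.append((dst, "no-dns-lookup"))
    return findings


if __name__ == "__main__":
    for dst, reason in find_dns_bypass(SAMPLE_LOG):
        print(f"{dst}: {reason}")
```

Two caveats: the DNS answer and the connection that uses it can be far apart in time (cached answers), so feed the check a window that starts before the device booted; and DNS over HTTPS on port 443 is indistinguishable from ordinary HTTPS, so it only shows up here when the DoH server's address was hard-coded rather than resolved through the router.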
| Daho0n wrote:
| About your second edit: If you live anywhere on earth that
| isn't in the geographical area of China it would likely be
| better to have data going to China than the big US corps. For
| most it is unlikely the data could be used against you in
| anything from ads to a police raid, unlike with something
| like Google collecting it where it will almost for sure be
| used and useful.
| kelnos wrote:
| I hear this a lot, but it strikes me as being short
| sighted. That only works if the status quo remains so
| forever. Maybe 5 or 10 years from now, relations between
| the Chinese and US governments get cozier, and part of
| their deal includes sharing of this kind of data.
|
| Or maybe the US government knows it can't legally collect
| certain information on its own citizens, but can rely on
| China to collect it, and then purchase it from the Chinese
| government.
|
| Then there's the overall argument against: I don't want
| _any_ government collecting data about me, period. It's
| none of their damn business, regardless of the chances of
| me having to interact with them in any capacity.
| sammorrowdrums wrote:
| Genuinely, I really want to see Purism succeed and increasing
| numbers of competitors in that space, because we need tools
| that don't require so much blind trust. Whether caused by inept
| software devs, scope for malicious code / backdoors in
| firmware, analytics spyware, and whether this stuff is well
| intentioned or not, if it can be abused, it will be.
|
| Open source and verifiable down to the firmware is the only
| chance we have at any real level of trust, otherwise as is
| always apparent in these conversations, it often falls
| otherwise to who you think could compromise your device and
| making your bed with it, like USA not China or vice versa
| cosmodisk wrote:
| The problem is that purism doesn't pay as much as all the
| tracking, preinstalled bloatware, random 3rd party utilities
| and other stuff. This will never ever be solved through
| competition, because people either don't care, or there aren't
| enough of those who do. Legislation is the only way making it
| work, but then again, that's hardly an option for most of the
| world.
| africanboy wrote:
| as much as I am eager to see open source mobile OS succeed,
| tracking happens at the app level.
|
| What happens when I install the FB app on a Purism enabled
| device?
|
| My way to go until now has been installing as many OSS apps
| on my smartphone as possible, to the point that even the
| keyboard and the launcher on my smartphone are installed
| through f-droid.
|
| That's the main reason why I prefer Android phones over Apple
| ones.
| UnpossibleJim wrote:
| > This should have been caught at a security review stage during
| design, it should have been caught at the code review stage, it
| should have been caught by automated tests, it should have been
| caught by QA, it should have been caught once live by data
| tests, it should have been seen once live by analysts, it
| should have been fixed at so many different points.
|
| If the very first people (presumably the "higher ups"/more
| prestigious designers) in the design process miss such things,
| it is very hard to call them out in a societal construct that
| is the business construct that has become Xiaomi and the
| Chinese Government.
|
| It's hard enough in some companies for QA to question software
| engineers and not catch backlash in the US when making games.
| Companies like EA, Atari and Nintendo are notorious for it.
| Apple used to shitcan QA who didn't treat "the talent" nice
| enough, and they weren't a quasi governmental entity.
|
| You're right, of course. But man, that's a big frog in your
| throat to go up to your manager and say, "Sir, I'm sorry but
| this whole process has issues. Here's the fix, but it means a
| redesign of a core process." That's tough. That's double tough.
| systemvoltage wrote:
| I am truly appalled at the level of discussion from intellectuals
| as I consider on HN. Comments here are repeatedly evaluating
| whether the same thing would apply to US.
|
| I expect more from HN. Can we please discuss the problem in
| isolation and especially the interesting technical bits? Ask
| yourself, this kind of exploitation is bad regardless of whether
| any country does something similar. It's anti-user in every
| possible interpretation.
| hungryhobo wrote:
| i think it provides context, if what they are doing is status
| quo, then maybe we should question the status quo rather than
| an individual company.
| La1n wrote:
| > Can we please discuss the problem in isolation and especially
| the interesting technical bits?
|
| Sure, but you also see this problem doesn't exists in a vacuum.
| Noted by you bringing up concentration camp numbers in this
| exact comment section. Maybe you should listen to your own
| advice?
| systemvoltage wrote:
| I think this is a general trend in China based discussions.
| Problem does exist in a vacuum. Xiaomi phones have nothing
| to do with Google or any US based tech.
|
| I am highlighting the absurdity of evaluating US ad-tech to 2
| million people in concentration camps.
| Karunamon wrote:
| The only difference there is what the exfiltrated data is
| being used for. The real problem is one level higher, that
| the data is being exfiltrated in the first place.
| firebaze wrote:
| Chrome is the definition of spyware, just by widely known facts.
| Doesn't make Xiaomi browsers better, I know.
|
| Still 90%+ use Chrome. I know no one using a Xiaomi browser.
| kzawisto wrote:
| Xiaomi is an awesome phone for its price tag, you just need to
| flash a custom ROM like LineageOS. And they don't even make this a
| problem, contrary to other manufacturers like Samsung.
| ignoramous wrote:
| > _Xiaomi is awesome phone for it's price tag you just needs
| to flash custom ROM like LineageOS._
|
| There are likely tonnes of binaries that run outside of Android,
| so OEM you choose matters too.
| sandworm101 wrote:
| >>The article accuses Xiaomi of exfiltrating a history of all
| visited websites.
|
| Is this our definition of spyware? I see countless articles float
| by on HN about super cookies, spy pixels and browser
| fingerprinting. Those do effectively the same things, track users
| against their expressed wishes, but we just don't call them
| spyware.
| gkbrk wrote:
| >We just don't call them spyware.
|
| Who doesn't call trackers spyware? Everyone with a slightly-
| above-average sense of privacy has been calling them spyware
| and blocking them for years.
| bronlund wrote:
| This is stupid. Google and Android are way worse than this.
| aboringusername wrote:
| Are [computers] spyware? Yes, they are (2000) should be the
| title.
|
| If you use a computer, smartphone or IoT device then yes, it
| collects data, just as Facebook runs ads.
|
| What's collected these days:
|
| Your social circle,
|
| every time you connect to the mobile network, when, which tower
| you connected to, tx/rx bytes, who you phoned, where the callee
| is located
|
| Whether you're in a car, walking (sensors)
|
| Whether you're sleeping...(a recent Google blog post talked about a
| new "sleep tracking" API).
|
| You generate data as a human, interested parties (governments)
| collect that and will store it for the rest of time. I suspect
| there's a database of every URL visited by any human in the last
| 20 years.
|
| This is not surprising and should surprise nobody.
| t0astbread wrote:
| Do you mind providing citations?
| cwhiz wrote:
| Chinese browser collects your data? Spyware.
|
| American company collects your data? $1,400,000,000,000
| valuation.
|
| This reminds me of how we call Russian billionaires "oligarchs"
| but we just call American billionaires...billionaires.
| yumraj wrote:
| Chinese browser collects data for CCP which will use it for
| spying and for action against you, your family and your
| country.
|
| American company will collect data to show you ads and profit.
|
| Are they really same?
| itsoktocry wrote:
| > _American company will collect data to show you ads and
| profit_
|
| Unless you get a target on your back, in which case the
| American company will provide the American law enforcement
| agencies with whatever data they want to take action against
| you and your family.
|
| Your assertion is just a variation of "if you're not doing
| anything wrong you shouldn't worry about spying".
| godelski wrote:
| FWIW I didn't read the gp as supporting data collection,
| only noting a difference between corporations gathering
| data and governments. I don't support data collection, but
| I do think the distinction is useful.
| yumraj wrote:
| > Your assertion is just a variation of "if you're not
| doing anything wrong you shouldn't worry about spying".
|
| Really, that is what you got from my comment.
|
| In the case of CCP it can even be _who_ you are, as in
| Tibetan, Uighur and so on.. Or, a national of a different
| country that China wants to spy on, or a relative of
| someone that China thinks has a differing opinion from CCP
| and so on..
|
| It's not even on the same planet, let alone in the same
| ballpark..
| AlexandrB wrote:
| > American company will collect data to show you ads and
| profit.
|
| 7 years later and it's like Snowden never even existed.
|
| https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
| yumraj wrote:
| Fair enough, if we want to argue along those lines - if you're
| in country X, would you like to be spied on by your
| country's gov AND China?
|
| I, for one, would prefer, if I have a choice, it to be just
| my Gov and not a foreign Gov that I consider to be
| hostile..
| wbsun wrote:
| > I, for one, would prefer, if I have a choice, it to be
| just my Gov and not a foreign Gov that I consider to be
| hostile..
|
| This seems intuitive at first sight but doesn't make
| sense to me: is it your Gov or a foreign Gov that can
| more likely bother your life?
| godelski wrote:
| I think this point is very debatable, but I do think there's
| at least 2 good distinctions. 1) there's a difference between
| a corporate entity gathering data and a government. There's a
| difference those entities _could_ potentially have on your
| life. In the latter case there is a bit of an arms race, like
| Google trying to grab all your data but also not sharing it
| with Facebook. In the latter case a government can
| consolidate all the data. 2) There's a big difference
| between _your_ government collecting my data and _my_
| government collecting my data. This can go both ways too, but
| there's a lot of factors that dictate this: are our
| governments friendly with one another? Do I trust my
| government? How much? Do I trust your government? Etc.
|
| They really aren't the same and personally I'd rather not
| have my data collected, but I'd rather it be dispersed with a
| corporate arms race who aren't allowed to set laws than an
| aggregate that belongs to a party that has much more control
| over my life.
| serf wrote:
| American agencies routinely collect data from the internet
| that results in actions against people.
|
| One could say the motives are different, but to act as if
| American groups collect data purely for profit isn't true.
|
| >Are they really the same?
|
| No, but acting similarly doesn't imply identical similarity.
| chomp wrote:
| 1.) Xiaomi worth billions of dollars, not 1.4 trillion, but way
| more than most companies.
|
| 2.) People call out Google all. the. time. There's an article
| here weekly about dumping Google, finding alternatives, praying
| for antitrust regulation, etc.
|
| 3.) We don't commonly call billionaires who live in the middle
| east, china, and other non-western countries "oligarchs", do
| you know why?
|
| Why are you so upset about Xiaomi getting called out?
| cwhiz wrote:
| >Xiaomi worth billions of dollars, not 1.4 trillion, but way
| more than most companies.
|
| I'm referring to Google with that valuation.
|
| >We don't commonly call billionaires who live in the middle
| east, china, and other non-western countries "oligarchs", do
| you know why?
|
| Propaganda? An oligarch is a rich person with a lot of
| political influence. Sounds like an average billionaire to
| me.
|
| >People call out Google all. the. time. There's an article
| here weekly about dumping Google, finding alternatives,
| praying for antitrust regulation, etc
|
| I don't think I have ever seen a mainstream publication refer
| to Google apps and services as spyware. Which of course is
| what they are.
|
| >Why are you so upset about Xiaomi getting called out?
|
| Only annoyed at the obviously biased language.
| KoftaBob wrote:
| "Russian Oligarch" has a more specific meaning:
| https://en.wikipedia.org/wiki/Russian_oligarch
| missedthecue wrote:
| How much political influence do you think someone like
| Bezos really has? Everyone in washington hates him. No one
| wants to do favors for him. They drag him in front of
| congress to get a bunch of soundbites to play next election
| cycle.
|
| They win elections on shutting down his headquarter plans.
| They want to break up his company, raise his taxes on
| unrealized capital gains, they want to force him to divest
| his personal investments like WaPo.
|
| Same goes for other billionaires. You think there's a lot
| of love for Ken Griffin? Or the Google founders? Or Jamie
| Dimon? Of course not.
|
| Billionaires are a common bogeyman for the populists that
| have ruled the capitol for the last 10 years or so.
| Daho0n wrote:
| >the populists that have ruled the capitol for the last
| 10 years or so.
|
| So the instant someone is elected they start calling
| Random Joe for funding their next campaign? Of course
| not. Politicians talk to people who help fund them, that
| or they are out. Having a politician's ear is power that
| Random Joe doesn't have. Using Bezos is ingenious. How
| about Musk or Bill Gates or one of the many rich oligarch
| families who have the same name as former presidents?
| Don't pretend money has less power in US politics than in
| Russian politics. If anything it is worse.
| AlexandrB wrote:
| On the flip side, there were municipal governments
| literally giving Amazon powers over taxation and
| spending[1] to get them to set up their headquarters in
| their city. I think this is quite a bit of political
| power myself.
|
| [1] https://www.huffingtonpost.ca/entry/amazon-city-
| benefits-sec...
| missedthecue wrote:
| I wouldn't call someone with sway over municipal
| governments an oligarch though.
| rchaud wrote:
| > Everyone in washington hates him.
|
| In public, sure. Behind the scenes, they're taking
| meetings with his lobbyists, and somehow the tax raise
| never happens despite politicians talking about ad
| nauseam.
|
| Part of modern politics is running a kabuki theatre of
| performative populism on the campaign trail. Not much
| happens once they are in office, because you need quick
| wins ahead of the next election.
| godelski wrote:
| > I don't think I have ever seen a mainstream publication
| refer to Google apps and services as spyware. Which of
| course is what they are.
|
| You seem pretty active on HN so I'm a bit skeptical that
| you honestly believe this. But I'll respond in good faith
| anyways. Here's the first result from Google (didn't even
| use DDG)
|
| - (Washington Post) Goodbye, Chrome: Google's Web browser
| has become spy software[0]
|
| But since you're active I'm sure you know about The Social
| Dilemma, Snowden, etc. I've seen episodes on 60 Minutes,
| CNN, Fox, and pretty much everywhere that calls criticism
| to companies like Google and Facebook. Does China get
| called out more often? Yeah. Why? Because we're in a cold
| war with them. But still in many of these pieces I've seen
| them make slights at American tech companies. Things like
| saying that what they do is bad, but what China does is
| worse.
|
| [0] https://www.washingtonpost.com/technology/2019/06/21/go
| ogle-...
| chomp wrote:
| I know you were referring to Google, that is why I made the
| point about Google. Xiaomi is a tech company with a
| personal data spying program and is worth maybe 50 billion,
| and supposedly the "4th most valuable startup in the
| world," if you trust Wikipedia. My point is that the
| valuation is based on the profit potential that investors
| see, not how ethical either company actually is. And both
| derive a non-zero amount of that value from spying on
| humans.
|
| The Russian oligarchs are a group of people that grabbed
| large amounts of wealth by reaping the downfall of the
| Soviet Union. They are a very specific, well connected
| group of people outside of normal Russian billionaires. The
| reason specifically that they are oligarchs instead of just
| normal billionaires is that they are very plugged into the
| government and sway its operation. And I know there's some
| cynics out there that will be like "well that's just
| billionaires in general" but I encourage you to learn about
| the leverage this group of people have on normal government
| operations.
|
| With regards to the observation that no one refers to
| Google as spyware, I don't think I see this either. But I
| do see tons of mainstream articles raising the point that
| Google spies on users. The problem is that (it feels like,
| at least) only us tech-inclined seem to care:
|
| https://www.forbes.com/sites/jenniferhicks/2020/10/27/heres
| -...
|
| >The report found that 80% of Americans think at least one
| tech giant is listening in on their conversations: Facebook
| at 68%; TikTok at 53%; and Google at 45%. But only 18% said
| they had deleted Facebook because of privacy concerns.
|
| I fully agree Google is just an advertising company dressed
| up, and also further propose that its open source
| contributions and tech projects are its robing. I think
| there's still room to criticize other companies however,
| especially since privacy issues from companies like Xiaomi
| don't often get featured on HN.
| ckozlowski wrote:
| There's a big difference between Google exploiting
| private data to sell you more things, and a different
| company exploiting private data to hand over to a police
| agency that arrests individuals for having the wrong
| political views.
|
| I'm not suggesting the former is without fault, and fault
| by one does not absolve another. But you're right in that
| these are two very, very different things.
| chomp wrote:
| Oh, yeah definitely. I just dislike getting into those
| weeds specifically because it gets people weighing wrong
| on scales instead of actually calling out both wrongs
| individually.
| sneak wrote:
| I see people calling out Google regularly but rarely is
| Chrome explicitly termed "spyware", although it very much is:
| I had to configure G Suite managed browser settings recently
| and there are like 4 different backdoor ways that big G can
| "incidentally" process your web traffic and keystrokes:
| enhanced safe browsing, image alt text accessibility service,
| uploading your downloads to a scanning service, browser
| profile history sync, "make the web better" history upload
| opt-in, etc. etc. etc.
|
| We should be more consistent in our terminology.
| stevewodil wrote:
| >1.) Xiaomi worth billions of dollars, not 1.4 trillion, but
| way more than most companies.
|
| They're referring to Alphabet's (Google) market cap, not
| Xiaomi's.
| totalZero wrote:
| Pretty clear that GP understands this, since his next point
| specifically addresses Google. I think he's saying that
| Xiaomi is also a big company, albeit less big. Seems like a
| fair point.
| pedrosorio wrote:
| This is a very interesting chain on how people interpret
| comments. To me (and you) it is obvious that GP only had
| one reason to mention Google (the 1.4 trillion
| valuation), but both the OP and the person you are
| responding to were convinced the GP "didn't get it".
| Fascinating.
| stevewodil wrote:
| Actually, it's certainly not "pretty clear".
|
| The GP responded to each line in the original comment
| with a number. So, their point about Google (point #2)
| was seemingly unrelated to their point about Xiaomi's
| market cap (point #1) as they addressed different parts
| of the original comment.
|
| The GP mentioned Google perhaps not because of the market
| cap mentioned in point #1, but rather as a response to
| the original comment's mention of American companies.
|
| This is further evidenced by their use of point #3 to
| refer to the term oligarch, which was the third topic
| raised in the original comment.
|
| You can see how not clear this is based on other replies
| to the comment as well.
| varjag wrote:
| Re (3), explore why Russians themselves call them oligarchs
| in the first place.
| karaterobot wrote:
| I don't grant your premise that the U.S. government's level of
| access to Google data is the same as the Chinese government's
| access to Xiaomi's. I also don't grant that the two governments
| are equivalent threats to privacy. You would need to
| demonstrate both of those things for me to be on board with
| your argument.
|
| But, the point I actually want to make is that this implies
| that people aren't concerned with Google's use of their private
| data, which I think is demonstrably not true, given that
| they've got multiple open lawsuits against them over it.
| somethingwitty1 wrote:
| I'm not sure oligarch means what you are thinking it does. Here
| is a wiki article which might help clarify why you'll sometimes
| hear the term used when describing certain Russian billionaires
| and why you won't generally hear the term used for billionaires
| from other countries:
| https://en.wikipedia.org/wiki/Russian_oligarch
|
| Note: it also isn't a derogatory term, as it appears to be
| implied here, it just is an identifier of how wealth was
| accumulated.
| wendyshu wrote:
| "What about..."
| theropost wrote:
| But does the Chinese company fund your pension plans, pay
| wealth back to the government, and employ tax paying citizens
| in America? Where do you want asset valuations to be located
| - in your own nation, or another?
| passivate wrote:
| They're just labels. Good polls are hard to do, and so it is
| quite hard to know whether these labels hold value in
| mainstream thought. For e.g. Do people under oppressive/spying
| regimes see Google in the same light when it comes to data
| collection?
| tpmx wrote:
| > This reminds me of how we call Russian billionaires
| "oligarchs" but we just call American
| billionaires...billionaires.
|
| Seriously, this is what you're going with?
|
| Russian oligarchs are people who just straight out stole
| national assets from the Soviet Union/Russia, with the help of
| the current ruler. There's a relatively clear definition:
|
| https://en.wikipedia.org/wiki/Russian_oligarch
| oblio wrote:
| I don't know why you're being downvoted, the word has a very
| precise meaning. As much as we can whine about Google and
| such, all of them solved a valid problem many people were
| facing, and they did it brilliantly. For a really long time
| Google Search really was the only game in town.
|
| The problem we have is with their externalities. For
| oligarchs, the main line of business <<is>> the problem.
| burntoutfire wrote:
| > This reminds me of how we call Russian billionaires
| "oligarchs" but we just call American
| billionaires...billionaires.
|
| Russian billionaires came to their wealth purely through
| corruption - i.e. using their connections during the
| crucial years of transformation to market economy to buy huge
| state-owned industrial companies for 0.1-1% of their real
| value.
| mads wrote:
| Yes, I think everyone got the memo about American companies.
| Thanks though..
| crazypython wrote:
| A very good rule of thumb: Freedom-respecting (fully, 100% open-
| source) software won't screw you.
|
| Simply knowing someone could be watching you and your source code
| reduces the chance of malicious code.
| novaRom wrote:
| > Xiaomi now announced that they will turn off collection of
| visited websites in incognito mode. That's a step in the right
| direction, albeit a tiny one.
|
| They may also collect fingerprints and other biometrics (voice,
| pictures) in a similar misleading way. There's a lot of wise
| tricks others have learned from Google. IMO only strict laws
| forbidding data collection from smartphones completely will
| change that.
| monkeyingaround wrote:
| Xiaomi phones are insane, at least BlackShark. They replace
| virtually all the major user level stuff of Android with extreme
| data collecting alternatives. They then make it so that you
| cannot disable many of them (via adb, custom ROMs etc.) without
| bricking the phone, I'm talking wallpaper or clock apps that run
| with full, non-modifiable privileges. They subsidize cheap
| hardware with truly insane level of tracking.
|
| They will also stop allowing custom ROMs once they've built up
| enough reputation, some newer models already will never have
| custom ROMs.
| api wrote:
| I assume that anything is spyware unless proven innocent,
| especially on mobile where surveillanceware is effectively the
| whole purpose for the platform's existence.
| phpisatrash wrote:
| Really interesting. But if what the Xiaomi browser does is
| spyware, what is Google?
|
| Does Google collect our navigation data? (Yes, if we are using
| Chrome or Android and logged in)
|
| Does Google know what videos and what kind of videos we
| watch? (Do you need an answer?)
|
| Call it spyware because it's a Chinese company? Really? Nah.
| Google does the same or at least worse than it.
|
| I'm neither defending Xiaomi nor Google. The question is: almost
| every application does data collection. And if you call it
| spyware, then every app which does data collection is
| spyware.
| keepper wrote:
| Yes, it does matter that it's outside of US laws. Just like the
| inverse matters too. ( an American company collecting Chinese
| user data should matter to Chinese users ).
|
| This "whataboutism" is getting tiring. What Xiaomi does here
| _is really bad_. If Google does/did the same thing it would
| ALSO be bad.
|
| There is no "but they do it too!". It's bad, period.
| jzebedee wrote:
| Yes, they are both spyware. Call a spade a spade.
| EvilEy3 wrote:
| What does Google have to do with Xiaomi spyware?
|
| Or Google being spyware somehow makes Xiaomi spyware less
| shitty?
| Decker87 wrote:
| I think it comes down to which companies and governments are
| on the other end. I'm far from trusting the US government,
| but I trust the Chinese government even less.
| guerrilla wrote:
| I'm sure you have your reasons but for me I feel like I
| have nothing to worry about from China living permanently
| outside of their jurisdiction.
| _jal wrote:
| There is a natural tendency to compare and contrast. And
| especially in cases where people are speculating about
| political motives, you're going to see that.
|
| > Or Google being spyware somehow makes Xiaomi spyware less
| shitty?
|
| Absolutely not, but both of them doing it defangs certain
| types of criticism.
| dangwu wrote:
| They're definitely both spyware at this point. Shoutout to
| Firefox, which makes a conscious effort to block tracking
| cookies and not collect data.
| okl wrote:
| By the grace of their benefactor (Google)?
| Kelamir wrote:
| Could you elaborate your point?
| okl wrote:
| Google pays a lot of money to Mozilla to be the default
| search provider in Firefox. This creates a conflict of
| interest.
|
| https://www.zdnet.com/article/sources-mozilla-extends-its-go...
| neltnerb wrote:
| Apologies for not finding citations, but as an example
| of... suspicious behavior... Firefox had a big campaign
| about blocking Facebook tracking with a big push to
| install an addon to reduce Facebook data collection. They
| did not do that with Google. That's the one that stood
| out to me as especially asymmetric, others may have other
| examples they remember.
|
| Don't get me wrong, Firefox is clearly the best of the
| options available. I use it all the time. But I'm also
| very aware that there is a bigger bias against Facebook
| (don't actually care since I don't go near it and block
| its javascript and cookies) than against Google. Of
| course, it's not obvious that this is Firefox's fault,
| Google is extremely good at finding probably-
| shouldn't-be-legal workarounds to just about any attempt
| to retain privacy.
|
| You'd think making clear you want to retain your privacy
| should be enough, legally, but I guess there are no
| consequences.
| Darmody wrote:
| Google doing something bad is not an excuse for others doing
| the same thing.
|
| Also Google isn't under the control of an authoritarian
| government that is committing genocide as we speak.
|
| I'm no Google fan and I dislike what big tech has become, but I'd
| rather let Google have my data than the CCP.
| Darmody wrote:
| I'm using a firewall to block tens of IP addresses and several
| apps.
|
| Why would Xiaomi tell me to download a 26MB update from their
| store if the one from Google Play, where I downloaded the app,
| is less than 15MB?
|
| I'll be getting rid of this phone by the end of the month.
| La1n wrote:
| Most Xiaomi phones are relatively easy to root/unlock and
| install a new rom on.
| okl wrote:
| Yep, here's the link to the LineageOS device list with
| installation instructions.
| https://wiki.lineageos.org/devices/#xiaomi
| nottorp wrote:
| But why would you have to root and reflash it? Couldn't
| they, you know, respect their customer instead?
| Sebb767 wrote:
| They're basically the only company allowing you to root a
| phone without losing warranty. And it's not like other
| manufacturers come without FB installed as a system app -
| yes, they're a bit worse on privacy by default, but it's
| not like they're the black sheep within a pile of
| innocents.
| kzawisto wrote:
| They respect their customer by selling hardware 50% off
| compared to Samsung and 80% off compared to apple. Having
| this with custom rom is a bargain imho.
| sodality2 wrote:
| How do you trust the hardware? Granted, how do you trust
| the hardware in any phone. But the risk may be higher if
| the entire production chain is in the one country with
| privacy/surveillance abuses.
| kzawisto wrote:
| Well you don't, but 1) no one can be trusted anyway. 2)
| one can analyze traffic after flashing to see if it is
| still phoning home. I wouldn't expect it to, it's just too
| much hassle compared to doing it with software, just for
| the sake of someone who flashed a custom ROM. If you have real
| reasons to be worried about Chinese spying (like
| business/government work) then obviously you wouldn't buy
| any hardware like that anyway.
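The traffic check kzawisto mentions, as an added example that is not part of the thread and not any Xiaomi or ROM tooling: given a connection log captured from the phone after flashing (the log format, every host in it and the allowlist of expected hosts below are constructed and assumed for illustration), group contacts by destination, skip the hosts a bare ROM is expected to reach, and flag destinations contacted at a fixed cadence, which is how timer-driven telemetry looks next to user-driven browsing.

```python
"""Added example (not from the thread): flag periodic 'phone home' traffic in a
connection log captured from a freshly flashed phone.

The log format and every host below are constructed for illustration; the
.invalid TLD marks the hypothetical OEM telemetry host.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, destination host, port, bytes sent.
# Deliberately not in time order so the analysis does not rely on ordering.
SAMPLE_LOG = """\
2021-03-01T10:00:00 time.android.com 123 48
2021-03-01T10:00:05 connectivitycheck.gstatic.com 443 512
2021-03-01T10:00:07 telemetry.example-oem.invalid 443 2048
2021-03-01T10:20:00 www.wikipedia.org 443 1300
2021-03-01T10:15:07 telemetry.example-oem.invalid 443 2100
2021-03-01T10:30:07 telemetry.example-oem.invalid 443 1990
2021-03-01T10:45:07 telemetry.example-oem.invalid 443 2050
"""

# Hosts a bare ROM is expected to contact (NTP, captive-portal check).
# Assumption for this example; build the real list from a device you trust.
EXPECTED_HOSTS = {"time.android.com", "connectivitycheck.gstatic.com"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, port, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, int(port), int(nbytes)))
    return events


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of inter-arrival gaps, or None if too few events.

    A value near 0 means contacts are evenly spaced: the signature of a
    timer-driven beacon rather than a human tapping around.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def find_phone_home(text, expected=EXPECTED_HOSTS, cv_threshold=0.2):
    """Return {host: summary} for unexpected hosts contacted on a regular cadence."""
    by_host = defaultdict(list)
    for ts, host, _port, nbytes in parse_log(text):
        by_host[host].append((ts, nbytes))

    findings = {}
    for host, hits in by_host.items():
        if host in expected:
            continue
        times = sorted(t for t, _ in hits)
        cv = beacon_score(times)
        if cv is None or cv > cv_threshold:
            continue  # one-off or irregular: looks like user activity
        span = (times[-1] - times[0]).total_seconds()
        findings[host] = {
            "count": len(hits),
            "bytes_out": sum(b for _, b in hits),
            "interval_s": span / (len(times) - 1),
            "cv": cv,
        }
    return findings


if __name__ == "__main__":
    for host, info in find_phone_home(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} contacts every ~{info['interval_s']:.0f}s, "
              f"{info['bytes_out']} bytes out (cv={info['cv']:.2f})")
```

In practice the input would come from a capture on the router or hotspot the phone is attached to, not from the phone itself. The cadence test is a heuristic: a client that jitters its timer, or hides behind a shared CDN hostname that is also on your allowlist, slips past it, so read the bytes-out column alongside the interval rather than trusting either alone.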
| La1n wrote:
| >Couldn't they, you know, respect their customer instead?
|
| I think the phone vendors that do that are in the vast
| minority.
| okl wrote:
| I don't know. I agree that it's not a customer friendly
| policy. But if you're already stuck with a Xiaomi phone you
| have to either return it or bite the bullet, not much
| else you can do.
| LegitShady wrote:
| You can never be sure what's hiding in the hardware, if you
| already don't trust the software.
| xioxox wrote:
| Unfortunately Google is making it much harder to run ROMs now
| due to the new SafetyNet bootloader checks. You'll no longer
| be able to use many bank apps (or even the McDonalds
| app!).
| Darmody wrote:
| Yeah, that's what I wanted to do but the power button doesn't
| work anymore so if I turn it off, there's no way to bring it
| back to life.
| kuratkull wrote:
| I have had 3 Xiaomi phones over the years. Their proprietary
| bootloader-unlocker tool has always taken a good day or two
| of work to get the phone unlocked when I don't have adb
| tools/drivers installed from the get-go. Their utility gives me
| failures/errors/denials/"your social credit is too low" (i
| don't live in/near China) dozens and dozens of times before
| it finally decides to unlock my phone for me. I'm pretty sure
| my next phone won't be a Xiaomi, though it's hard to find
| sanely priced non-Chinese phones with good ROM coverage these
| days.
| [deleted]
| tkinom wrote:
| I have a 5-year-old Oppo phone and decided to use it as a podcast
| device. A few odd things about this phone:
|
| 1) My Google and IG accounts both sent me security alerts about
| successful login attempts from Thailand and Vietnam. I'm 100% sure
| I only created the IG account from this phone once and have not used
| that password anywhere else. The IG username/password was taken
| from this phone and used to log in from somewhere else.
|
| 2) I can't get the phone to disconnect from wifi. I put the phone
| in airplane mode, disabled wifi, BT, etc. Manually changed the wifi
| password to something else. It always successfully reconnected
| after a few days with the old password. There is logic in the
| phone that tries very hard to stay connected online. It remembers
| the old password and successfully connects with it after a few
| days. Only renaming the wifi AP in my router seems to have finally
| permanently disconnected it from the network.
|
| 3) I have let the phone back online and created a Google account
| that is 100% unique to this phone. Would love to know how long it
| would take for login attempts for that G account from
| Thailand/Vietnam to start showing up.
| phh wrote:
| That's amongst the reason I do my AOSP GSI (
| https://github.com/phhusson/treble_experimentations/releases... ;
| Generic System Image, an Android that works on pretty much all
| recent Android phones).
|
| Xiaomi devices are usually at sweet spots price/performance-wise
| (not really great hardware imo, but well). With custom ROMs
| (including my GSIs, but other custom ROMs are fine as well), buy
| a phone for their hardware, not for their software. (BTW my daily
| driver is a Pixel 5... not running Google adwares! Only high-end-
| ish device that fits my hand).
|
| However, Xiaomi devices are bricks for like a month, because
| before being able to install your own software, you need to be
| approved (connecting a smartphone to a Windows computer), and
| it's only once you get your smartphone that you can install your
| own software.
| lostmsu wrote:
| My problem with GSI was last I checked (1 year ago) it still
| did not support storage encryption (Max 3), and SELinux was
| off.
|
| Awesome project though.
| anovikov wrote:
| The whole notion of "spyware" in today's world is relative.
| Everything is a spyware these days.
| antonzabirko wrote:
| Did you really need to investigate this to realize it's spyware?
|
| This and chrome and most web browsers are spyware at this point.
| walrus01 wrote:
| I truly don't understand, from a security and privacy
| perspective, why anyone outside of China would voluntarily
| choose to run closed-source software from a company that's
| subject to domestic laws and regulations in China. The MSS is no
| joke.
|
| https://www.google.com/search?client=firefox-b-d&q=china+mss...
|
| This is the same reason that Zoom is banned at my workplace and
| many other partner companies.
|
| You've actually got two problems here. One is the commercial
| advertising/for-profit related data sharing problem described in
| the article. The second is that Xiaomi, as a company with that
| collected data resident in China on its servers, is obliged to
| provide a pipeline for a copy of their database to the MSS upon
| request.
| lucideer wrote:
| Could it be the same reason anyone outside of the US would
| voluntarily choose to run closed-source software from a company
| that's subject to domestic laws and regulations in the US? The
| ECPA is no joke.
| walrus01 wrote:
| I'm sure that a Chinese citizen would see the NSA as an equal
| or greater threat. The difference from my perspective is that
| as a citizen of a NATO country with a functioning democracy,
| I'm highly unlikely to be rounded up by my government and put
| in a prison or concentration camp for expressing my political
| opinions or religion.
|
| You only need to look at the past several years of news from
| Hong Kong and the Uyghur/Xinjiang province situation to see
| the stark real world difference in human rights, political
| freedoms and press freedoms.
| checkyoursudo wrote:
| *Insert joke: [internet <- Chinese router - US router ->
| home network]
| lucideer wrote:
| I'm not 100% sure from your comment whether you're making
| out that:
|
| (a). China is bad (yes, known)
|
| (b). The US is not quite as bad (debatable but for the sake
| of argument let's agree that this is true)
|
| (c). The US is benign
|
| My comment was only refuting the 3rd supposition. I'm not
| sure if you actually believe this is true. Though terms
| such as "country with a functioning democracy" make me
| think you might...
| walrus01 wrote:
| My point was absolutely not (c). The US has a vast and
| complex array of sociopolitical, economic disparity,
| racism, police brutality issues, some of which have been
| highlighted throughout 2020. But I definitely consider it
| to be the lesser of two evils.
| chungus_khan wrote:
| The lesser of two evils is still collecting literally as
| much data as it can on you. And helping the Saudis with
| it too:
|
| https://theintercept.com/2014/07/25/nsas-new-partner-spying-...
|
| US Intelligence has too long a history of its own largely
| consequence-free abuses too. Someone else having a
| surveillance state doesn't make the one at home any
| better.
| esclerofilo wrote:
| Someone from outside the US will probably worry more
| about its history of backing coups than the domestic
| problems you mentioned. If the US puts a Pinochet in my
| country and their algorithms say I'm likely to be a
| communist sympathizer, am I at risk?
| at-fates-hands wrote:
| > My comment was only refuting the 3rd supposition. I'm
| not sure if you actually believe this is true.
|
| The country is an imperfect union. Although the country
| attempts at every turn to work towards "A more perfect
| Union", clearly we have similar issues that other
| countries do.
|
| In a comparative analysis, OP was merely saying the US is
| head and shoulders above a country that suppresses
| freedom of speech, eliminates political dissent and the
| people who promote freedom and sends them away to actual
| concentration camps under the guise of "re-education".
| systemvoltage wrote:
| 2 million people. No less.
| stjohnswarts wrote:
| It goes the same for any of the "Eyes" countries. They share
| intelligence and tracking of citizens as well. It's not just
| the US, so don't act like it is.
| Daho0n wrote:
| Don't pretend any other country has as much surveillance
| capability as the US does. There are levels to the
| awfulness and not everyone is at final boss level. Most are
| random green scrubs comparatively.
| systemvoltage wrote:
| Responses like this are so predictable and shed no further
| light or provide no new insight.
|
| They're unproductive and flame-war prone. I downvoted your
| comment.
| eznzt wrote:
| There is nothing new about the question "why would someone
| buy cheap phones when they come with spyware". So someone
| asks a shit question and gets a shit answer.
| f6v wrote:
| Why is it unproductive? Parent makes a point that non-US
| consumers don't care whether it's a US or Chinese product.
| Both nations have access to domestic company's data.
| duxup wrote:
| There's reason to be concerned about all software.
|
| But I agree that software from significantly non free nations
| is extra concerning.
| MisterTea wrote:
| Same could be said for countries outside of the USA buying US
| tech equipment.
| 0xy wrote:
| That's not true, because US companies are allowed to export
| E2E technology in products. Chinese companies are not given
| the same leeway. All Chinese messenger clients are not
| encrypted and are fully surveilled. That is not true for US
| messenger clients.
| Daho0n wrote:
| And yet from the free to export US we keep finding
| backdoors and hardcoded admin passwords in things that are
| supposed to be way more secure than a random chat client.
| Even if all of them are actually bugs I'm not sure that is
| any better. No E2EE to share my shopping list with my
| girlfriend versus the piss poor security in enterprise
| hardware from manufacturers like Cisco etc? At least I can
| download another chat client. Purging US enterprise
| equipment from my company, home and ISP? Not so much.
| xtracto wrote:
| IIRC American companies (especially service companies, but
| surely also hardware companies) can be forced to introduce
| backdoors and other spying mechanisms and then forced
| not to disclose such a thing (i.e. Lavabit, Groklaw, Room
| 641 and equivalent Google and Facebook programs).
|
| For us that don't live in the US or China, it is just a
| matter of choosing between two evils. And being
| pragmatic, 90% of the population outside of China and
| the US does not give a damn if the US or China are spying
| on their mundane conversations.
| serial_dev wrote:
| I agree, people give US companies way too much slack... But
| then what am I supposed to do if I'm European? The US and
| China pretty much covers the mobile market (and what's not
| covered is still not European).
| Keyframe wrote:
| _The US and China pretty much covers the mobile market (and
| what's not covered is still not European)._
|
| Remember when this was the other way around? How did we
| come to this in ~two decades?
| walrus01 wrote:
| From a purely pragmatic point of view: If you're
| European...?
|
| Consider that your country is likely either already a five
| eyes member, or a "five eyes plus" member with a historical
| record going back 45+ years of intelligence/law enforcement
| data sharing between the various NATO governments'
| intelligence agencies.
|
| And take a risk calculation, based on what you're doing in
| your life, if all your metadata and traffic was in the
| hands of the NSA, what's the most likely end result that
| might affect you adversely?
|
| Are you actually at risk of being persecuted for anything
| you're doing socially, religiously, politically? For
| instance, if you're a German, is all of your data being in
| the hands of the BND going to result in anything bad
| happening to you?
| ampdepolymerase wrote:
| Considering the current target of deplatforming is the
| far-right, and given Germany's history specifically, they
| have a lot of reasons not to trust local hardware and
| software. The same goes for the Le Pen crowd in France, a
| somewhat adversarial government on the other side of the
| globe is often less risky than the status quo across the
| pond allied to the current French establishment.
| walrus01 wrote:
| I was wondering how long it would take until we got to
| the argument of "oh no, won't somebody please think of
| the unfortunate oppressed fascists! it's a good thing
| that xiaomi has phones and software for them, because
| their own local european government is against them".
|
| The paradox of tolerance and an open society is that if
| you allow actual fascism to flourish (and Le Pen is
| absolutely a fascist, in my opinion), you risk ending up
| with something much worse in the long run.
| ampdepolymerase wrote:
| That's not a very valid argument in a thread about
| information security.
| neltnerb wrote:
| From a purely pragmatic point of view, a lot of
| especially Eastern Europe and Eastern Germany are
| viscerally aware that "anything you're doing socially,
| religiously, politically" will always somehow include
| something illegal and worrying about surveillance results
| in self-censorship.
|
| I really don't think that's unreasonable, the fall of the
| Berlin Wall was within living memory. I hope that the NSA
| isn't going to do anything too, but the idea that they
| can't or won't is clearly not true. Staying under the
| radar might feel pragmatic, but I think a lot of people
| realize that's entirely inadequate with constantly
| shifting political environments.
| walrus01 wrote:
| I am not a European but I am fairly sure I would have two
| very different opinions on this, relative to my personal
| perceived level of threat from my own national
| government, if I were a citizen and resident of the
| Netherlands or, for instance, Belarus.
| vitorgrs wrote:
| Because of the cost-benefit. Redmi Note phones here in Brazil are
| super popular. The only alternative to that is Samsung, but
| it is not exactly better. I believe Xiaomi devices are still
| cheaper than Samsung here.
| La1n wrote:
| I agree with your statement, but I'd like to take it a bit
| further. Why run any closed-source software from (or have
| servers in) countries that can request your data without a fair
| trial (e.g. secret courts)? I feel just as uncomfortable about
| national security letters and the NSA/CIA as the MSS, and this is
| from someone who is not living in China or the US.
|
| I do think this shows the perks of open source software and
| being able to self-host, or of federated solutions.
| matkoniecz wrote:
| > Why
|
| Because it is much easier. I am already spending plenty of
| time on badgering local government about green spaces and
| bicycle infrastructure, massive amount of time on
| OpenStreetMap - and my time is limited.
|
| I have no time to learn how to and run and maintain my own
| mail server.
| tiagod wrote:
| Can you tell me which countries definitely won't force you to
| secretly do things you don't want to in matters of national
| security?
| La1n wrote:
| Maybe ask OP, as they did bring up MSS. I myself try to
| self-host as much as possible, and try to use open-source
| roms/software on my phone/desktop.
|
| https://github.com/awesome-selfhosted/awesome-selfhosted
| f6v wrote:
| > why would anyone outside of China would voluntarily choose to
| run closed-source software from a company that's subject to
| domestic laws and regulations in China
|
| Because outside US it doesn't really matter whether it's
| Chinese or American company that has your data.
| cle wrote:
| It is critically important depending on your country's
| relationship with either country.
| Daho0n wrote:
| Yes, if you are in a country friendly with the US it is
| better to have Xiaomi harvest the data than Apple.
| africanboy wrote:
| if your country has good relationships with both of them it
| doesn't really matter.
|
| EDIT: you have to understand that the cold war is over and
| you can't replace the USSR with modern China; my country has
| good relationships with both the US and China so it doesn't
| really matter who's spying on you, they are "good friends"
| anyway...
| taotau wrote:
| This question is particularly pertinent in a country like
| Australia. Both the US and China have a strong interest in
| controlling our loyalty and GDP, and I for one don't want to
| be a subject of either regime.
| ClumsyPilot wrote:
| Maybe they are spreading the risk; now I can be spied on by
| agencies with conflicting interests, so no one has a complete
| picture?
| onethought wrote:
| But in context:
|
| - Australia has similar laws.
|
| - Snowden releases showed the US don't even ask, they just take
| it.
|
| So it's not like there is a huge amount of difference around
| the world.
| matkoniecz wrote:
| I am using a Xiaomi phone for roughly the same reasons as I am
| using Gmail.
|
| I dislike the results of either; replacement of both is on my
| oversized TODO list - and has been there for at least two years.
|
| I dislike that the USA government, China government and God knows
| who else has a full (partial?) copy of whatever I ever typed on
| my phone, but I did nothing beyond selecting Android Zero,
| declining "send all what I typed to Google" and declining cloud
| sync.
|
| (I am already spending plenty of time on badgering local
| government about green spaces and bicycle infrastructure,
| massive amount of time on OpenStreetMap - and my time is
| limited)
| eznzt wrote:
| > I truly don't understand, from a security and privacy
| perspective, why would anyone outside of China would
| voluntarily choose to run closed-source software from a company
| that's subject to domestic laws and regulations in China.
|
| They make cheap phones.
| notsureaboutpg wrote:
| All you have to do is look at it from more than a
| security/privacy perspective.
|
| Chrome is the most used browser despite Firefox doing nearly
| everything Chrome does the same and everyone knowing that
| Firefox doesn't track you like Chrome does.
|
| It's obvious why. It's a little faster, it has more money
| behind it, it comes pre-installed (and unremovable) on most
| phones, etc.
| HNfriend234 wrote:
| I use a Xiaomi phone and the reason I use it is because it is
| significantly cheaper compared to a Samsung or Apple phone.
| Example: A $200 Xiaomi phone is equivalent in specs to a $600
| Samsung.
|
| Also it is likely the Chinese are spying on me indirectly (data
| collection where the Chinese military can access the data if
| they want to) but I really have nothing significant on me that
| the Chinese would want to be concerned with me.
| rglullis wrote:
| > significantly cheaper compared to a samsung or apple phone.
|
| Shouldn't that be a huge red flag? Any time someone offers
| something too good to be true, it never is.
|
| > Also it is likely the Chinese are spying on me indirectly
|
| Why?
|
| > I really have nothing significant on me that the Chinese
| would want to be concerned with me.
|
| It's not just about you, dammit. [0]
|
| By accepting their offer, you validate their actions. You
| give them bigger reach and make it easier for them to get
| people that _might_ be of interest. [0]
| https://en.wikipedia.org/wiki/Nothing_to_hide_argument
| pagutierrezn wrote:
| Every one of your statements is equally applicable to
| Chrome, right?
| rglullis wrote:
| Yeap. Don't use Chrome if you can avoid it. I've been using
| Brave for years already and I am very happy with it.
| africanboy wrote:
| > Shouldn't that be a huge red flag? Any time someone
| offers something too good to be true, it never is
|
| does that include the free tiers that many US companies are
| offering?
|
| For example: Google, Facebook, Twitter, YouTube
| rglullis wrote:
| Yes. It also includes any free social media, any free
| messenger platform and any ad-based "freemium" service.
|
| Surveillance Capitalism is bad and we should be fighting
| it.
| reaperducer wrote:
| _I really have nothing significant on me that the Chinese
| would want to be concerned with me._
|
| So you give them your email passwords? After all, you have
| nothing to hide.
| subsection1h wrote:
| > _A $200 xiaomi phone is equivalent in specs to a $600
| Samsung._
|
| Xiaomi phones have much higher audio latency than Samsung
| phones.[1] As a VoIP user, I would rather use an entry level
| Samsung phone (e.g., a $150 A02s) than a Xiaomi flagship.
|
| [1] https://superpowered.com/latency
| Sebb767 wrote:
| > The second is that Xiaomi, as a company with that collected
| data resident in China on its servers, is obliged to provide a
| pipeline for a copy of their database to the MSS upon request.
|
| If you're anywhere near any scene you might consider not liked
| by the current government (which surely also includes
| journalists and the likes), your domestic agencies are a far
| bigger threat than the MSS, as long as you don't choose to go
| to China - and even then, you're probably fine, unless you're
| fighting against the Chinese regime in particular.
|
| And yes, the Patriot Act and the NSA are no joke. It's not like
| subpoenas are never heard of (and the EU is, at least in parts,
| not much better).
| grishka wrote:
| Xiaomi phones are frighteningly popular here in Russia because
| they're very cheap. Like, a-phone-could-not-cost-this-little
| cheap. A 7000₽ (around $100) phone? Why not, seems legit! And
| not many people really understand what Xiaomi is actually doing
| to offset that cost. Heck, when you open the _built-in
| calculator app_ in MIUI, it has a freakin _privacy policy_ and
| refuses to operate if you don't accept that. Same for the
| gallery and the music player -- you know, all the apps that
| have no business knowing that the internet at all exists.
| walrus01 wrote:
| In large software companies that have whole GUI/human
| interface design departments, they do lots of R&D and testing
| of interfaces. Traditional things like putting people with
| new software interfaces in rooms with video cameras and one-
| way mirrors of staff watching.
|
| It would be very interesting to see a random sampling of 20
| 'non technical' users presented with such a phone, and given
| instructions simply "here is your new phone, please unbox it
| and connect it to the wifi and do things on the internet for
| three hours". Record a video of their interactions with the
| screen.
|
| In my experience the vast, overwhelming majority of people
| when presented with a software popup like "Do you accept the
| license agreement to use this calculator?" will simply click
| yes/accept/okay/proceed as quickly as possible and disregard
| what it actually _means_.
|
| I have a theory that a very small percentage of persons would
| actually balk or become suspicious of seeing something like a
| privacy policy agreement for a photo gallery or music player.
| grishka wrote:
| Now, I'm not a UX specialist, I'm merely a developer and
| these are just my own observations, but...
|
| Generally, if you interrupt the user's flow of thought (if
| that's a thing) with something unrelated, they'll do the
| easiest thing possible to rid themselves of that annoyance,
| like a modal alert you threw at them, to get back on track
| doing whatever they intended to do. That's what all those
| consent popups are about. And that's why dark patterns work
| more often than not.
|
| I roughly categorize UI/UX patterns into those that respect
| the user and those that don't. Showing a modal and making
| them decide something _right now and right there_ is very
| disrespectful and off-putting. iOS of all things does this
| for system updates, low battery, and some _urgent as hell_
| alerts about your Apple ID. What you should be doing
| instead is use something non-blocking that can be ignored,
| like a notification, an icon badge, or a clickable bar at
| the top of the screen. Anyway, I digress.
|
| And then, if you need a calculator, but the one that came
| with your phone quits unless you accept the terms of use, what
| are you gonna do, as a non-technical person? Go to Google
| Play and look for a better one? Probably not.
| names_are_hard wrote:
| Not defending Xiaomi in general, but it's worth mentioning
| that the stock calculator in MIUI (at least when I last used
| it) was much more than just a traditional calculator. It had
| all kinds of sophisticated functionality that goes beyond
| arithmetic, such as currency conversion, which obviously
| requires network access and an API that might very well be third
| party and require a privacy policy.
|
| So while I assume they're tracking users, I don't think the
| calculator having a privacy policy is as shocking as it
| initially sounds.
| grishka wrote:
| Uh. An API that provides currency exchange rates is a
| textbook case of a read-only API. Unless that privacy
| policy is the nonsensical "we receive and process your IP
| address" (of course you do, that's how the internet works,
| duh), it has no reason to have one because no data flows in
| that direction.
| judge2020 wrote:
| Trying to get legal to sign-off on allowing no-privacy-
| policy access to anything is going to be hard every time,
| especially if you do keep personal information like IP
| addresses for any amount of time (hello gdpr).
| grishka wrote:
| But how can one prove whether a third party stores
| something? Especially if it's the IP address that it must
| receive anyway.
| judge2020 wrote:
| While I don't think there would be much investigation on
| a simple currency API storing user info, most companies
| aren't in the business of increasing legal risk for the
| tradeoff of user experience.
| ptx wrote:
| The photo editor on my Sony phone keeps telling me it wants
| to send data to Sony and refuses to open when I decline. So
| the Chinese are no worse than the Americans and, apparently,
| the Japanese in this regard.
| justicezyx wrote:
| Hmm, I mean why is Chinese capitalism so powerful? Because the
| government sanctioned and allowed capital's all-reaching
| power.
|
| Do you believe the CCP is so capable of utilizing such tools?
|
| If the answer is yes, then you should ask yourself whether there is
| any realistic chance of overpowering such a technologically advanced
| "government". And how much more powerful the private sector
| would be. Think about how big the gap is between Silicon Valley and
| the US government in technological capabilities.
|
| This framing of pinning everything as government-sponsored activity
| makes it very difficult to correct such behavior effectively,
| because it is easily brushed off as an intentional attack on the
| nation.
|
| Why not just put it as what it is?
|
| I mean 996 in the Chinese high-tech industry is killing the quality
| of the work. That's obviously the right reasoning, right?
| LegitShady wrote:
| I don't think whatever point you're trying to make is very
| clear. There's a lot of insinuations and suggestions, but
| you're not actually making a point here.
| o_p wrote:
| Xiaomis are pretty good and cheap, funny that one would care
| about the browser (which is optional, as you can install any
| browser you want) while Google owns your entire OS, but China bad
| US good amrite?
| monkeyingaround wrote:
| i can't remember the last time i felt fear expressing my
| beliefs on my phone here in the USA so you tell me
| o_p wrote:
| Sure, unless you are someone whose beliefs actually matter,
| like a reporter, and the CIA hacks your car's driving assistance
| or you are found dead by suicide from two shots in the head.
| monkeyingaround wrote:
| ...and the goalposts shift
| guerrilla wrote:
| I guess that means you're pretty mainstream then. Sucks for
| Muslims, anarchists, journalists, activists, etc.
| monkeyingaround wrote:
| as a muslim i can confirm you have nothing of content
| behind your ideology
| dheera wrote:
| In other news, Xiaomi Roborock vacuum cleaners require you to
| enable GPS permissions and transmit Wi-Fi PASSWORDS and
| floor maps back to their server.
|
| They've really been on a privacy invasion spree lately.
| LegitShady wrote:
| ...I returned a scale to Amazon that required an app on my
| phone and location to be on when it's registered. For a scale.
| Wouldn't work without it.
| dheera wrote:
| Did it require SMS confirmation too? lol
|
| In any case I hope you gave it a 1-star review.
| LegitShady wrote:
| I did, but looking for truth in Amazon reviews is a work in
| futility anyway.
| samstave wrote:
| ARE YOU FN KIDDING ME:
|
| Anything from the CCP is spyware - especially when the FN namesake
| is XI Jinpooh.
| ed25519FUUU wrote:
| Our schools are dumbing down math and removing advanced classes
| (if you can even go to school) because of "white supremacy",
| meanwhile China is investing full speed into engineering
| disciplines and is performing extremely effective espionage
| against virtually all Americans.
|
| I don't know if there will ever be a Sino-American war, but if
| there ever is one it's going to be very painful for us.
| lucideer wrote:
| Interesting to see the quite loaded (and slightly archaic in
| 2020?) term "spyware" used to refer to Chinese software. I
| haven't seen it used to describe Facebook or Google software,
| even alongside all of the recent news stories highlighting their
| apps' tracking footprint by Apple's newer iPhone AppStore
| requirements.
| powerapple wrote:
| Unfortunately, Xiaomi's business model is to sell hardware with
| little to no profit margin and make a profit as an internet
| company, i.e. advertising and so on. I give them the benefit of
| the doubt that the 90-day renewal was added and didn't work due
| to not being unit tested, maybe. Still, it is the same ad business
| as FB. I love the look of their phones, but I would pay for an
| iPhone for the benefit of a secure OS and better privacy.
| dicomdan wrote:
| They give away low cost hardware because it's a military branch
| of the government whose purpose is establishing a global
| surveillance network. Being profitable is a nice to have but
| not a primary purpose as they get subsidized by the state
| regardless.
| asien wrote:
| > If you use Mint Browser (and presumably Mi Browser Pro
| similarly), Xiaomi doesn't merely know which websites you visit
| but also what you search for, which videos you watch, what you
| download and what sites you added to the Quick Dial page
|
| Yet people in Europe LOVE Xiaomi. I swear I've seen so many
| of my friends with those high-end $500 phones.
|
| Even if they are tech guys, it's like they just don't care; they
| want the most powerful phone with the most features at the
| cheapest price.
|
| At this game Xiaomi and other Chinese brands have become very
| good.
|
| That being said, Google has been doing the exact same thing for
| 30 years. Nobody ever considered banning Google from anything.
| wooptoo wrote:
| What's worse is that the whole OS is actually spying on you, not
| just the Mi browser. Even when idle my phone is trying to send
| bits of data to their servers.
|
| Xiaomi are great but for me this is the end of the line with
| their phones. Privacy comes at a premium nowadays and lots of us
| are willing to pay for it.
|
| Those affected can block the following domains from resolving:
|
| - data.mistat.intl.xiaomi.com
|
| - sdkconfig.ad.intl.xiaomi.com
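A way to check whether devices on a network are actually resolving the two domains listed above, and to turn the list into blocklist entries, as an added example that is not part of the thread. It assumes a dnsmasq-style resolver query log ("query[A] name from client"); the log lines below are constructed for the example, and the client addresses are placeholders.

```python
"""Flag DNS queries for the telemetry domains named in the comment above
and emit blocklist entries for them.

Added example, not code from the thread.  Assumes dnsmasq 'log-queries'
output; the sample lines are constructed."""
import re
from collections import Counter

# The two domains named in the comment above.
BLOCKED_DOMAINS = (
    "data.mistat.intl.xiaomi.com",
    "sdkconfig.ad.intl.xiaomi.com",
)

# Constructed sample log (assumed dnsmasq query-log format, placeholder clients).
SAMPLE_LOG = """\
Mar  1 20:01:03 dnsmasq[812]: query[A] data.mistat.intl.xiaomi.com from 192.168.1.23
Mar  1 20:01:03 dnsmasq[812]: query[AAAA] data.mistat.intl.xiaomi.com from 192.168.1.23
Mar  1 20:01:05 dnsmasq[812]: query[A] www.example.org from 192.168.1.10
Mar  1 20:02:11 dnsmasq[812]: query[A] api.sdkconfig.ad.intl.xiaomi.com from 192.168.1.23
Mar  1 20:02:11 dnsmasq[812]: query[A] notxiaomi.com from 192.168.1.10
Mar  1 20:03:40 dnsmasq[812]: query[A] data.mistat.intl.xiaomi.com.attacker.test from 192.168.1.10
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name equals a blocked domain or is a subdomain of one.

    Matching is done on whole labels, so 'notxiaomi.com' and
    'data.mistat.intl.xiaomi.com.attacker.test' are NOT matched."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)


def flag_queries(log_text, blocked=BLOCKED_DOMAINS):
    """Scan a query log; return (queries-per-client Counter, list of hits).

    Each hit is a (client, qtype, name) tuple for a query that matched."""
    per_client = Counter()
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        if is_blocked(m["name"], blocked):
            per_client[m["client"]] += 1
            hits.append((m["client"], m["qtype"], m["name"]))
    return per_client, hits


def dnsmasq_block_lines(blocked=BLOCKED_DOMAINS):
    """dnsmasq 'address=/domain/0.0.0.0' entries; these also cover subdomains."""
    return ["address=/%s/0.0.0.0" % d for d in blocked]


def hosts_block_lines(blocked=BLOCKED_DOMAINS):
    """/etc/hosts entries; note these only cover the exact names, not subdomains."""
    return ["0.0.0.0 %s" % d for d in blocked]


if __name__ == "__main__":
    per_client, hits = flag_queries(SAMPLE_LOG)
    for client, n in per_client.most_common():
        print("%s queried blocked domains %d time(s)" % (client, n))
    for hit in hits:
        print("  %s %s %s" % hit)
    print("\n".join(dnsmasq_block_lines()))
    print("\n".join(hosts_block_lines()))
```

Run against a real resolver log, the per-client counter tells you which device on the LAN is phoning home, and the two emitter functions give the equivalent sinkhole entries; the dnsmasq form is preferable because a hosts file cannot catch the subdomains that `is_blocked` deliberately matches.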
| aroman wrote:
| I recently bought a Xiaomi phone (Poco m3) for development. I was
| shocked to learn that in order to enable USB debug mode in
| developer settings, I needed to _BOTH_ :
|
| 1) make a Xiaomi account with
|
| and
|
| 2) insert a SIM card into the device (!)
|
| Is that not insane? Other people seem to think so too:
| https://android.stackexchange.com/a/186052
|
| Apparently the only alternative to this is rooting the device,
| which may break it.
| nottorp wrote:
| Yes, I returned it and got a Samsung instead for this exact
| reason.
| aroman wrote:
| Any model to recommend? Not sure if our use cases are the same
| -- I wanted to find a cheap "lower end of the market" phone
| to test my mobile game on. Frankly, the Poco M3 might even be
| too powerful for that purpose...
| danlugo92 wrote:
| A10 or A01 are pretty slow
| eptcyka wrote:
| Not a Samsung in my experience. They get slow quick and the
| Bluetooth chip on mine died literally out of nowhere. After
| 3 months of use, no less.
|
| Get a Pixel or a OnePlus.
| nottorp wrote:
| I have a Galaxy A21s now. It was just slightly more
| expensive than the Xiaomi I tried. Not sure how low end
| it is though.
|
| Mind, it's strictly a development phone. It sits on my
| desk plugged in, unless I debug those Android apps. No
| sim card in either. My personal phone is an iPhone XS.
| grishka wrote:
| Xiaomi phones have unlockable bootloaders, so rooting is really
| trivial, but guess what? You need a Xiaomi account to unlock
| the bootloader too! And they make you wait several days to do
| it.
|
| And no, you can't break an Android device by rooting it. Worst
| case you'll have to reflash the system partition through
| recovery.
| dave_sullivan wrote:
| Went through this recently. Had to download xiaomi unlock
| software to unlock the bootloader. Probably sent an image of
| my hard drive back to china in the process. And the 7 day
| wait period. Really is an example of price too good to be
| true because they collect your data and probably get huge
| government subsidies to do so. Nice phone though once you
| flash it.
| grishka wrote:
| Yeah, I did do that too several years ago, but I ran it
| on a VM because I didn't have a real Windows machine
| anyway.
| asien wrote:
| > Is that not insane?
|
| Yes, I personally find it very shocking.
|
| Bought a Samsung A20 for the same purpose, no need for a SIM or
| any sort of dev account.
|
| Plugged in the USB cable and a few minutes later my NativeScript
| app was running.
| monksy wrote:
| Same for the mi pad plus 4 to root it. You have to have it tied
| to an account for a month.
| squarefoot wrote:
| I just bought the same phone as a gift for my girlfriend, and
| was considering getting one for myself one day since it's a
| really nice piece of hardware for the price. Some searches
| around brought up this link to a community of non-official
| developers attempting to clean up the system from some
| preinstalled junk.
|
| https://xiaomi.eu/community/
| qwertox wrote:
| I bought a Poco X3 NFC about a month ago, and also was
| confronted with the Xiaomi account signup request when I tried
| to enable USB debugging.
|
| For me this was enough of a reason to send the device back, but
| I started fiddling around and ended up being able to use USB
| debugging without a Xiaomi account. I don't remember how I
| managed to do this, I think I had to disable a specific MIUI
| optimization. No ADB had to be used for this. I think it was
| this https://android.stackexchange.com/a/185876
|
| I'm also pretty sure that I did not insert a SIM card at that
| point, because I was still using the device-to-be-replaced on
| that and the following days.
|
| I think it's just a lot of tactics which they use in order to
| push you to create an account, but ultimately it's not
| required.
|
| That being said, I really despise their MIUI, all their
| modifications. Everything about it attempts to make you use
| their products, even if Google's apps are already installed.
|
| For me, the Android experience which the Pixel devices give you
| is all I want. Even Motorola's minor enhancements are
| something I don't want on a new phone.
| dheera wrote:
| That's terrible. Is it possible to even root it without
| enabling debug mode though? I've always had to use "adb reboot-
| bootloader" to get into the bootloader because the stupid key
| combination doesn't seem to work on recent phones, or maybe
| it's just that my fingers aren't fast enough.
| ev1 wrote:
| I've been told that the reasoning behind this is shady
| resellers loading unremovable system malware to the system
| partition (which runs as device admin++) before reselling this
| to you.
|
| Apparently this is a huge problem in China, where there seems
| to be quite literally no trust at all in online shopping. This
| actually does seem to be the case if you try buying devices
| from any NON-xiaomi-official store Aliexpress shop. They're
| usually $0.01-$1.00 cheaper, and are guaranteed to be packed
| with massive amounts of malware. For none of which can
| "disable" or "uninstall" be pressed (greyed out).
|
| They use fake reviews and fake buyers, much like Amazon in the
| west, to inflate their order count and ratings to be sorted
| above the Xiaomi official store.
| ywei3410 wrote:
| Jesus, do you have any sources (Chinese is fine) for this?
| This is horribly anti-consumer and I'm surprised there's not
| more of a push back if it's so common.
| ev1 wrote:
| Try searching for the phrase "fakerom" or "fake rom" or
| "rottensys" with xiaomi.
|
| The resellers get paid a few dollars for the malware
| install. I think the most common is people reselling to
| ship out to other countries, and not sold in China itself.
|
| The Aliexpress shops get shut down, negative feedback, but
| they just open another. Note that Aliexpress actually shuts
| these down in the first place and is the "reputable" end of
| things. Never ever buy devices from Gearbest, Wish, etc. -
| ever.
| Daho0n wrote:
| Anti-consumer? By the capitalist businesses? Of course.
| It's just like buying crap from Amazon. If you use it you
| support it.
| gruez wrote:
| >2) insert a SIM card to the device (!)
|
| You need to insert a SIM AND use mobile data on it (i.e. turn
| off Wi-Fi, enable mobile data). Just inserting a dummy SIM card
| won't work.
| SquareWheel wrote:
| I ran into the exact same thing. And because I don't have a SIM
| card (it's an at-home "tablet"), I have no way to enable USB
| debugging. Pretty frustrating.
|
| If Lineage starts supporting this device, I'll definitely move
| over from MIUI.
| firebaze wrote:
| I use a Huawei MateBook D14 as my personal device. Its primary
| use is in a Wi-Fi network (as in 99% of the time). Since I also
| use MS devices in the same network, I log all IPs being accessed
| from my network
| (https://www.raspberrypi.org/documentation/configuration/wire...)
|
| I'll leave the log results of accessed IPs as an exercise to the
| reader. Hint: no Chinese/Russian IP addresses are being accessed.
|
| I'd guess a lot more people use Huawei devices (before they were
| outlawed) than explicitly use a Xiaomi browser.
|
| And a lot of people didn't forget Snowden.
|
| Addendum: I use a MacBook Pro (32 GB, i7) and a Win10 Pro work
| device (32 GB, i7) as well. Neither contacts China or Russia.
| Both of them submit ~10x more unknown traffic than the Huawei
| device.
|
| I don't want to paint the Chinese dictatorship as "good", not at
| all. But I _do_ want to remind you that the US is - as experienced
| by an EU consumer - worse. Not now, but maybe in the future, at
| least according to collected data.
| ckozlowski wrote:
| I suspect that your point is that "a Chinese device doesn't
| mean it's reporting to China." I think it's good not to make
| this assumption.
|
| That said, I also think it's incredibly naive to think that a
| collection system wouldn't make use of a local proxy to mask
| the ultimate destination of the information. It's such a
| trivial task to do, and provides a host of benefits to
| obfuscate and sow doubt as to where the data is going and will
| be ultimately used for.
|
| I'm not assuming that "it must be reporting back to China
| through a proxy!", but rather, the absence of certain national
| IPs in that list shouldn't be used to rule out scenarios
| either. An ideal scenario for me would be that the device didn't
| call back, period, or if it did, it did so to endpoints that
| could be authenticated and audited.
| firebaze wrote:
| It's incredibly naive to assume the NSA/* doesn't do the same,
| even if that affects your daily life as a human/business
| owner about as much.
|
| I despise the Chinese government - may it concern Uighurs or
| the treatment of Tibetans. Still, I have a hard time believing
| none of my data collected by Google is used by the US
| administration, which, as we know, is not always led by a
| trustful person. Still, if I had to choose whom to embargo,
| I'd definitely choose China/Russia.
|
| Since it's so easy to cheat traffic, there are two options:
| only China/Russia needs to cover traffic, or ...?
| cwkoss wrote:
| How does this compare to Google Chrome's data collection?
___________________________________________________________________
(page generated 2021-03-01 23:00 UTC)