China’s Xiaomi faces privacy hurdles ahead of international expansion

China’s Xiaomi has apologized for causing privacy concerns, after the fledgling smartphone maker faced scrutiny over whether it can be trusted with users’ personal data.

Last week, red flags were raised when security firm F-Secure tested a Xiaomi phone, only to find that it sent contact information and device data back to a company server, without the user’s permission. This prompted local media in Taiwan to question Xiaomi’s previous claim that the company was not secretly storing user’s data.

On Sunday, Xiaomi Vice President Hugo Barra responded, and said that the transmitted data was part of the phone’s Cloud Messaging service, which can send messages via SMS and over the Internet. The service operates with the help of Xiaomi servers, and relies on both phone numbers and device information to rout the messages. But no user personal data is stored by the company, Barra said.

“We apologize for any concern caused to our users and Mi fans,” he wrote. To address the problem, Xiaomi is making its Cloud Messaging an opt-in application, and introducing an over-the-air update to its phones that will let users disable the feature.

Lately, Xiaomi has been gaining international attention over its low-cost handsets, which have started to enter select foreign markets. But like other Chinese tech firms, the company is being scrutinized over privacy and security around its products, including in neighboring Taiwan.

“Do Xiaomi phones steal data and transfer it to Beijing?” asked one headline from Taiwan’s iThome, a tech publication that requested F-Secure investigate the company’s devices.

But on Monday, F-Secure security advisor Su Gim Goh said that most mobile phone vendors usually do end up tracking user information in one way or another, although they first ask for user’s permission with a long privacy policy. However, in Xiaomi’s case, the company had failed to take this step.

“Xiaomi previously said they were basically not collecting any data, but they actually were. That was the most shocking part,” Goh said. “The information was also traveling in plain text. It was unencrypted. That was another point of concern.”

Goh, who is based in Malaysia, said Xiaomi phones are also taking the country’s market by storm. But the company will need to be vigilant in protecting user’s privacy, especially as concerns continue over electronic spying programs by the U.S. and China, he added.

“We did prove the stereotype true. That phone makers from China have the reputation to collect more personal data,” he said.

But even so, the privacy concerns probably aren’t on the minds of most consumers, and won’t stop sales of Xiaomi phones, said CK Lu, an analyst with research firm Gartner.

[Privacy groups call for action to stop Facebook’s off site user tracking plans]

“There’s always been talk of this fear of China. We have seen Huawei, and ZTE, been accused of spying in similar scenarios,” he said. In 2012, for example, a U.S. congressional committee concluded that both companies were a national security threat for their alleged ties to the Chinese government.

In Taiwan, Xiaomi phones have been selling well, and been directed to consumers, not government officials, Lu said. “Even though people may have some concern about using a Chinese service, for most users it’s not a big deal,” he added.