Data sovereignty: Indian Air Force smartphone ban forces Xiaomi to announce Indian data centre
Mon 27 Oct 2014

Chinese smartphone manufacturer Xiaomi Inc has promised that it will invest in a new Indian data centre in order to allay criticism from the Indian Air Force that one of its popular models sends private data to servers in Beijing.
Last week the IAF advised its personnel and their families not to use Xiaomi’s Redmi 1s model of smartphone, which was discovered in an investigation by security company F-Secure to be storing sensitive user information on Chinese servers. The information being sent from India to China by the budget phone apparently included the IMEI device identifier, phone number and numbers derived from text messages and the user’s address book.
Xiaomi, one of China’s largest electronic device manufacturers, had partially addressed the issue after the Beijing cloud storage was noted in an F-Secure report made on August 7th this year. A follow-up from F-Secure acknowledged that Xiaomi had released an OTA update for the Redmi 1s which made the cloud storage an opt-in feature, and that, once enabled, it now sent information over HTTPS rather than unsecured HTTP.
But once the feature was turned on, user information was still being directed to https://api.account.xiaomi.com. Though no history of the IP addresses involved in the investigations is available, there is some evidence that customer information, available as it is to the privately-owned Chinese company, was actually stored in Singapore rather than Beijing.
At the time of writing, a random request to the domain resolves to an IP range belonging to an Amazon Web Services host based in Singapore. Xiaomi announced its intent to move its headquarters to Singapore via its ‘About’ page at least as early as May 2014. The company established trade in Singapore on February 21st this year.
In a release today, Xiaomi’s Brazilian-born Vice President Hugo Barra said “We are trying to get to the bottom of this. So far, we have not heard anything from the IAF or any other authorities and have only read media reports. We will reach out to authorities and engage with them to address any concerns that they might have.”
In a Google+ post immediately prior to the IAF controversy, Barra announced the company’s intention to fully address data sovereignty issues by 2015.
According to the Indian Times, the IAF’s advisory note was prompted by a report from the Indian Computer Emergency Response Team (CERT-In).
This initial hiccup in the Chinese tech-maker’s foray into the burgeoning Indian mobile market has come quickly, as Xiaomi only entered it in July, with the Mi3 smartphone. The Redmi 1s is one of half a million smartphones sold from the Redmi line this year.
Comment
The central issue coming into focus here is whether non-Chinese militaries are willing to trust Chinese manufacturers with what they may consider to be sensitive data. Considering this, it hardly seems to matter whether the information is stored in Beijing, or (as is apparently the case) on AWS hardware in Singapore – or even in a shiny new Indian data centre. Time to go ZeroKnowledge..?