Really interesting. But whether what Xiaomi browser does it's a spyware, what's is Google?
Does Google collects our navigation data? (Yes if we are using chrome or android and logged in)
Does Google knows what videos and what kind of videos do we watch? (Do you need an answer?)
Call it's a spyware because is a chinese company? Really? Nah. Google does the same or at least worst than it.
I'm neither defending Xiami nor Google. The question is: almost every application does data collection. And if you call it as spyware, therefore every app which does data collection is a spyware.
I think it comes down to which companies and governments are on the other end. I'm far from trusting the US government, but I trust the Chinese government even less.
There is a natural tendency to compare and contrast. And especially in cases where people are speculating about political motives, you're going to see that.
> Or Google being spyware somehow makes Xiaomi spyware less shitty?
Absolutely not, but both of them doing it defangs certain types of criticism.
False equivalence. If people in here actually broke down the differences, they would have to admit that their "Grr, Google just as bad!" hyperbole is more than just a tad disingenuous.
Apologies for not finding citations, but as an example of... suspicious behavior... Firefox had a big campaign about blocking Facebook tracking with a big push to install an addon to reduce Facebook data collection. They did not do that with Google. That's the one that stood out to me as especially asymmetric, others may have other examples they remember.
Don't get me wrong, Firefox is clearly the best of the options available. I use it all the time. But I'm also very aware that there is a bigger bias against Facebook (don't actually care since I don't go near it and block its javascript and cookies) than against Google. Of course, it's not obvious that this is Firefox's fault, Google is extremely good at finding probably-shouldn't-be-legal workarounds to just about any attempt to retain privacy.
You'd think making clear you want to retain your privacy should be enough, legally, but I guess there are no consequences.
Firefox puts Google in its own container just like Facebook. It also block third party cookies and is way better at avoiding fingerprinting than chrome.
Yes, it does matter that it's outside of US laws. Just like the inverse matters too. ( an American company collecting Chinese user data should matter to Chinese users ).
This "whataboutism" is getting tiring. What Xiaomi does here is really bad. if google does/did the same thing it would ALSO be bad.
There is no "but they do it too!". It's bad, period.
Well yes, I also call Chrome a spyware and don't use it. That's why I use firefox. And from what I read on HN, other people say the same thing about Chrome.
They respect their customer by selling hardware 50% off compared to Samsung and 80% off compared to apple. Having this with custom rom is a bargain imho.
How do you trust the hardware? Granted, how do you trust the hardware in any phone. But the risk may be higher if the entire production chain is in the one country with privacy/surveillance abuses.
Well you don't, but 1) no one can be trusted anyway. 2) one can analyze traffic after flashing to see if it is still phoning home. I won't expect it to, it's just too much hassle compared to doing it with software, just for sake of someone who flashed custom ROM. If you have real reasons to be worried about Chinese spying (like business/government work) then obviously you wouldn't buy any hardware like that anyway.
I don't know. I agree that it's not a customer friendly policy. But if your already stuck with a Xiaomi phone you have to either return it or bite the bullet, not much else you can do.
They're basically the only company allowing you to root a phone without loosing warranty. And it's not like other manufacturers come without FB installed as system app - yes, they're a bit worse on privacy by default, but it's not like they're the black sheep within a pile of innocents.
Like which other manufacturer of the size and scale of Xiaomi? Every single one of them has locked bootloaders, Samsung even bundles ads, and all of them without fail use Google Play Services and all kinds of other proprietary nonsense that can and maybe should be categorized as spyware.
I have had 3 Xiaomi phones over the years. Their proprietary bootloader-unlocker tool has always taken a good day or two of work to get the phone unlocked when I don't have adb tools /drivers installed from the get-go. Their utility gives me failures/errors/denials/"your social credit is too low" (i don't live in/near China) dozens and dozens of times before it finally decides to unlock my phone for me. I'm pretty sure my next phone won't be a Xiaomi, though it's hard to find sanely priced non-Chinese phones with good ROM coverage these days.
Unfortunately Google is making it much harder to run ROMs now due to the new Safety-Net bootloader checks. You'll no longer to be able to use many bank apps (or even the McDonalds app!).
I truly don't understand, from a security and privacy perspective, why would anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China. The MSS is no joke.
This is the same reason that Zoom is banned at my workplace and many other partner companies.
You've actually got two problems here. One is the commercial advertising/for-profit related data sharing problem described in the article. The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.
Could it be the same reason anyone outside of the US would voluntarily choose to run close-source software from a company that's subject to domestic laws and regulations in the US? The ECPA is no joke.
I'm sure that a Chinese citizen would see the NSA as an equal or greater threat. The difference from my perspective is that as a citizen of a NATO country with a functioning democracy, I'm highly unlikely to be rounded up by my government and put in a prison or concentration camp for expressing my political opinions or religion.
You only need to look at the past several years of news from Hong Kong and the Uyghur/Xinjiang province situation to see the stark real world difference in human rights, political freedoms and press freedoms.
I'm not 100% sure from your comment whether you're making out that:
(a). China is bad (yes, known)
(b). The US is not quite as bad (debatable but for the sake of argument lets agree that this is true)
(c). The US is benign
My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true. Though terms such as "country with a functioning democracy" make me think you might...
My point was absolutely not (c). The US has a vast and complex array of sociopolitical, economic disparity, racism, police brutality issues, some of which have been highlighted throughout 2020. But I definitely consider it to be the lesser of two evils.
US Intelligence has too long a history of its own largely consequence-free abuses too. Someone else having a surveillance state doesn't make the one at home any better.
Someone from outside the US will probably worry more about its history of backing coups than the domestic problems you mentioned. If the US puts a Pinochet in my country and their algorithms say I'm likely to be a communist sympathizer, am I at risk?
Definitely. Those of us from Latin American countries have a history with the US that we don't have with China, and so while China might be bad to us, we are (mostly) outside its sphere of direct influence; on the other hand, the US has a proven track record of supporting blood-thirsty and ruthless dictators in the relatively recent past, and meddling with our democratic institutions and electoral processes, so it's the "biggest threat" to us, so to speak.
> My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true.
The country is an imperfect union. Although the country attempts at every turn to work towards "A more perfect Union"; clearly we have similar issues that other countries do.
In a comparative analysis, OP was merely saying the US is head and shoulders above a country that suppresses freedom of speech, eliminates political dissent and the people who promote freedom and sends them away to actual concentration camps under the guise of "re-education".
Black and white sophism. No country is going to meet c), no country is benign. What matters is how much better the country in aspects like this. And the US still much better, NSA included.
There is nothing new about the question "why would someone buy cheap phones when they come with spyware". So someone asks a shit question and gets a shit answer.
Why is it unproductive? Parent makes a point that non-US consumers don't care whether it's a US or Chinese product. Both nations have access to domestic company's data.
The original message was saying they couldn't understand / couldn't empathise with someone making a conscious decision to use xiaomi. I gambled that they make the same conscious decisions using US software, but only see their decision to do so differently due to a set of pro-US biases that others won't have.
It's difficult to look past such biases if they're deeply ingrained but I think this can definitely be productive to do so. If you can empathise better with conscious xiaomi users, and understand why people use non-optimal software, such understanding can have a lot of benefits.
It goes the same for any of the "Eyes" countries. They share intelligence and tracking of citizens as well. It's not just the US, so don't act like it is.
Don't pretend any other country have as much surveillance capability as the US does. There are levels to the awfulness and not everyone is at final boss level. Most are random green scrubs comparatively.
I would argue if you are American nor Chinese, the US has a greater ability to negatively influence your life. Chinese government has full control domestically but can’t (currently) do too much outside of their borders. The US on the other hand...
I agree, people give US companies way to much slack... But then what am I supposed to do if I'm European? The US and China pretty much covers the mobile market (and what's not covered is still not European).
From a purely pragmatic point of view: If you're European...?
Consider that your country is likely either already a five eyes member, or a "five eyes plus" member with a historical record going back 45+ years of intelligence/law enforcement data sharing between the various NATO governments' intelligence agencies.
And take a risk calculation, based on what you're doing in your life, if all your metadata and traffic was in the hands of the NSA, what's the most likely end result that might affect you adversely?
Are you actually at risk of being persecuted for anything you're doing socially, religiously, politically? For instance, if you're a German, is all of your data being in the hands of the BND going to result in anything bad happening to you?
From a purely pragmatic point of view, a lot of especially Eastern Europe and Eastern Germany are viscerally aware that "anything you're doing socially, religiously, politically" will always somehow include something illegal and worrying about surveillance results in self-censorship.
I really don't think that's unreasonable, the fall of the berlin wall was within living memory. I hope that the NSA isn't going to do anything too, but the idea that they can't or won't is clearly not true. Staying under the radar might feel pragmatic, but I think a lot of people realize that's entirely inadequate with constantly shifting political environments.
I am not a European but I am fairly sure I would have two very different opinions on this, relative to my personal perceived level of threat from my own national government, if I were a citizen and resident of the Netherlands or, for instance, Belarus.
Considering the current target of deplatforming is the far-right, and given Germany's history specifically, they have a lot of reasons not to trust local hardware and software. The same goes for the Le Pen crowd in France, a somewhat adversarial government on the other side of the globe is often less risky than the status quo across the pond allied to the current French establishment.
I was wondering how long it would take until we got to the argument of "oh no, won't somebody please think of the unfortunate oppressed fascists! it's a good thing that xiaomi has phones and software for them, because their own local european government is against them".
The paradox of tolerance and an open society is that if you allow actual fascism to flourish (and Le Pen is absolutely a fascist, in my opinion), you risk ending up with something much worse in the long run.
"oh no, won't somebody please think of the unfortunate oppressed fascists!..
Except anyone that you want to oppress will retroactively be labelled "fascist", or "far-right" by whatever loose system serves that purpose.
The latest version of "terrorist", "activist" or "heretic".
and Le Pen is absolutely a fascist, in my opinion
But whose opinion is canon in matters of censorship? Le Pen is also a valid political candidate with fair support in her electorate.
Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?
so you say "if you allow actual fascism to flourish.. something much worse in the long run" - who gets to decide what is "allowed", and what isn't?
Seems to me the basis for such stability would have nothing to do with subjective judgements of what constitutes "fascism" - and more to do with principles of democracy - i.e. a fascist entity can be democratically elected - it just can't be given powers that would allow it to override democracy, or escape legal oversight. Perhaps the key word is "extralegal"?
The problem is that too many political entities (not just far-right) seek extralegal, overreaching powers; believing it OK so long as "they can be trusted"; but if the king of today is a good king, his heir might still be bad. And the good government that allows for overreach enables the bad government that does the same.
> Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?
This actually happened in recent history. Just because Hitler (and yes I must unfortunately rely on such a reference, and no, Le Pen is not Hitler, but it provides a good example of far-right vs democracy) was elected doesn't mean the entire world should roll over.
Just to clarify, by "roll over" you mean "change their democratic systems to prevent the election of fascists"?
The election of the Nazis didn't justify the sweeping power transfer that resulted, including control of the press, a private party militia (Brownshirts) etc etc etc
I'm criticising efforts to interfere with who is allowed to be elected, versus limiting what powers can be obtained through election.
I know first hand that Nokia top and middle management understood nothing about software development or quality. The tools and practices used in the whole development were horrible. After a couple of years they just drowned in bugs and new products came slower and slower, failed projects more and more frequent.
I have no idea whether it's equally bad at Google/Android or Apple. I have the feeling it's not.
I don't think China really dominates in software world-wide. Xiaomi seems more like an exception to me. Hardware is a different story.
That's not true, because US companies are allowed to export E2E technology in products. Chinese companies are not given the same leeway. All Chinese messenger clients are not encrypted and are fully surveilled. That is not true for US messenger clients.
IIRC American companies (specially service companies, but surely also hardware companies) can be forced to introduce backdoors and other spying mechanisms and then force them not to disclose such a thing (i.e. Lavabit, Groklaw, Room 641 and equivalent Google and Facebook programms).
For us that don't live in the US or China, it is just a matter of choosing between two evils. And in being pragmatics, the 90% of the population outside of China and the US does not give a damn if the US or China are spying in their mundane conversations.
> IIRC American companies (specially service companies, but surely also hardware companies) can be forced to introduce backdoors and other spying mechanisms and then force them not to disclose such a thing (i.e. Lavabit, Groklaw, Room 641 and equivalent Google and Facebook programms).
You recall incorrectly. By extension of the First Amendment, US companies are protected from being forced to introduce functionality so as to collect or decrypt information (or for any other purpose). Carrying out original work for the government is considered to be speech, and as a result cannot be compelled. If the data is already collected and available in a decrypted form to the company a court order can compel the data to be turned over as evidence, as is the case with any data (or any thing) held by anyone (with narrow exceptions related to the 5th amendment).
This was a topic of national attention several years ago when the FBI tried (and failed) to compel Apple to create and sign a custom software update to unlock an iPhone.
And yet from the free to export US we keep finding backdoors and hardcoded admin passwords in things that are supposed to be way more secure than a random chat client. Even if all of them are actually bugs I'm not sure that is any better. No E2EE to share my shopping list with my girlfriend versus the piss poor security in enterprise hardware from manufacturers like Cisco etc? At least I can download another chat client. Purging US enterprise equipment from my company, home and ISP? Not so much.
Huawei's security doesn't come close to Cisco's security practices. Mostly because the vast majority of their hardware and software was sourced from stolen IP (Huawei had cash bounties for employees to provide stolen IP to the company). If you sell stolen technology, you don't truly understand how it works or how to secure it.
Given the choice, I'd choose Cisco every day of the week. It's not perfect but then again there's no such thing as perfect security.
With an E2E messenger, you can be sure that most likely your communications are not being intercepted. With a Chinese company, your communications are never secure.
Not only are Chinese software products not secure, but they'll lie to you about their security. Zoom claimed to have E2E encryption on calls which turned out to be an egregious fabrication (on top of them exporting calls to Chinese servers).
I agree with your statement, but I'd like to get it a bit further. Why run any closed-sourced software from (or have servers in) countries that can request you data without a fair trial (e.g. secret courts). I feel just as uncomfortable about national security letters and the NSA/CIA as the MSS, this from someone who is not living in China or the US.
I do think this shows the perks of open source software and being able to self-host or federated solutions.
Because it is much easier. I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited.
I have no time to learn how to and run and maintain my own mail server.
> I truly don't understand, from a security and privacy perspective, why would anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China.
All you have to do is look at it from more than a security/privacy perspective.
Chrome is the most used browser despite Firefox doing nearly everything Chrome does the same and everyone knowing that Firefox doesn't track you like Chrome does.
It's obvious why. It's a little faster, it has more money behind it, it comes pre-installed (and unremovable) on most phones, etc.
> The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.
If you're anywhere near any scene you might consider not liked by the current government (which surely also includes journalists and the likes), your domestic agencies are a far bigger threat than the MSS, as long as you don't choose to go to China - and even then, you're probably fine, unless you're fighting against the Chinese regime in particular.
And yes, the patriot act and the NSA are no joke. It's not like subpoenas are never head of (and the EU is, at least in parts, not much better).
I use a xiaomi phone and the reason I use it is because it is significantly cheaper compared to a samsung or apple phone. Example: A $200 xiaomi phone is equivalent in specs to a $600 Samsung.
Also it is likely the Chinese are spying on me indirectly (data collection where the chinses military can access the data if they want to) but I really have nothing significant on me that the Chinese would want to be concerned with me.
Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable. Privacy should mean privacy, even if that means losing functionality on a select few sites.
* P3A doesn’t collect any personal information.
* You can turn P3A off at any time in the “Privacy and Security” section of the browser preferences.
* All the P3A code will be open source (...) you can check that your browser is only sharing the specific things we promise.
> Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable.
The claim was never about absolute privacy but rather as strong as default as possible while keeping the web functional. And in that department they are delivering more than any alternative - more than even Firefox out of the box. Not to mention that TFA itself states that the implementation was far from ideal.
Anyway, the biggest question I have for those that are so quick to criticize Brave is "what else do we have with a business model that can disrupt Surveillance Capitalism?". Apple could if they wanted, but where is Safari for Windows/Linux? Any of the others? Doubtful. Even Mozilla's dependency on ad revenue from Google makes them less credible. So why shit on Brave when there is absolutely zero potential alternatives?
> A $200 xiaomi phone is equivalent in specs to a $600 Samsung.
Xiaomi phones have much higher audio latency than Samsung phones.[1] As a VoIP user, I would rather use an entry level Samsung phone (e.g., a $150 A02s) than a Xiaomi flagship.
Xiaomi phones are frighteningly popular here in Russia because they're very cheap. Like, a-phone-could-not-cost-this-little cheap. A 7000₽ (around $100) phone? Why not, seems legit! And not many people really understand what Xiaomi is actually doing to offset that cost. Heck, when you open the built-in calculator app in MIUI, it has a freakin privacy policy and refuses to operate if you don't accept that. Same for the gallery and the music player — you know, all the apps that have no business knowing that the internet at all exists.
In large software companies that have whole GUI/human interface design departments, they do lots of R&D and testing of interfaces. Traditional things like putting people with new software interfaces in rooms with video cameras and one-way mirrors of staff watching.
It would be very interesting to see a random sampling of 20 'non technical' users presented with such a phone, and given instructions simply "here is your new phone, please unbox it and connect it to the wifi and do things on the internet for three hours". Record a video of their interactions with the screen.
In my experience the vast, overwhelming majority of people when presented with a software popup like "Do you accept the license agreement to use this calculator?" will simply click yes/accept/okay/proceed as quickly as possible and disregard what it actually means.
I have a theory that a very small percentage of persons would actually balk or become suspicious of seeing something like a privacy policy agreement for a photo gallery or music player.
Now, I'm not a UX specialist, I'm merely a developer and these are just my own observations, but...
Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about. And that's why dark patterns work more often than not.
I roughly categorize UI/UX patterns into those that respect the user and those that don't. Showing a modal and making them decide something right now and right there is very disrespectful and off-putting. iOS of all things does this for system updates, low battery, and some urgent as hell alerts about your Apple ID. What you should be doing instead is use something non-blocking that can be ignored, like a notification, an icon badge, or a clickable bar at the top of the screen. Anyway, I digress.
And then, if you need a calculator, but the one that came with your phone quits unless accept the terms of use, what are you gonna do, as a non-technical person? Go to Google Play and look for a better one? Probably not.
> Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about.
I think most users even accept this as general setup things. When I, as a developer, want my device set up as quickly as possible, I mostly just proceed with everything.
Not defending Xiaomi in general, but it's worth mentioning that the stock calculator in MIUI (at least when I last used it) was much more than just a traditional calculator. It had all kinds of sophisticated functionality that goes beyond our arithmetic, such as currency conversion, which obviously requires network and an api that might very well be third party and require a privacy policy.
So while I assume they're tracking users, I don't think the calculator having a privacy policy is as shocking as it initially sounds.
Uh. An API that provides currency exchange rates is a textbook case of a read-only API. Unless that privacy policy is the nonsensical "we receive and process your IP address" (or course you do, that's how the internet works, duh), it has no reason to have one because no data flows in that direction.
Trying to get legal to sign-off on allowing no-privacy-policy access to anything is going to be hard every time, especially if you do keep personal information like IP addresses for any amount of time (hello gdpr).
While I don't think there would be much investigation on a simple currency API storing user info, most companies aren't in the business of increasing legal risk for the tradeoff of user experience.
IP addresses are not identifying info under the GDPR. They are only potentially identifying. The address in your nginx logs does not count, if you are storing other data and can use the IP to identify an individual, now its identifying data.
The photo editor on my Sony phone keeps telling me it wants to send data to Sony and refuses to open when I decline. So the Chinese are no worse than the Americans and, apparently, the Japanese in this regard.
Wow, so because of this one example you conclude "So the Chinese are no worse than the Americans and, apparently, the Japanese in this regard."
You are saying that if you can find a single example of X happening in domain A and a single example of X happening in domain B, then "apparently" A and B must be "no different" with respect to X. People are murdered in Japan. People are murdered in Brazil. Thus Japan is no different than Brazil with respect to murders.
Please please tell me that you are just being inflammatory and that this "find one example" criteria isn't how you go about making assessments of things.
You're right; our natural bias would be to distrust the Chinese more, because culturally and politically they are so far removed from us. So actually we should be suspecting the Americans and Japanese more than China to counter our biases.
Could China possibly have infiltrated as much of global communications networks as the NSA & Five Eyes have for the past decade and a half? Not likely! If we didn't have such successful digital espionage programs, would we instead rely on our corporations to spy on our behalf? Very likely, seeing as we've already done that too.
It's not really that a phone could not cost this little. Xiaomi's pricing model is pretty transparent, they make a 5% or so profit from each device and also monetize via UI ads.
It's more that consumers around the world have been brainwashed into believing huge markups are the default and must be accepted.
That of course does not alleviate the data collection concerns about Xiaomi, but it is unfair to say that given the production apparatus to produce at scale and the ability to absorb losses initially, it is not possible to make devices this cheap.
How is that different from stock Android, besides this being per app and having to give blanket permission for all things Google right at installation of stock Android?
Sure, but you will still have a sort of chain of trust with Google that that disable button will actually do anything. Except bothering you in the future with a new, fancy enable button to make certain apps work.
Here in the US, a Moto G7 Play is $130 brand new from amazon.com, and seems to be much more reasonable from a privacy standpoint. I seem to remember being presented with a clear choice to disable phoning home to Motorola during initial setup.
> why would anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China
Because outside US it doesn't really matter whether it's Chinese or American company that has your data.
if your Country has good relationships with both of them it doesn't really matter.
EDIT: you have to understand that the cold war is over and you can't replace USSR with modern China, my country has good relationships with both the US and China so it doesn't really matters who's spying on you, they are "good friends" anyway...
This question is particularly pertinent in a country like Australia. Both the US and China have strong interest in controlling our loyalty and GDP, and I for one dont want to be a subject of either regime.
> But in context:
>
> - Australia has similar laws.
>
> - Snowden releases showed the US don’t even ask, they just take it.
>
> So it’s not like there is a huge amount of difference around the world.
I am not familiar with Australia privacy law, could you give me a rough idea what is look like?
Snowdon case made the US government look bad, please don't use the same reason to make the Chinese Communist Party look good or OK.
It's kind weird when something bad happens, everyone just points at the US and says they do that too! The CCP did something bad, Somehow it's OK because the US government did something bad.
If you are an US national and living in the US, you can complain and bitch about your government all you want and not worrying about your safety, hence you can talk about the Snowdon case or berate the president, and things might change. Would you dare doing that in Chinese soil even if your are not Chinese.
No, I was pointing out the "Don't by Xiaomi because you can't trust them" is logically flawed... because you can't trust any of the countries involved with the manufacture of phones.
This isn't excusing the behaviour, it's pointing out that "privacy" is not a justification for not using Chinese goods, because American goods have evidence of exactly the same compromise.
> I am not familiar with Australia privacy law, could you give me a rough idea what is look like?
I assume it's the Australian Assistance and Access Bill that's being referred to here. It has nothing to do with privacy. It's prime job (which isn't hidden - it's spelt out in the explanatory notes) is to circumvent encryption by accessing the data at the end points, where it isn't encrypted. It must be unencrypted at the end points because humans can't read or listen to encrypted data. https://searchsecurity.techtarget.com/definition/Australian-...
The bill gives several government agencies the legal right to coerce any software company to "assist" them by writing a bug that is invisible to the OS. The "access" part gives them right to coerce a software company to distribute software to any device they target (there is legal oversight on who they can target).
To fill this out with a concrete example, they could compel Google to provide a version of the Android Google Keyboard that records all key strokes and the name of the application it is are sending them to. They can then force Google to install that keyboard via their auto update mechanism. Notice that using an open source program like Signal that securely and correctly encrypts everything, and comes from a trusted source is not a useful defence against this.
Both of these powers are accompanied by an automatic gag mechanism, meaning if Google revealed they were asked to do either of these things someone would go to jail. The provisions in the act for reporting when and where these powers are used, so the voters could have some say are to put it mildly weak.
Although Australia is very clearly a country that operates around "the rule of law", in the end the only difference that has made is we know they are doing it, whereas China could deny they are doing it. In reality, I don't think China tries to deny the Great Firewall of China, or the invasive probes they force citizens to install to support their social credits system.
So yeah in my view OP is quite correct. If there are differences they revolve around how widely these things are deployed, not over whether they exist. I presume my home country, Australia, deploys them a lot less, but they go to a great deal of trouble to ensure there is no way to be sure.
I am using Xiaomi phone for roughly the same reasons as I am using Gmail.
I dislike results of either, replacement of both is on my oversized TODO list - and was there since at least two years.
I dislike that USA government, China government and God knows who else has full (partial?) copy of whatever I ever typed on my phone but I did nothing beyond selecting Android Zero, declining "send all what I typed to Google" and declining gloud sync.
(I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited)
I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.
Anyway, you're right. In practice, protecting your privacy is a massive hassle. I just do it step by step, knowing that even half-assing it is better than nothing.
I really hope that privacy situation will start getting better - or at least not getting worse.
For email I basically gave up (for now) as it will likely leak on other side anyway.
But I aggressively avoid cloud sync, and my files on cloud are either public or locally encrypted before uploading. Well, at least it protects against non-targeted attacks.
> I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.
:)
Just in case that you have an Android phone - I recommend StreetComplete, it allows limited editing with zero OSM-specific knowledge. Registering for OSM account is the most difficult part.
I do contribute through OsmAnd. I mapped a few gas stations in more desolate areas. However this is a much more exciting way to contribute. Thanks for sharing!
Because it has cost benefit.
Redmi Note here in Brazil are super popular.
The only alternative for that, it's Samsung, but is not exactly better. I believe Xiaomi devices are still cheaper than Samsung here.
I know, I know, you're thinking that doesn't either, but you can control it remotely through an app or website, and automate certain actions. You might want your air cleaner to start running when you leave your office, for example so that your air is dust-free when you get home.
I've actually used a Xiaomi light remote-controlled over the internet to simulate being home while on another continent so that anyone casing the place for a burglary might be dissuaded. I disabled its internet connectivity when I was done with that.
Well, to play devils advocate, as a random Irish guy it seems like my choice is between Chinese companies spying on me or US companies spying on me. I don't see that huge a difference - although I do acknowledge there's a difference in freedom of speech and culture in the US, that applies to US citizens and when it comes to spying on people outside the US the difference is much smaller.
Similar boat, but I see a pretty big difference. Every time I have to fill out a FATCA form, I'm reminded of how much power the US government can wields over me - a non US citizen/resident.
Consider Document Number 9[1], and the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine. You already know what it's like living in a world which the US is a dominate super power, that's what the West has experience in the past 70 years and it had created some of the greatest prosperity both the US and West have experienced in their existence.
A dominant China is interested in promoting their own values of Xi thought. And they're working very hard to promulgate it. Their coercive ability is remarkable in how it's already transformed Hollywood. Their ability to do so will only increase.
> Consider Document Number 9[1], and the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine.
You have quite literally also just described the US.
"China and Communism are a threat which we should seek to undermine". It works both ways.
Xi Jingping considers the promotion of liberal values, human rights, and democracy at their core to be "arrogance, prejudice and hatred". This goes beyond one power vs another, every democracy is under threat.
> the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine
For the last decades, the US has been actively trying to undermine -- mostly covertly, sometimes more openly -- leftist parties and organizations in Latin America (more often than not completely unrelated to China), so...
Ignorance and cost. Chinese phones are popular in Europe, where Apple/Google/Samsung flagship phones are prohibitive, and similarly spec'ed Chinese ones are a fraction of the cost.
And we can't forget many Euro citizens simply don't care.
> I truly don't understand, from a security and privacy perspective, why would anyone would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in the United States.
Fixed that for you. Xiaomi offer an official bootlock unloader for their shitty MIUI roms which no one else on the planet does and is one of two companies out there that sells stock android phones. They are the easiest mobiles on the planet to install LineageOS on.
Imagine being on HackerNews and not at least slightly acknowledging the fact this company makes the most hacker friendly phones on Earth. It's honestly embarrassing.
Feel free to sniff the packets on any other device and realise how prevalent phonehomes are and how the eyes can access all of it on a whim if it's going to non-Chinese companies.
If you were an activist in the Western world I would only recommend a Chinese phone to protect yourself.
I think it's important that you raised your point, but I don't see that Xiaomi providing stock android phones and the ability to unlock the bootloader on their MIUI phones forgives them from the clear privacy issues highlighted in the original post, particularly given that the vast majority of their customers stick with the default/popular option.
For the same reason anyone chooses products created in any other country. All countries can force the companies to share data hosted in that country to companies which operate in those countries.
Zoom is banned as a result of marketing efforts of competitors like Microsoft and Google. I have worked in companies which have either Microsoft products banned or Google products banned.
Interesting to see the quite loaded (and slightly archaic in 2020?) term "spyware" used to refer to Chinese software. I haven't seen it used to describe Facebook or Google software, even alongside all of the recent news stories highlighting their apps' tracking footprint by Apple's newer iPhone AppStore requirements.
I recently bought a Xiaomi phone (Poco m3) for development. I was shocked to learn that in order to enable USB debug mode in developer settings, I needed to BOTH:
Any model to recommend? Not sure if our usecases are the same -- I wanted to find a cheap "lower end of the market" phone to test my mobile game on. Frankly, the poco m3 might even be too powerful for that purpose...
I have a Galaxy A21s now. It was just slightly more expensive than the Xiaomi i tried. Not sure how low end it is though.
Mind, it's strictly a development phone. It sits on my desk plugged in, unless I debug those Android apps. No sim card in either. My personal phone is an iPhone XS.
I recently ordered the 2020 version of the Moto G Power (XT2041-4) from Costco for personal use, upgrading from the Moto G6 Play.
And although Lenovo is now China-owned, the Moto line is still pure Android and no bloat.
Did a lot of research and the the last gen G Power is the best spec'd budget phone around this price point that is not a Samsung and sold in typical NA big box stores.
I've been told that the reasoning behind this is shady resellers loading unremovable system malware to the system partition (which runs as device admin++) before reselling this to you.
Apparently this is a huge problem in China, where there seems to be quite literally no trust at all on online shopping. This actually does seem to be the case if you try buying devices from any NON-xiaomi-official store Aliexpress shop. They're usually $0.01-$1.00 cheaper, and are guaranteed to be packed with massive amounts of malware. None of which can be pressed "disable" or "uninstall" (greyed out).
They use fake reviews and fake buyers much like Amazon in the west, to inflate their order count and ratings to be sorted above Xiaomi official store
Jesus, do you have any sources (Chinese is fine) for this? This is horribly anti-consumer and I'm surprised there's not more of a push back if it's so common.
Try search for phrase "fakerom" or "fake rom" or "rottensys" with xiaomi.
The resellers get paid a few dollars for the malware install. I think the most common is people reselling to ship out to other countries, and not sold in China itself.
The aliexpress shops get shut down, negative feedback, but they just open another. Note that aliexpress actually shuts these down in the first place and is "reputable" end of things. Never ever buy devices from gearbest, wish, etc. - ever .
another reason being some eBay/re-sellers buy in low cost places (like India/China) - reinstall EU ROM and sell it at high cost. (Even now many devices in Asian markets come with a label like - Only for India-SIM)
I ran into the exact same thing. And because I don't have a SIM card (it's an at-home "tablet"), I have no way to enable USB debugging. Pretty frustrating.
If Lineage starts supporting this device, I'll definitely move over from MIUI.
I just bought the same phone as a gift for my girlfriend, and was considering getting one for me one day since it's a really nice piece of hardware for the price. Some searches around brought this link of a community of non official developers attempting to clean up the system from some preinstalled junk.
That's terrible. Is it possible to even root it without enabling debug mode though? I've always had to use "adb reboot-bootloader" to get into the bootloader because the stupid key combination doesn't seem to work on recent phones, or maybe it's just that my fingers aren't fast enough.
I bought a Poco X3 NFC about a month ago, and also was confronted with the Xiaomi account signup request when I tried to enable USB debugging.
For me this was enough of a reason to send the device back, but I started fiddling around and ended up being able to use USB debugging without an Xiaomi account. I don't remember how I managed to do this, I think I had to disable a specific MIUI optimization. No ADB had to be used for this. I think it was this https://android.stackexchange.com/a/185876
I'm also pretty sure that I did not insert a SIM card at that point, because I was still using the device-to-be-replaced on that and the following days.
I think it's just a lot of tactics which they use in order to push you to create an account, but ultimately it's not required.
That being said, I really despise their MIUI, all their modifications. Everything about it attempts to make you use their products, even if Google's apps are already installed.
For me, the Android experience which the Pixel devices give you are all I want. Even Motorola's minor enhancements are something I don't want on a new phone.
Xiaomi phones have unlockable bootloaders, so rooting is really trivial, but guess what? You need a Xiaomi account to unlock the bootloader too! And they make you wait several days to do it.
And no, you can't break an Android device by rooting it. Worst case you'll have to reflash the system partition through recovery.
Went through this recently. Had to download xiaomi unlock software to unlock the bootloader. Probably sent an image of my hard drive back to china in the process. And the 7 day wait period. Really is an example of price too good to be true because they collect your data and probably get huge government subsidies to do so. Nice phone though once you flash it.
> The intention here seems to be that aigt is the timestamp when the ID was generated. So if that timestamp deviates from current time by more than 7776000000 milliseconds (90 days) a new ID is going to be generated. However, this implementation is buggy, it will update aigt on every call rather than only when a new ID is generated. So the only scenario where a new ID will be generated is: this method wasn’t called for 90 days, meaning that the browser wasn’t started for 90 days. And that’s rather unlikely, so one has to consider this ID permanent.
If we assume that Xiaomi aren't literally trying to spy for a government and are in fact just poorly calibrated on what's legitimate to collect for product analytics purposes, this paragraph highlights why that's still incredibly dangerous despite "good intentions".
I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice.
This paragraph seems to suggest a similar problem at Xiaomi. This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points. The fact it wasn't suggests that these stages either don't exist or are insufficient.
Right, I meant is it allowed by Chinese law to NOT spy for the government. As I understand it, to be allowed to operate in China as a Chinese company, you are under the obligation to provide any information you collect to the gov't upon request. Is that not the case?
Google publishes a transparency report with aggregate information on government requests for user data, and regularly challenges requests to reduce their scope. To pretend that this is the same as China is a joke.
Splitting hairs here, but the wording of your question gives the impression that one could choose not to collect any data and then be free of said obligations, but I don't think that's the case. Does anyone know?
You guys are familiar with the Snowden disclosures and how all telecom companies and very likely all major tech companies are spying for the US government right?
At this point, this is table stakes for big tech and it's completely anti-democratic. China may have a very good domestic dragnet but clearly it's playing catch up compared to the foreign intelligence assets the USG (and five eyes) has.
If you're going to cite Snowden, please be accurate.
Remember that one of the leaks was that the NSA tapped unencrypted Google backhaul in transit without Google's knowledge.
There's a difference between panopticon fearmongering and citing specific information we should be wary of. The former leads to apathy. The latter leads to action.
That was ATT. It (and all the other exposed operations) hardly support the statement that "all telecom companies and very likely all major tech companies are spying for the US government".
The US defense and intelligence apparatuses have been deeply intertwined with private enterprise for many decades. This is a matter of historical fact. But I totally understand if it's more comfortable for you to believe that now things are different despite the fact that no one was ever held to account for what happened in the past.
Right, that's why I said "very likely" instead of "proven". However, at the point it's pretty clear the tech companies are all competing for pentagon contracts (e.g. Project Maven, JEDI, etc) so the 2013 information has significant potential to be dated.
Thinking America's largest monopolies and America's government and foreign policy are at odds over more than superficial things is probably not an accurate view of the world. America uses our corporations to advance nebulously defined "national security interests" and corporations use the government to get rich(er).
There is a difference between being required to collect data that they wouldn't otherwise need for a legitimate business purpose, and being required to provide access to data they've already collected to their government. I'm no expert but it seems like a Chinese company could design products that don't collect a bunch of extraneous information, without violating Chinese law.
if you mean this in the sense that "all chinese companies are automatically spy agencies", then no, that's certainly not true. But would they have to comply with a government request - yeah, probably, just like any other company.
That feels like a distinction without a difference. The gov't has access to all the the data of all Chinese companies, and those companies are not required to divulge that to their consumers.
Genuinely, I really want to see Purism succeed and increasing numbers of competitors in that space, because we need tools that don't require so much blind trust. Whether caused by inept software devs, scope for malicious code / backdoors in firmware, analytics spyware, and whether this stuff is well intentioned or not, if it can be abused, it will be.
Open source and verifiable down to the firmware is the only chance we have at any real level of trust, otherwise as is always apparent in these conversations, it often falls otherwise to who you think could compromise your device and making your bed with it, like USA not China or vice versa
The problem is that purism doesn't pay as much as all the tracking, preinstalled bloatware, random 3rd party utilities and other stuff. This will never ever be solved through competition,because people either don't care, or there aren't enough of those who do. Legislation is the only way to make it work, but then again, that's hardly an option for most of the world.
as much as I am eager to see open source mobile OS succeed, tracking happens at the app level.
What happens when I install the FB app on a Purism enabled device?
My way to go until now has been installing as many OSS apps on my smartphone as possible, to the point that even the keyboard and the launcher on my smartphone are installed through f-droid.
That's the main reason why I prefer Android phones over Apple ones.
I don't think Facebook is likely to release a Linux based app. If they did it would likely be electron style. There also lots of Facebook apps that wrap the mobile website inside of a stand-alone "app" available on F-Droid. I also wonder what type of permissions API even exist that would allow you to view contacts as an app inside of Purism. Maybe Gnome has something kind of API already for apps to access built-in contents but this far there hasnt been a lot of proprietary software released for Linux that embeds spyware because of the low # of users and increased difficulty and general lack of distribution platform. But Purism is also really far away from being a viable platform for non-techies at this point.
Purism is never going to end up with fully open source baseband firmware. It's not going to happen because the radios are subject to several regulations which means customers can't be able to modify that firmware. There's going to always be a trust hole.
Every radio regulation agency on the planet? Most radio hardware is capable of operating outside of regulated limits. The device firmware is usually what keeps the devices running within their regulated limits and gets those components licenses to be sold. Anyone selling regulated devices running outside of their regulated envelope faces fines and even criminal charges.
Cell phones only work because the millions of devices run within strict limits and behave reasonably. There's not a lot of difference between a properly operating radio and a radio jammer. Purism isn't going to find a baseband vendor that's going to risk their licenses by allowing for open source firmware.
In the US a baseband processor's entire software stack that controls the radio front end must be certified. They'll also have the modems to talk to the cellular networks. BPs use their own CPU(s) and an RTOS firmware that's FCC certified.
This is why a baseband processor is a fully separate component from a device's application processor(s). Since the AP doesn't talk directly to the radio it doesn't need to be certified and can be updated without recertification. The BP can also get certification and any manufacturer using that BP doesn't need to re-certify it. The interfaces are also such that the AP can't (or shouldn't be able to) tell the BP firmware to boost the output power above legal limits or something.
Radios that have "open" soft modems don't typically have fully software controlled radio front ends. The radio front end will have its statutory limits baked in electrically or have very limited software control. The modulation on the back end isn't as important as the front end. Broken modulation just means you can't talk to anyone, an overdriven transmitter is effectively a radio jammer or can give someone an RF burn.
Part 2 covers recertification of changes to radio equipment (everything touching the front end of the radio). Part 24 cover broadband PCS while Part 15 covers WiFi and Bluetooth since they're ISM band components.
If you're actually interested read the regulations and look up some FCC IDs for devices.
People should push for open source as much as possible. At some point it will be easier to lobby for the new regulations when everything else is fully open source. See also: https://forum.pine64.org/showthread.php?tid=11815
The regulations around radios exist because the spectrum is limited and emissions propagate over a wide area. You and I (assuming you're in the US) have the same standing to use radio spectrum. If I go and modify my phone's firmware to increase the power output I could literally jam communications from your phone.
It's very different than if I modified the firmware on my hard drive or UEFI on a PC. I might fuck up my stuff but it doesn't affect you. I can fiddle with my hard drive firmware all day but I'm not going to block a 911 call you're trying to make.
Also a company giving out modem firmware is an exception and not a rule. It re-classes the device as a hobbyist/experimental device and if they go traipsing around with it they could potentially face fines (unlikely but possible).
Again it's not about lobbying it's about a limited spectrum and people being stupid/assholes not realizing or caring their pocket radio affects others. You live in a world where shitheads try to make their cars louder on purpose and you can pick up dozens of WAPs because everyone sets the power to the highest number the interface allows.
Using wrong spectrum and jamming communications of others can be illegal without forcing proprietary firmware. It's like making all cars illegal, because someone blocks access roads for a fire brigade.
It's not forcing proprietary firmware. The firmware could be entirely open so long as end users couldn't freely modify it on their devices. Competition between baseband manufacturers drives them to keep firmwares proprietary.
While I agree with your intent, the problem is that, many open source software is not verifiable.
Remember that a Kaggle competitor was openly cheating with his published code? (cf. https://www.theregister.com/2020/01/21/ai_kaggle_contest_che... ) Eventually he got caught, but it's sometimes extremely difficult to spot a well-hidden malicious code in a plain sight. We need to be much better at analyzing software.
Yeah, you are definitely correct on the lack of verification tools and I hope research on that one day breaks out of academia and into more common usage. The Kaggle story is great. One mildly related thing is Purism's bootloader tampering detection with their "librem key". Naturally it does nothing to verify the running code, but it does feel like knowing you're running the code you thought you were has some merit.
I think maybe some replies have interpreted my comment as naively assuming that open source firmware would would mean complete trust. I just think it is a good step on the journey.
While having the source available is not a panacea, it would seem that, at least in the case you mentioned, not having the source code would have allowed for the cheating to continue with impunity, as there would have been no way for anyone to begin to discover what had been going on. That would suggest that having the source available is a necessary part of establishing real trust, even if it's not sufficient.
> While I agree with your intent, the problem is that, many open source software is not verifiable.
To me, this sentence reads as "That a nice idea, but untenable in practice." rather than "Open source is necessary, but shouldn't be considered sufficient." which strikes me as counter-productive to the objective of easily verifiable software.
We'll never have real trust until we get the ability to fabricate our own processors in our own home just like we already have the ability to write our own software.
This doesn't help completely unless you fabricated the fabricator on trusted parts as well. Unless you trust it there is nothing to prove that the fabricator isn't inserting back doors into whatever it prints.
Well, I would love to print out my own cpu in the garage, but until then, I would also be happy, if the factories producing security critical HW, get frequent audits by qualified personel. Certifying and reviewing the build process.
I know Xiaomi is not the best brand to buy for privacy, but I consider their products one of the best in terms of value for money
I own a few Xiaomi devices, I simply install Blokada on each one of them and I think you would be surprised by how many non Chinese domains it blocks, Google being one of the worst offenders.
EDIT 2: paradoxically knowing that Xiaomi is a Chinese company make buyers more aware of the privacy risks involved. It breaks that false sense of security associated with electronic devices that many people believe in.
There are a lot of binaries other than Android that run on Smartphones that you cannot possibly control from within Android even with fully-privileged apps (let alone restricted user-space apps). And, even within Android, because Blokada doesn't support "Block connection without VPN", there's no guarantee that apps don't bypass the VPN it sets up. Besides, Blokada leaks DNS requests over TCP (only handles the UDP ones) [0]. All of this is discounting the fact that Blokada has a hard-coded list of applications it blanket allows by-default [1].
Also, these fingerprinting bits in their code-base doesn't inspire confidence either [2][3].
I'd not consider Blokada a serious security app at this point, though it does have the potential to be one.
About your second edit: If you live anywhere on earth that isn't in the geographical area of China it would likely be better to have data going to China than the big US corps. For most it is unlikely the data could be used against you in anything from ads to a police raid, unlike with something like Google collecting it where it will almost for sure be used and useful.
I hear this a lot, but it strikes me as being short sighted. That only works if the status quo remains so forever. Maybe 5 or 10 years from now, relations between the Chinese and US governments gets cozier, and part of their deal includes sharing of this kind of data.
Or maybe the US government knows it can't legally collect certain information on its own citizens, but can rely on China to collect it, and then purchase it from the Chinese government.
Then there's the overall argument against: I don't want any government collecting data about me, period. It's none of their damn business, regardless of the chances of me having to interact with them in any capacity.
The pessimist in me assumes that's because it's a good cover for the intelligence agencies data sharing agreements between the US, China, India, Russian, North Korea, et al.
|This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points.|
If the very first people (presumably the "higher ups"/more prestigious designers) in the design process miss such things, it is very hard to call them out in a societal construct that is the business construct that has become Xiaomi and the Chinese Government.
It's hard enough in some companies for QA to question software engineers and not catch backlash in the US when making games. Companies like EA, Atari and Nintendo are notorious for it. Apple used to shitcan QA who didn't treat "the talent" nice enough, and they weren't a quasi governmental entity.
You're right, of course. But man, that's a big frog in your throat to go up to your manager and say, "Sir, I'm sorry but this whole process has issues. Here's the fix, but it means a redesign of a core process." That's tough. That's double tough.
This is something that a company with a mature security posture needs though. Yes it's hard, but that's the point.
There are many ways to work around this, having teams whos incentives are tied to finding issues, maybe in a different reporting chain or office or country to those writing the software is one way.
I think incentivizing and anonymizing issue finding by restructure sound like amazing ideas, to be honest. Having batch issues come in to the devs via bug tracking software and conversations be labeled with a user ID rather than name would make a world of difference; so would basic professionalism. An understanding that it isn't team against team. Sdets (and manual testers) are not adversaries to devs or management... Though, I think a lot of devs realize this but project management/producers have a harder time understanding this. This is where I think a basic understanding of coding and the development pipeline would help a lot.
If your design is "accidentally" indistinguishable from intentional state-sponsored surveillance, does it really matter whether you arrived at it through malice or incompetence?
That can be explained as a bug, but tracking what you typed into youtube search boxes doesn't seem like a bug and has no justification in terms of performance optimization.
>I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice. This paragraph seems to suggest a similar problem at Xiaomi.
ASFAIK, Xiaomi does not sell any critical infrastructure equipment, nor is it installed anywhere; not entirely sure why GCHQ or NCSC would be involved, especially when there is ambiguity around which/what equipment they should be conducting a code review upon?
With regard to Huawei, there was no decisive conclusion, despite a comprehensive security review. Furthermore, it has been business as usual for currently installed equipment. All future decisions will be based around the 5G infrastructure.
Presumably phones used by government employees in relation to sensitive data are security critical? I'm not aware if their phones are being used in the wild in such a way but it's not hard to imagine such use cases.
Here in Europe, Huawei and Xiaomi are two of the most popular phone brands I see in shops. Even if the government isn't actually buying them to issue as "work phones" for employees, those employees are certainly buying them for personal use, carrying them to sensitive places, and leaking their own life details.
You'd have to be a complete idiot to believe that the CCP isn't happily digging through all the data they send back.
> This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points.
Seems more likely this was done on purpose so if they got caught they could say "Junior engineer made a mistake. So sorry."
My corollary to Hanlon's Razor is "When you and/or your associates have been caught being malicious multiple times, Hanlon's Razor no longer applies to you."
Another possible explanation is this isn't a bug, but intended behavior. If the browser hasn't been used for 90 days, this might be a good indication that the phone has changed hands, and you need to generate a new ID.
Xiaomi is awesome phone for it's price tag you just needs to flash custom ROM like LineageOS. And they don't even make this problem contrary to other manufacturers like Samsung.
>>The article accuses Xiaomi of exfiltrating a history of all visited websites.
Is this our definition of spyware? I see countless articles float by on HN about super cookies, spy pixels and browser fingerprinting. Those do effectively the same things, track users against their expressed wishes, but we just don't call them spyware.
>American company will collect data to show you ads and profit
Unless you get a target on your back, in which case the American company will provide the American law enforcement agencies with whatever data they want to take action against you and your family.
Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".
FWIW I didn't read the gp as supporting data collection, only noting a difference between corporations gathering data and governments. I don't support data collection, but I do think the distinction is useful.
> Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".
Really, that is what you got from my comment.
In the case of CCP it can even be who you are, as in Tibetan, Uighur and so on.. Or, a national of a different country that China wants to spy on, or a relative of someone that China thinks has a differing opinion from CCP and so on..
It's not even on the same planet, let along in the same ballpark..
well under the trump administration, we were at the state where ICE was getting tips from unlawful traffic stops and deporting said immigrants/refugees.
I think this point is very debatable, but I do think there's at least 2 good distinctions. 1) there's a difference between a corporate entity gathering data and a government. There's a difference those entities could potentially have on your life. In the latter case there is a bit of an arms race, like Google trying to grab all your data but also not sharing it with Facebook. In the latter case a government can consolidate all the data. 2) There's a big difference between your government collecting my data and my government collecting my data. This can go both ways too, but there's a lot of factors that dictate this: are our governments friendly with one another? Do I trust my government? How much? Do I trust your government? Etc.
They really aren't the same and personally I'd rather not have my data collected, but I'd rather it be dispersed with a corporate arms race who aren't allowed to set laws than an aggregate that belongs to a party that has much more control over my life.
Would I rather have some data harvested by the local three letter agency and some by a random Chinese company versus all my data harvested by an American entity (most western three letter agencies share with the US)? I would most definitely rather have them out of the reach of US spying even if it means sending it to China instead. You might consider PRC hostile but how much do you think it takes for your data to get US agents come knocking on your door versus PRC agents? Sure today it might not happen but in your parents youth it could have. In your children's lifetime your words today might harm them.
The short version is that unless you live inside the PRC data harvested on you is highly unlikely to matter no matter what you do. Inside the US or US allies? Be careful.
I would go the other way. What can China do to me unless I go there? Vs what can the US do to me since I live there, and even if I don’t live there, the US government reach is a lot wider.
> American company will collect data to show you ads and profit. Are they really same?
And your kids data. Grades, searches, web history, pics, diaries. I can totally see new private APIs for recruiters, banks, insurances - like personal assessment scores.
to show you ads and profit, filter what you see online, decide your eligibility for housing and credit, imply your guilt by association or poor classification... and so on.
Remember anything about Snowden's leaks? American companies happily share all the data they collect with local police departments and intelligence agencies, in bulk, with absolute impunity.
If anything, you face a much greater threat from the American intelligence apparatus than one in a foreign country.
1.) Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.
2.) People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc.
3.) We don't commonly call billionaires who live in the middle east, china, and other non-western countries "oligarchs", do you know why?
Why are you so upset about Xiaomi getting called out?
I see people calling out Google regularly but rarely is Chrome explicitly termed "spyware", although it very much is: I had to configure G Suite managed browser settings recently and there are like 4 different backdoor ways that big G can "incidentally" process your web traffic and keystrokes: enhanced safe browsing, image alt text accessibility service, uploading your downloads to a scanning service, browser profile history sync, "make the web better" history upload opt-in, et c et c et c.
Pretty clear that GP understands this, since his next point specifically addresses Google. I think he's saying that Xiaomi is also a big company, albeit less big. Seems like a fair point.
The GP responded to each line in the original comment with a number. So, their point about Google (point #2) was seemingly unrelated to their point about Xiaomi's market cap (point #1) as they addressed different parts of the original comment.
The GP mentioned Google perhaps not because of the market cap mentioned in point #1, but rather as a response to the original comment's mention of American companies.
This is further evidenced by their use of point #3 to refer to the term oligarch, which was the third topic raised in the original comment.
You can see how not clear this is based on other replies to the comment as well.
This is a very interesting chain on how people interpret comments. To me (and you) it is obvious that GP only had one reason to mention Google (the 1.4 trillion valuation), but both the OP and the person you are responding to were convinced the GP "didn't get it". Fascinating.
>Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.
I'm referring to Google with that valuation.
>We don't commonly call billionaires who live in the middle east, china, and other non-western countries "oligarchs", do you know why?
Propaganda? An oligarch is a rich person with a lot of political influence. Sounds like an average billionaire to me.
>People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc
I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.
>Why are you so upset about Xiaomi getting called out?
How much political influence do you think someone like Bezos really has? Everyone in washington hates him. No one wants to do favors for him. They drag him in front of congress do get a bunch of soundbites to play next election cycle.
They win elections on shutting down his headquarter plans. They want to break up his company, raise his taxes on unrealized capital gains, they want to force him to divest his personal investments like WaPo.
Same goes for other billionaires. You think there's a lot of love for Ken Griffin? Or the Google founders? Or Jamie Dimon? Of course not.
Billionaires are a common bogeyman for the populists that have ruled the capitol for the last 10 years or so.
On the flip side, there were municipal governments literally giving Amazon powers over taxation and spending[1] to get them to set up their headquarters in their city. I think this is quite a bit of political power myself.
In public, sure. Behind the scenes, they're taking meetings with his lobbyists, and somehow the tax raise never happens despite politicians talking about ad nauseam.
Part of modern politics is running a kabuki theatre of performative populism on the campaign trail. Not much happens once they are in office, because you need quick wins ahead of the next election.
also note that the Asian billionaires are learning for people like bezos/gates. In public they may be hate figures - but everyone orders from Amazon. Tax breaks for large companies.
(i.e) use thinktank to pass legislation to make everything they do legal.
Which is a performative act of solidarity with warehouse workers. What happens if those in right-to-work states unionize and get sacked? Biden isn't shouldering any of the risks they are.
Actions matter more than words. At this time, it's not even clear if Biden will go to the mat for a nationwide $15/hr minimum. That would do far more to incentivize Amazon to improve working conditions, as its $15/hr starting rates would no longer be competitive.
>the populists that have ruled the capitol for the last 10 years or so.
So the instant someone is elected they start calling Random Joe for funding their next campaign? Of course not. Politicians talk to people who help fund them, that or they are out. Having a politician's ear is power that Random Joe doesn't have. Using Bezos is disingenious. How about Musk or Bill Gates or one of the many rich oligarch families who have the same name as former presidents? Don't pretend money has less power in US politics than in Russian politics. If anything it is worse.
> I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.
You seem pretty active on HN so I'm a bit skeptical that you honestly believe this. But I'll respond in good faith anyways. Here's the first result from Google (didn't even use DDG)
- (Washington Post) Goodbye, Chrome: Google’s Web browser has become spy software[0]
But since you're active I'm sure you know about The Social Dilemma, Snowden, etc. I've seen episodes on 60 Minutes, CNN, Fox, and pretty much everywhere that calls criticism to companies like Google and Facebook. Does China get called out more often? Yeah. Why? Because we're in a cold war with them. But still in many of these pieces I've seen them make slights at American tech companies. Things like saying that what they do is bad, but what China does is worse.
I know you were referring to Google, that is why I made the point about Google. Xiaomi is a tech company with a personal data spying program and is worth maybe 50 billion, and supposedly the "4th most valuable startup in the world," if you trust Wikipedia. My point is that the valuation is based on the profit potential that investors see, not how ethical either company actually is. And both derive a non-zero amount of that value from spying on humans.
The Russian oligarchs are a group of people that grabbed large amounts of wealth by reaping the downfall of the Soviet Union. They are a very specific, well connected group of people outside of normal Russian billionaires. The reason specifically that they are oligarchs instead of just normal billionaires is that they are very plugged into the government and sway its operation. And I know there's some cynics out there that will be like "well that's just billionaires in general" but I encourage you to learn about the leverage this group of people have on normal government operations.
With regards to the observation that no one refers to Google as spyware, I don't think I see this either. But I do see tons of mainstream articles raising the point that Google spies on users. The problem is that (it feels like, at least) only us tech-inclined seem to care:
>The report found that 80% of Americans think at least one tech giant is listening in on their conversations: Facebook at 68%; TikTok at 53%; and Google at 45%. But only 18% said they had deleted Facebook because of privacy concerns.
I fully agree Google is just an advertising company dressed up, and also further propose that its open source contributions and tech projects are its robing. I think there's still room to criticize other companies however, especially since privacy issues from companies like Xiaomi don't often get featured on HN.
There's a big difference between Google exploiting private data to sell you more things, and a different company exploiting private data to hand over to a police agency that arrests individuals for having the wrong political views.
I'm not suggesting the former is without fault, and fault by one does not absolve another. But you're right in that these are two very, very different things.
Oh, yeah definitely. I just dislike getting into those weeds specifically because it gets people weighing wrong on scales instead of actually calling out both wrongs individually.
But does the Chinese company fund your pension plans, pay wealth back to the government, and employ tax paying citizens in America? Where do you want to asset valuations to be located - in your own nation, or another?
They're just labels. Good polls are hard to do, and so it is quite hard to know whether these labels hold value in mainstream thought. For e.g. Do people under oppressive/spying regimes see Google in the same light when it comes to data collection?
I'm not sure oligarch means what you are thinking it does. Here is a wiki article which might help clarify why you'll sometimes hear the term used when describing certain Russian billionaires and why you won't generally hear the term used for billionaires from other countries: https://en.wikipedia.org/wiki/Russian_oligarch
Note: it also isn't a derogatory term, as it appears to be implied here, it just is an identifier of how wealth was accumulated.
> This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.
Seriously, this is what you're going with?
Russigan oligarchs are people who just straight out stole national assets from the Soviet Union/Russia, with the help of the current ruler. There's a relatively clear definition:
I don't know why you're being downvoted, the word has a very precise meaning. As much as we can whine about Google and such, all of them solved a valid problem many people were facing, and they did it brilliantly. For a really long time Google Search really was the only game in town.
The problem we have is with their externalities. For oligarchs, the main line of business <<is>> the problem.
I don't grant your premise that the U.S. government's level of access to Google data is the same as the Chinese government's access to Xiaomi's. I also don't grant that the two governments are equivalent threats to privacy. You would need to demonstrate both of those things for me to be on board with your argument.
But, the point I actually want to make is that this implies that people aren't concerned with Google's use of their private data, which I think is demonstrably not true, given that they've got multiple open lawsuits against them over it.
> I also don't grant that the two governments are equivalent threats to privacy
So for someone like me, living in a 14 eyes country, are you saying it is worse for my privacy that a government on the other side of the earth that my government doesn't really like might have access to some of my data is better compared to a country my government are sharing data with who also have access to pretty much everything that happens online? I know for a fact that no matter what I say or do online PRC agents will never knock down my door. US agents? That would be quite a lot easier. In less serious waters, privacy is also worse as we know from Snowden that the US not only harvest everything it can but it also share it with US businesses. Will I ever see ads based on an algorithm trained on data from both sides? No idea, but I know which one would be worse for me by a long shot.
> This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.
Russian billionaires came to their wealth purely through corruption - i.e. using via their connections during the crucial years of transformation to market economy to buy huge state-owned industrial companies for 0.1-1% of their real value.
Ummm, Xaomi also has a high valuation, and Google gets called out on privacy all the time, including many times in this very discussion.
Russian Oligarchs are called that because they are about two dozen people who looted about 95% of the country's wealth and are basically a transnational crime syndicate masquerading as a govt.
I can't tell of you are deeply clueless, trolling, or spreading dezinformatziya. Either way, perhaps you should remember this quote from famous American author Mark Twain: "It is better to remain silent and let people think you are a fool, than to open your mouth and remove all doubt".
Hmm, I mean why Chinese capitalism is so powerful? Because the government sanctioned and allowed the capital's all-reaching power.
Do you believe CCP is so capable to utilize such tools?
If the answer is yes, then you should ask yourself is there any realistic chance of overpowering such a technologically advanced "government". And how much more powerful the private sectors would be. Think about how much gap is between silicon valley and US government in technological capabilities.
This framing of pin everything as government sponsored activities make it very difficult to correct such behavior effectively. Because they were easily brushed off as intentional attack on the nation.
Why not just put it as what is?
I mean 996 in Chinese high tech industry is killing the quality of the work. That's obviously the right reasoning right?
I don't think whatever point you're trying to make is very clear. There's a lot of insinuations and suggestions, but you're not actually making a point here.
Xiaomi phones are insane, at least BlackShark. They replace virtually all the major user level stuff of Android with extreme data collecting alternatives. They then make it so that you cannot disable many of them (via adp, custom ROMs etc.) without bricking the phone, I'm talking wallpaper or clock apps that run with full, non-modifiable privileges. They subsidize cheap hardware with truly insane level of tracking.
They will also stop allowing custom ROMs once they've built up enough reputation, some newer models already will never have custom ROMs.
stock android apps have sensible default permissions and are modifiable, e.g. clock does not have unmodifiable access to every aspect of your phone. clearer?
If you cannot replace the software on the Black Shark with alternatives without possibly bricking the phone, I would say that's a substantial deviation from the norm where most other devices have unlockable bootloaders and Rom support using LineageOS.
I have a 5 years old oppo phone and decide to use it as podcast device. A few odd thing about this phone:
1) My Google, IG accounts both sent me security alert about successful login attempt from from Thailand, Vietnam. I 100% sure I only created the IG from this phone once and have not used that password from anywhere else.
IG Username / password was taken from this phone and attempt to be login from somewhere else.
2) I can't get the phone to disconnect from wifi. I put the phone on airplane mode, disable wifi, bt, etc. Manually change the wifi password to something else. it always successfully reconnected back after a few days with old password. There are logic in the phone can try very hard to state connected online. It remembers old password and successfully connect successfully with it after a few days.
Only rename the wifi ap in my router seems to finally permanently disconnect it from the network.
3) I have let the phone back online and created Google account that is 100% unique to this phone. Love know how long would it take for the login attempt for that G account from Thailand/Vietnam start to show up.
Xiaomis are pretty good and cheap, funny that one would care about the browser (which is optional, as you can install any browser you want) while Google owns your entire OS, but China bad US good amrite?
Sure unless you are someone whos beliefs actually matters like a reporter and the CIA hacks your car driving assistance or you are found dead by suicide of two shots in the head.
In other news, Xiaomi Roborock vacuum cleaners require you to enable GPS permissions and transmit back Wi-Fi PASSWORDS and floor maps back to their server.
They've really been on a privacy invasion spree lately.
Unfortunately, xiaomi's business model is to sell hardwares with little to none profit margin and make profit as a internet company, I.e. advertising and so on. I give them the benefit of doubt that 90 days renewal was added and didn't work due to not unit tested maybe. Still, it is the same ad business as fb. I love the look of their phones, but I would pay for an iPhone for the benefit of secure os and better privacy
They give away low cost hardware because it's a military branch of the government whose purpose is establishing a global surveillance network. Being profitable is a nice to have but not a primary purpose as they get subsidized by the state regardless.
Okay. So Chinese government keeps pumping money into Huawei, Xiaomi, Tencent, Alibaba, Tiktok and many other businesses so that they can ..... make money? You have to ask an economist for how this works, I am not intelligent enough to figure it out.
I assume that anything is spyware unless proven innocent, especially on mobile where surveillanceware is effectively the whole purpose for the platform's existence.
Are [computers] spyware? Yes, they are (2000) should be the title.
If you use a computer, smartphone or IoT device then yes, it collects data, just as Facebook runs ads.
What's collected these days:
Your social circle,
every time you connect to the mobile network, when, which tower you connected to, tx/rx bytes, who you phoned, where the callee is located
Whether you're in a car, walking (sensors)
Whether your sleeping...(a recent Google blog post talked about a new "sleep tracking" API).
You generate data as a human, interested parties (governments) collect that and will store it for the rest of time. I suspect there's a database of every URL visited by any human in the last 20 years.
This is not surprising and should surprise nobody.
Xiaomi devices are usually at sweet spots price/performance-wise (not really great hardware imo, but well). With custom ROMs (including my GSIs, but other custom ROMs are fine as well), buy a phone for their hardware, not for their software. (BTW my daily driver is a Pixel 5... not running Google adwares! Only high-end-ish device that fits my hand).
However, Xiaomi devices are bricks for like a month, because before being able to install your own software, you need to be approved (connecting a smartphone on a Windows computer), and it's only once you get your smartphone that you can install your own software.
I've never made any GSI without storage encryption, and My GSI have always been running SELinux enforcing.
Some kinds of GSIs have those kind of issues, but it's only those that are binary ports from OEM ROMs, like port from Xiaomi or OnePlus ROMs, but proper source-based GSIs shouldn't have those issues.
Hm, I distinctly remember using specifically your GSIs mid 2019 (and would love to return to them) on Mi Max 3.
In early 2020 XDA thread [1] I was suggested to use phh-securise to reenable SELinux, which suggests that it was not enabled by default at least back then. Never got to try phh-securise, since the encryption part of the response was not definitive.
Prompted by your comment I reflashed my Xiaomi today with the latest A/B GSI [1], and the phone seems to be encrypted. Many thanks for your great work!
Our schools are dumbing down math and removing advanced classes (if you can even go to school) because of “white supremacy”, meanwhile China is investing full speed into engineering disciplines and is performing extremely effective espionage against virtually all Americans.
I don’t know if there will ever be a sino-American war, but if there ever is one it’s going to be very painful for us.
>
If you use Mint Browser (and presumably Mi Browser Pro similarly), Xiaomi doesn’t merely know which websites you visit but also what you search for, which videos you watch, what you download and what sites you added to the Quick Dial page
Yet people in Europe they LOVE Xiaomi. I swear I’ve seen so many of my friends with those high end 500$ phones.
Even if they are tech guys it’s like they just don’t care , they want the most powerful phone with the most features at the cheapest price.
At this game Xiaomi and other Chinese brands have become very good.
That being said Google as been doing the exact same thing for 30 years. Nobody ever considered banning google from anything.
I live in Europe. If I weren't a privacy nut I'd pick Xiaomi any day over Apple or Google. Now I use Android with OPNsense in front of it via VPN. Chinese phones doesn't log more than the other smartphones.
504 comments
[ 1.9 ms ] story [ 257 ms ] threadDoes Google collects our navigation data? (Yes if we are using chrome or android and logged in)
Does Google knows what videos and what kind of videos do we watch? (Do you need an answer?)
Call it's a spyware because is a chinese company? Really? Nah. Google does the same or at least worst than it.
I'm neither defending Xiami nor Google. The question is: almost every application does data collection. And if you call it as spyware, therefore every app which does data collection is a spyware.
Or Google being spyware somehow makes Xiaomi spyware less shitty?
> Or Google being spyware somehow makes Xiaomi spyware less shitty?
Absolutely not, but both of them doing it defangs certain types of criticism.
False equivalence. If people in here actually broke down the differences, they would have to admit that their "Grr, Google just as bad!" hyperbole is more than just a tad disingenuous.
https://www.zdnet.com/article/sources-mozilla-extends-its-go...
Don't get me wrong, Firefox is clearly the best of the options available. I use it all the time. But I'm also very aware that there is a bigger bias against Facebook (don't actually care since I don't go near it and block its javascript and cookies) than against Google. Of course, it's not obvious that this is Firefox's fault, Google is extremely good at finding probably-shouldn't-be-legal workarounds to just about any attempt to retain privacy.
You'd think making clear you want to retain your privacy should be enough, legally, but I guess there are no consequences.
Also Google isn't under the control of an authoritarian government who is committing genocide as we speak.
I'm no Google fan and I dislike what big tech have become but I rather let Google have my data than the CCP.
This "whataboutism" is getting tiring. What Xiaomi does here is really bad. if google does/did the same thing it would ALSO be bad.
There is no "but they do it too!". It's bad, period.
Why would Xiaomi tell me to download a 26MB update from their store if the one from Google Play, where I downloaded the app it's less than 15MB?
I'll be getting rid of this phone by the end of the month.
I think the phone vendors that do that are in the vast minority.
Because, unlike Google, they don't use app bundles and partial updates?
This and chrome and most web browsers are spyware at this point.
Firefox doesn't do this.
And when you finally manage to do some therapeutic dissonance from the above default behaviour.
Whenever you use the inbuilt DoH on Firefox, FF shares this stats with Cloudflare too.
https://www.google.com/search?client=firefox-b-d&q=china+mss...
This is the same reason that Zoom is banned at my workplace and many other partner companies.
You've actually got two problems here. One is the commercial advertising/for-profit related data sharing problem described in the article. The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.
You only need to look at the past several years of news from Hong Kong and the Uyghur/Xinjiang province situation to see the stark real world difference in human rights, political freedoms and press freedoms.
(a). China is bad (yes, known)
(b). The US is not quite as bad (debatable but for the sake of argument lets agree that this is true)
(c). The US is benign
My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true. Though terms such as "country with a functioning democracy" make me think you might...
https://theintercept.com/2014/07/25/nsas-new-partner-spying-...
US Intelligence has too long a history of its own largely consequence-free abuses too. Someone else having a surveillance state doesn't make the one at home any better.
The country is an imperfect union. Although the country attempts at every turn to work towards "A more perfect Union"; clearly we have similar issues that other countries do.
In a comparative analysis, OP was merely saying the US is head and shoulders above a country that suppresses freedom of speech, eliminates political dissent and the people who promote freedom and sends them away to actual concentration camps under the guise of "re-education".
They're unproductive and flame-war prone. I downvoted your comment.
It's difficult to look past such biases if they're deeply ingrained but I think this can definitely be productive to do so. If you can empathise better with conscious xiaomi users, and understand why people use non-optimal software, such understanding can have a lot of benefits.
The level of surveillance in Xinjiang vastly exceed that of anywhere else in the world except for military installations.
US (or any) surveillance, especially over data, requires no such ownership or control.
Our laws are so damn barbaric in relation to security that it's scary.
It's gotten to the point where I nearly gave up on security. Who's compromised?
I definitely missed out on a job because I was Australian. (Confirmed later over drinks with one of the devs who I am friends with).
I'm an aussie dev, and I hadn't even considered my eligibility to foreign companies may be compromised.
Consider that your country is likely either already a five eyes member, or a "five eyes plus" member with a historical record going back 45+ years of intelligence/law enforcement data sharing between the various NATO governments' intelligence agencies.
And take a risk calculation, based on what you're doing in your life, if all your metadata and traffic was in the hands of the NSA, what's the most likely end result that might affect you adversely?
Are you actually at risk of being persecuted for anything you're doing socially, religiously, politically? For instance, if you're a German, is all of your data being in the hands of the BND going to result in anything bad happening to you?
I really don't think that's unreasonable, the fall of the berlin wall was within living memory. I hope that the NSA isn't going to do anything too, but the idea that they can't or won't is clearly not true. Staying under the radar might feel pragmatic, but I think a lot of people realize that's entirely inadequate with constantly shifting political environments.
The paradox of tolerance and an open society is that if you allow actual fascism to flourish (and Le Pen is absolutely a fascist, in my opinion), you risk ending up with something much worse in the long run.
The latest version of "terrorist", "activist" or "heretic".
But whose opinion is canon in matters of censorship? Le Pen is also a valid political candidate with fair support in her electorate.Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?
so you say "if you allow actual fascism to flourish.. something much worse in the long run" - who gets to decide what is "allowed", and what isn't?
Seems to me the basis for such stability would have nothing to do with subjective judgements of what constitutes "fascism" - and more to do with principles of democracy - i.e. a fascist entity can be democratically elected - it just can't be given powers that would allow it to override democracy, or escape legal oversight. Perhaps the key word is "extralegal"?
The problem is that too many political entities (not just far-right) seek extralegal, overreaching powers; believing it OK so long as "they can be trusted"; but if the king of today is a good king, his heir might still be bad. And the good government that allows for overreach enables the bad government that does the same.
This actually happened in recent history. Just because Hitler (and yes I must unfortunately rely on such a reference, and no, Le Pen is not Hitler, but it provides a good example of far-right vs democracy) was elected doesn't mean the entire world should roll over.
The election of the Nazis didn't justify the sweeping power transfer that resulted, including control of the press, a private party militia (Brownshirts) etc etc etc
I'm criticising efforts to interfere with who is allowed to be elected, versus limiting what powers can be obtained through election.
The simple fact that this explanation can exist and is somewhat commonly agreed by tech-savvy people is... disturbing in some way.
I mean, underlying are freedom, rights, security, surveillance, But also geopolitics, economics, philosophy maybe.
Just behind some daily tech.
Remember when this was the other way around? How did we come to this in ~two decades?
I have no idea whether it's equally bad at Google/Android or Apple. I have the feeling it's not.
I don't think China really dominates in software world-wide. Xiaomi seems more like an exception to me. Hardware is a different story.
For us that don't live in the US or China, it is just a matter of choosing between two evils. And in being pragmatics, the 90% of the population outside of China and the US does not give a damn if the US or China are spying in their mundane conversations.
You recall incorrectly. By extension of the First Amendment, US companies are protected from being forced to introduce functionality so as to collect or decrypt information (or for any other purpose). Carrying out original work for the government is considered to be speech, and as a result cannot be compelled. If the data is already collected and available in a decrypted form to the company a court order can compel the data to be turned over as evidence, as is the case with any data (or any thing) held by anyone (with narrow exceptions related to the 5th amendment).
This was a topic of national attention several years ago when the FBI tried (and failed) to compel Apple to create and sign a custom software update to unlock an iPhone.
https://en.m.wikipedia.org/wiki/FBI–Apple_encryption_dispute
Given the choice, I'd choose Cisco every day of the week. It's not perfect but then again there's no such thing as perfect security.
With an E2E messenger, you can be sure that most likely your communications are not being intercepted. With a Chinese company, your communications are never secure.
Not only are Chinese software products not secure, but they'll lie to you about their security. Zoom claimed to have E2E encryption on calls which turned out to be an egregious fabrication (on top of them exporting calls to Chinese servers).
I do think this shows the perks of open source software and being able to self-host or federated solutions.
https://github.com/awesome-selfhosted/awesome-selfhosted
Because it is much easier. I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited.
I have no time to learn how to and run and maintain my own mail server.
They make cheap phones.
Chrome is the most used browser despite Firefox doing nearly everything Chrome does the same and everyone knowing that Firefox doesn't track you like Chrome does.
It's obvious why. It's a little faster, it has more money behind it, it comes pre-installed (and unremovable) on most phones, etc.
If you're anywhere near any scene you might consider not liked by the current government (which surely also includes journalists and the likes), your domestic agencies are a far bigger threat than the MSS, as long as you don't choose to go to China - and even then, you're probably fine, unless you're fighting against the Chinese regime in particular.
And yes, the patriot act and the NSA are no joke. It's not like subpoenas are never head of (and the EU is, at least in parts, not much better).
Also it is likely the Chinese are spying on me indirectly (data collection where the chinses military can access the data if they want to) but I really have nothing significant on me that the Chinese would want to be concerned with me.
So you give them your email passwords? After all, you have nothing to hide.
Shouldn't that be a huge red flag? Any time someone offers something too good to be true, it never is.
> Also it is likely the Chinese are spying on me indirectly
Why?
> I really have nothing significant on me that the Chinese would want to be concerned with me.
It's not just about you, dammit. [0]
By accepting their offer, you validate their actions. You give them bigger reach and make it easier for them to get people that might be of interest.
https://nakedsecurity.sophos.com/2019/02/12/privacy-browser-...
Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable. Privacy should mean privacy, even if that means losing functionality on a select few sites.
> collects telemetry
https://brave.com/privacy-preserving-product-analytics-p3a/
> Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable.The claim was never about absolute privacy but rather as strong as default as possible while keeping the web functional. And in that department they are delivering more than any alternative - more than even Firefox out of the box. Not to mention that TFA itself states that the implementation was far from ideal.
Anyway, the biggest question I have for those that are so quick to criticize Brave is "what else do we have with a business model that can disrupt Surveillance Capitalism?". Apple could if they wanted, but where is Safari for Windows/Linux? Any of the others? Doubtful. Even Mozilla's dependency on ad revenue from Google makes them less credible. So why shit on Brave when there is absolutely zero potential alternatives?
does that include the free tiers that many US companies are offering?
For example: Google, Facebook, Twitter, YouTube
Surveillance Capitalism is bad and we should be fighting it.
Xiaomi phones have much higher audio latency than Samsung phones.[1] As a VoIP user, I would rather use an entry level Samsung phone (e.g., a $150 A02s) than a Xiaomi flagship.
[1] https://superpowered.com/latency
It would be very interesting to see a random sampling of 20 'non technical' users presented with such a phone, and given instructions simply "here is your new phone, please unbox it and connect it to the wifi and do things on the internet for three hours". Record a video of their interactions with the screen.
In my experience the vast, overwhelming majority of people when presented with a software popup like "Do you accept the license agreement to use this calculator?" will simply click yes/accept/okay/proceed as quickly as possible and disregard what it actually means.
I have a theory that a very small percentage of persons would actually balk or become suspicious of seeing something like a privacy policy agreement for a photo gallery or music player.
Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about. And that's why dark patterns work more often than not.
I roughly categorize UI/UX patterns into those that respect the user and those that don't. Showing a modal and making them decide something right now and right there is very disrespectful and off-putting. iOS of all things does this for system updates, low battery, and some urgent as hell alerts about your Apple ID. What you should be doing instead is use something non-blocking that can be ignored, like a notification, an icon badge, or a clickable bar at the top of the screen. Anyway, I digress.
And then, if you need a calculator, but the one that came with your phone quits unless accept the terms of use, what are you gonna do, as a non-technical person? Go to Google Play and look for a better one? Probably not.
I think most users even accept this as general setup things. When I, as a developer, want my device set up as quickly as possible, I mostly just proceed with everything.
So while I assume they're tracking users, I don't think the calculator having a privacy policy is as shocking as it initially sounds.
You are saying that if you can find a single example of X happening in domain A and a single example of X happening in domain B, then "apparently" A and B must be "no different" with respect to X. People are murdered in Japan. People are murdered in Brazil. Thus Japan is no different than Brazil with respect to murders.
Please please tell me that you are just being inflammatory and that this "find one example" criteria isn't how you go about making assessments of things.
Could China possibly have infiltrated as much of global communications networks as the NSA & Five Eyes have for the past decade and a half? Not likely! If we didn't have such successful digital espionage programs, would we instead rely on our corporations to spy on our behalf? Very likely, seeing as we've already done that too.
It's more that consumers around the world have been brainwashed into believing huge markups are the default and must be accepted.
That of course does not alleviate the data collection concerns about Xiaomi, but it is unfair to say that given the production apparatus to produce at scale and the ability to absorb losses initially, it is not possible to make devices this cheap.
The Xiaomi phone is better and more attractive in any other way, except privacy.
But I agree that software from significantly non free nations is extra concerning.
Because outside US it doesn't really matter whether it's Chinese or American company that has your data.
EDIT: you have to understand that the cold war is over and you can't replace USSR with modern China, my country has good relationships with both the US and China so it doesn't really matters who's spying on you, they are "good friends" anyway...
- Australia has similar laws.
- Snowden releases showed the US don’t even ask, they just take it.
So it’s not like there is a huge amount of difference around the world.
I am not familiar with Australia privacy law, could you give me a rough idea what is look like?
Snowdon case made the US government look bad, please don't use the same reason to make the Chinese Communist Party look good or OK.
It's kind weird when something bad happens, everyone just points at the US and says they do that too! The CCP did something bad, Somehow it's OK because the US government did something bad.
If you are an US national and living in the US, you can complain and bitch about your government all you want and not worrying about your safety, hence you can talk about the Snowdon case or berate the president, and things might change. Would you dare doing that in Chinese soil even if your are not Chinese.
This isn't excusing the behaviour, it's pointing out that "privacy" is not a justification for not using Chinese goods, because American goods have evidence of exactly the same compromise.
I assume it's the Australian Assistance and Access Bill that's being referred to here. It has nothing to do with privacy. It's prime job (which isn't hidden - it's spelt out in the explanatory notes) is to circumvent encryption by accessing the data at the end points, where it isn't encrypted. It must be unencrypted at the end points because humans can't read or listen to encrypted data. https://searchsecurity.techtarget.com/definition/Australian-...
The bill gives several government agencies the legal right to coerce any software company to "assist" them by writing a bug that is invisible to the OS. The "access" part gives them right to coerce a software company to distribute software to any device they target (there is legal oversight on who they can target).
To fill this out with a concrete example, they could compel Google to provide a version of the Android Google Keyboard that records all key strokes and the name of the application it is are sending them to. They can then force Google to install that keyboard via their auto update mechanism. Notice that using an open source program like Signal that securely and correctly encrypts everything, and comes from a trusted source is not a useful defence against this.
Both of these powers are accompanied by an automatic gag mechanism, meaning if Google revealed they were asked to do either of these things someone would go to jail. The provisions in the act for reporting when and where these powers are used, so the voters could have some say are to put it mildly weak.
Although Australia is very clearly a country that operates around "the rule of law", in the end the only difference that has made is we know they are doing it, whereas China could deny they are doing it. In reality, I don't think China tries to deny the Great Firewall of China, or the invasive probes they force citizens to install to support their social credits system.
So yeah in my view OP is quite correct. If there are differences they revolve around how widely these things are deployed, not over whether they exist. I presume my home country, Australia, deploys them a lot less, but they go to a great deal of trouble to ensure there is no way to be sure.
I dislike results of either, replacement of both is on my oversized TODO list - and was there since at least two years.
I dislike that USA government, China government and God knows who else has full (partial?) copy of whatever I ever typed on my phone but I did nothing beyond selecting Android Zero, declining "send all what I typed to Google" and declining gloud sync.
(I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited)
Anyway, you're right. In practice, protecting your privacy is a massive hassle. I just do it step by step, knowing that even half-assing it is better than nothing.
For email I basically gave up (for now) as it will likely leak on other side anyway.
But I aggressively avoid cloud sync, and my files on cloud are either public or locally encrypted before uploading. Well, at least it protects against non-targeted attacks.
> I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.
:)
Just in case that you have an Android phone - I recommend StreetComplete, it allows limited editing with zero OSM-specific knowledge. Registering for OSM account is the most difficult part.
It works by asking about already mapped elements, while you are in front of them. See https://github.com/streetcomplete/StreetComplete#screenshots
I am glad that you like SC :)
Even without wifi access it is vastly superior to previous choices. At similar pricing to my previous one.
I’m quite wary of the whole monitoring scene but my next air filter purchase will be a Xiaomi again.
Can’t really speak to their other products but on that front they have made a convert out of me despite my aversion to questionable data practices.
Also apparently it’s home assistant compatible. So HA it and firewall it off is the plan
I know, I know, you're thinking that doesn't either, but you can control it remotely through an app or website, and automate certain actions. You might want your air cleaner to start running when you leave your office, for example so that your air is dust-free when you get home.
I've actually used a Xiaomi light remote-controlled over the internet to simulate being home while on another continent so that anyone casing the place for a burglary might be dissuaded. I disabled its internet connectivity when I was done with that.
https://smartairfilters.com/en/blog/xiaomi-purifier-auto-mod...
A dominant China is interested in promoting their own values of Xi thought. And they're working very hard to promulgate it. Their coercive ability is remarkable in how it's already transformed Hollywood. Their ability to do so will only increase.
[1] https://en.wikipedia.org/wiki/Document_Number_Nine
You have quite literally also just described the US.
"China and Communism are a threat which we should seek to undermine". It works both ways.
[1]: https://www.politico.eu/article/xi-jinping-turned-me-into-a-...
For the last decades, the US has been actively trying to undermine -- mostly covertly, sometimes more openly -- leftist parties and organizations in Latin America (more often than not completely unrelated to China), so...
And we can't forget many Euro citizens simply don't care.
Fixed that for you. Xiaomi offer an official bootlock unloader for their shitty MIUI roms which no one else on the planet does and is one of two companies out there that sells stock android phones. They are the easiest mobiles on the planet to install LineageOS on.
Imagine being on HackerNews and not at least slightly acknowledging the fact this company makes the most hacker friendly phones on Earth. It's honestly embarrassing.
Feel free to sniff the packets on any other device and realise how prevalent phonehomes are and how the eyes can access all of it on a whim if it's going to non-Chinese companies.
If you were an activist in the Western world I would only recommend a Chinese phone to protect yourself.
Cointelpro is still roaring hard today.
https://en.wikipedia.org/wiki/COINTELPRO
Zoom is banned as a result of marketing efforts of competitors like Microsoft and Google. I have worked in companies which have either Microsoft products banned or Google products banned.
1) make a Xiaomi account with
and
2) insert a SIM card to the device (!)
Is that not insane? Other people seem to think so too: https://android.stackexchange.com/a/186052
Apparently the only alternative to this is rooting the device, which may break it.
Get a pixel or a oneplus.
Mind, it's strictly a development phone. It sits on my desk plugged in, unless I debug those Android apps. No sim card in either. My personal phone is an iPhone XS.
And although Lenovo is now China-owned, the Moto line is still pure Android and no bloat.
Did a lot of research and the the last gen G Power is the best spec'd budget phone around this price point that is not a Samsung and sold in typical NA big box stores.
Apparently this is a huge problem in China, where there seems to be quite literally no trust at all on online shopping. This actually does seem to be the case if you try buying devices from any NON-xiaomi-official store Aliexpress shop. They're usually $0.01-$1.00 cheaper, and are guaranteed to be packed with massive amounts of malware. None of which can be pressed "disable" or "uninstall" (greyed out).
They use fake reviews and fake buyers much like Amazon in the west, to inflate their order count and ratings to be sorted above Xiaomi official store
The resellers get paid a few dollars for the malware install. I think the most common is people reselling to ship out to other countries, and not sold in China itself.
The aliexpress shops get shut down, negative feedback, but they just open another. Note that aliexpress actually shuts these down in the first place and is "reputable" end of things. Never ever buy devices from gearbest, wish, etc. - ever .
If Lineage starts supporting this device, I'll definitely move over from MIUI.
https://xiaomi.eu/community/
ps: Sadly, the Pinephone is permanently out of stock, otherwise I wouldn't even consider anything else.
You need to insert a SIM AND use mobile data on it (ie. turn off wifi, enable mobile data). Just inserting a dummy SIM card won't work.
For me this was enough of a reason to send the device back, but I started fiddling around and ended up being able to use USB debugging without an Xiaomi account. I don't remember how I managed to do this, I think I had to disable a specific MIUI optimization. No ADB had to be used for this. I think it was this https://android.stackexchange.com/a/185876
I'm also pretty sure that I did not insert a SIM card at that point, because I was still using the device-to-be-replaced on that and the following days.
I think it's just a lot of tactics which they use in order to push you to create an account, but ultimately it's not required.
That being said, I really despise their MIUI, all their modifications. Everything about it attempts to make you use their products, even if Google's apps are already installed.
For me, the Android experience which the Pixel devices give you are all I want. Even Motorola's minor enhancements are something I don't want on a new phone.
Yes I personnaly find it very schocking.
Bought a Samsung A20 for the same purpose, no need for a sim or any sort of dev account.
Plugged the usb cable and a few minutes later my nativescript app was running.
And no, you can't break an Android device by rooting it. Worst case you'll have to reflash the system partition through recovery.
Come on. Do better.
> The intention here seems to be that aigt is the timestamp when the ID was generated. So if that timestamp deviates from current time by more than 7776000000 milliseconds (90 days) a new ID is going to be generated. However, this implementation is buggy, it will update aigt on every call rather than only when a new ID is generated. So the only scenario where a new ID will be generated is: this method wasn’t called for 90 days, meaning that the browser wasn’t started for 90 days. And that’s rather unlikely, so one has to consider this ID permanent.
If we assume that Xiaomi aren't literally trying to spy for a government and are in fact just poorly calibrated on what's legitimate to collect for product analytics purposes, this paragraph highlights why that's still incredibly dangerous despite "good intentions".
I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice.
This paragraph seems to suggest a similar problem at Xiaomi. This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points. The fact it wasn't suggests that these stages either don't exist or are insufficient.
Is that even allowed by Chinese law?
https://support.google.com/transparencyreport/answer/9713961
... it is the same as China. Or is that the joke?
At this point, this is table stakes for big tech and it's completely anti-democratic. China may have a very good domestic dragnet but clearly it's playing catch up compared to the foreign intelligence assets the USG (and five eyes) has.
Remember that one of the leaks was that the NSA tapped unencrypted Google backhaul in transit without Google's knowledge.
There's a difference between panopticon fearmongering and citing specific information we should be wary of. The former leads to apathy. The latter leads to action.
To be clear, evidence that some telecoms have, or that some major tech companies have is insufficient.
Extrapolating some into all is unreasonable. Do you have more proof it's the latter?
Also, there's these nuggets:
https://www.fastcompany.com/40481463/facebook-wants-to-hire-...
https://www.rt.com/usa/399256-mattis-amazon-bezos-trump/
Thinking America's largest monopolies and America's government and foreign policy are at odds over more than superficial things is probably not an accurate view of the world. America uses our corporations to advance nebulously defined "national security interests" and corporations use the government to get rich(er).
Open source and verifiable down to the firmware is the only chance we have at any real level of trust, otherwise as is always apparent in these conversations, it often falls otherwise to who you think could compromise your device and making your bed with it, like USA not China or vice versa
[0] https://puri.sm/posts/purisms-ceo-todd-weaver-testifies-at-s...
[1] https://wp.puri.sm/posts/breaking-ground/
What happens when I install the FB app on a Purism enabled device?
My way to go until now has been installing as many OSS apps on my smartphone as possible, to the point that even the keyboard and the launcher on my smartphone are installed through f-droid.
That's the main reason why I prefer Android phones over Apple ones.
This can work where everything is in the open except a private firmware signing key.
Cell phones only work because the millions of devices run within strict limits and behave reasonably. There's not a lot of difference between a properly operating radio and a radio jammer. Purism isn't going to find a baseband vendor that's going to risk their licenses by allowing for open source firmware.
As far as I know, there is no licensing whatsoever for baseband makers?
Where did you get that it is?
This is why a baseband processor is a fully separate component from a device's application processor(s). Since the AP doesn't talk directly to the radio it doesn't need to be certified and can be updated without recertification. The BP can also get certification and any manufacturer using that BP doesn't need to re-certify it. The interfaces are also such that the AP can't (or shouldn't be able to) tell the BP firmware to boost the output power above legal limits or something.
Radios that have "open" soft modems don't typically have fully software controlled radio front ends. The radio front end will have its statutory limits baked in electrically or have very limited software control. The modulation on the back end isn't as important as the front end. Broken modulation just means you can't talk to anyone, an overdriven transmitter is effectively a radio jammer or can give someone an RF burn.
Can you point where it is stated?
If you're actually interested read the regulations and look up some FCC IDs for devices.
It's very different than if I modified the firmware on my hard drive or UEFI on a PC. I might fuck up my stuff but it doesn't affect you. I can fiddle with my hard drive firmware all day but I'm not going to block a 911 call you're trying to make.
Also a company giving out modem firmware is an exception and not a rule. It re-classes the device as a hobbyist/experimental device and if they go traipsing around with it they could potentially face fines (unlikely but possible).
Again it's not about lobbying it's about a limited spectrum and people being stupid/assholes not realizing or caring their pocket radio affects others. You live in a world where shitheads try to make their cars louder on purpose and you can pick up dozens of WAPs because everyone sets the power to the highest number the interface allows.
While I agree with your intent, the problem is that, many open source software is not verifiable.
Remember that a Kaggle competitor was openly cheating with his published code? (cf. https://www.theregister.com/2020/01/21/ai_kaggle_contest_che... ) Eventually he got caught, but it's sometimes extremely difficult to spot a well-hidden malicious code in a plain sight. We need to be much better at analyzing software.
I think maybe some replies have interpreted my comment as naively assuming that open source firmware would would mean complete trust. I just think it is a good step on the journey.
Open source software is more verifiable than closed source though.
> While I agree with your intent, the problem is that, many open source software is not verifiable.
To me, this sentence reads as "That a nice idea, but untenable in practice." rather than "Open source is necessary, but shouldn't be considered sufficient." which strikes me as counter-productive to the objective of easily verifiable software.
Completely agree.
> Open source and verifiable down to the firmware is the only chance we have at any real level of trust
The hardware itself could be compromised though. There's just no way to know what's really inside these black boxes.
https://youtu.be/_eSAF_qT_FY
We'll never have real trust until we get the ability to fabricate our own processors in our own home just like we already have the ability to write our own software.
https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html
Not very likely on a broader scale, though.
I know Xiaomi is not the best brand to buy for privacy, but I consider their products one of the best in terms of value for money
I own a few Xiaomi devices, I simply install Blokada on each one of them and I think you would be surprised by how many non Chinese domains it blocks, Google being one of the worst offenders.
EDIT:
see this screenshot
https://imgur.com/a/UO0BGCy
EDIT 2: paradoxically knowing that Xiaomi is a Chinese company make buyers more aware of the privacy risks involved. It breaks that false sense of security associated with electronic devices that many people believe in.
But according to the logs on my router Blokada is working.
p.s. blokada actually also blocks ads on the formula 1 official app that are served through websockets
Also, these fingerprinting bits in their code-base doesn't inspire confidence either [2][3].
I'd not consider Blokada a serious security app at this point, though it does have the potential to be one.
disclosure: I co-develop a similar foss app.
[0] https://github.com/blokadaorg/blokada/blob/65992cdc/android5...
[1] https://github.com/blokadaorg/blokada/blob/8702350602b/andro...
[2] one identifier too many for a user-agent: https://github.com/blokadaorg/blokada/blob/8702350602b/andro...
[3] unique identifier per installation: https://github.com/blokadaorg/blokada/blob/04efb84e06e1/andr...
what's the name of the app you co-developed?
https://news.ycombinator.com/item?id=26133661
Or maybe the US government knows it can't legally collect certain information on its own citizens, but can rely on China to collect it, and then purchase it from the Chinese government.
Then there's the overall argument against: I don't want any government collecting data about me, period. It's none of their damn business, regardless of the chances of me having to interact with them in any capacity.
The pessimist in me assumes that's because it's a good cover for the intelligence agencies data sharing agreements between the US, China, India, Russian, North Korea, et al.
If the very first people (presumably the "higher ups"/more prestigious designers) in the design process miss such things, it is very hard to call them out in a societal construct that is the business construct that has become Xiaomi and the Chinese Government.
It's hard enough in some companies for QA to question software engineers and not catch backlash in the US when making games. Companies like EA, Atari and Nintendo are notorious for it. Apple used to shitcan QA who didn't treat "the talent" nice enough, and they weren't a quasi governmental entity.
You're right, of course. But man, that's a big frog in your throat to go up to your manager and say, "Sir, I'm sorry but this whole process has issues. Here's the fix, but it means a redesign of a core process." That's tough. That's double tough.
There are many ways to work around this, having teams whos incentives are tied to finding issues, maybe in a different reporting chain or office or country to those writing the software is one way.
But, here we are. In the real world =/
ASFAIK, Xiaomi does not sell any critical infrastructure equipment, nor is it installed anywhere; not entirely sure why GCHQ or NCSC would be involved, especially when there is ambiguity around which/what equipment they should be conducting a code review upon?
With regard to Huawei, there was no decisive conclusion, despite a comprehensive security review. Furthermore, it has been business as usual for currently installed equipment. All future decisions will be based around the 5G infrastructure.
You'd have to be a complete idiot to believe that the CCP isn't happily digging through all the data they send back.
Seems more likely this was done on purpose so if they got caught they could say "Junior engineer made a mistake. So sorry."
There is likely tonnes of binaries that run outside of Android, so OEM you choose matters too.
Is this our definition of spyware? I see countless articles float by on HN about super cookies, spy pixels and browser fingerprinting. Those do effectively the same things, track users against their expressed wishes, but we just don't call them spyware.
Who doesn't call trackers spyware? Everyone with a slightly-above-average sense of privacy has been calling them spyware and blocking them for years.
American company collects your data? $1,400,000,000,000 valuation.
This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.
American company will collect data to show you ads and profit.
Are they really same?
One could say the motives are different, but to act as if American groups collect data purely for profit isn't true.
>Are they really the same?
No, but acting similarly doesn't imply identical similarity.
Unless you get a target on your back, in which case the American company will provide the American law enforcement agencies with whatever data they want to take action against you and your family.
Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".
Really, that is what you got from my comment.
In the case of CCP it can even be who you are, as in Tibetan, Uighur and so on.. Or, a national of a different country that China wants to spy on, or a relative of someone that China thinks has a differing opinion from CCP and so on..
It's not even on the same planet, let along in the same ballpark..
They're both evil, just that US is less so.
They really aren't the same and personally I'd rather not have my data collected, but I'd rather it be dispersed with a corporate arms race who aren't allowed to set laws than an aggregate that belongs to a party that has much more control over my life.
7 years later and it's like Snowden never even existed.
https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
I, for one, would prefer, if I have a choice, it to be just my Gov and not a foreign Gov that I consider to be hostile..
This seems intuitive at first sight but doesn't make sense to me: is it your Gov or a foreign Gov that can more likely bother your life?
The short version is that unless you live inside the PRC data harvested on you is highly unlikely to matter no matter what you do. Inside the US or US allies? Be careful.
And your kids data. Grades, searches, web history, pics, diaries. I can totally see new private APIs for recruiters, banks, insurances - like personal assessment scores.
Don't try to whitewash it.
If anything, you face a much greater threat from the American intelligence apparatus than one in a foreign country.
2.) People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc.
3.) We don't commonly call billionaires who live in the middle east, china, and other non-western countries "oligarchs", do you know why?
Why are you so upset about Xiaomi getting called out?
We should be more consistent in our terminology.
They're referring to Alphabet's (Google) market cap, not Xiaomi's.
The GP responded to each line in the original comment with a number. So, their point about Google (point #2) was seemingly unrelated to their point about Xiaomi's market cap (point #1) as they addressed different parts of the original comment.
The GP mentioned Google perhaps not because of the market cap mentioned in point #1, but rather as a response to the original comment's mention of American companies.
This is further evidenced by their use of point #3 to refer to the term oligarch, which was the third topic raised in the original comment.
You can see how not clear this is based on other replies to the comment as well.
I'm referring to Google with that valuation.
>We don't commonly call billionaires who live in the middle east, china, and other non-western countries "oligarchs", do you know why?
Propaganda? An oligarch is a rich person with a lot of political influence. Sounds like an average billionaire to me.
>People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc
I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.
>Why are you so upset about Xiaomi getting called out?
Only annoyed at the obviously biased language.
They win elections on shutting down his headquarter plans. They want to break up his company, raise his taxes on unrealized capital gains, they want to force him to divest his personal investments like WaPo.
Same goes for other billionaires. You think there's a lot of love for Ken Griffin? Or the Google founders? Or Jamie Dimon? Of course not.
Billionaires are a common bogeyman for the populists that have ruled the capitol for the last 10 years or so.
[1] https://www.huffingtonpost.ca/entry/amazon-city-benefits-sec...
In public, sure. Behind the scenes, they're taking meetings with his lobbyists, and somehow the tax raise never happens despite politicians talking about ad nauseam.
Part of modern politics is running a kabuki theatre of performative populism on the campaign trail. Not much happens once they are in office, because you need quick wins ahead of the next election.
also note that the Asian billionaires are learning for people like bezos/gates. In public they may be hate figures - but everyone orders from Amazon. Tax breaks for large companies.
(i.e) use thinktank to pass legislation to make everything they do legal.
Actions matter more than words. At this time, it's not even clear if Biden will go to the mat for a nationwide $15/hr minimum. That would do far more to incentivize Amazon to improve working conditions, as its $15/hr starting rates would no longer be competitive.
So the instant someone is elected they start calling Random Joe for funding their next campaign? Of course not. Politicians talk to people who help fund them, that or they are out. Having a politician's ear is power that Random Joe doesn't have. Using Bezos is disingenious. How about Musk or Bill Gates or one of the many rich oligarch families who have the same name as former presidents? Don't pretend money has less power in US politics than in Russian politics. If anything it is worse.
You seem pretty active on HN so I'm a bit skeptical that you honestly believe this. But I'll respond in good faith anyways. Here's the first result from Google (didn't even use DDG)
- (Washington Post) Goodbye, Chrome: Google’s Web browser has become spy software[0]
But since you're active I'm sure you know about The Social Dilemma, Snowden, etc. I've seen episodes on 60 Minutes, CNN, Fox, and pretty much everywhere that calls criticism to companies like Google and Facebook. Does China get called out more often? Yeah. Why? Because we're in a cold war with them. But still in many of these pieces I've seen them make slights at American tech companies. Things like saying that what they do is bad, but what China does is worse.
[0] https://www.washingtonpost.com/technology/2019/06/21/google-...
The Russian oligarchs are a group of people that grabbed large amounts of wealth by reaping the downfall of the Soviet Union. They are a very specific, well connected group of people outside of normal Russian billionaires. The reason specifically that they are oligarchs instead of just normal billionaires is that they are very plugged into the government and sway its operation. And I know there's some cynics out there that will be like "well that's just billionaires in general" but I encourage you to learn about the leverage this group of people have on normal government operations.
With regards to the observation that no one refers to Google as spyware, I don't think I see this either. But I do see tons of mainstream articles raising the point that Google spies on users. The problem is that (it feels like, at least) only us tech-inclined seem to care:
https://www.forbes.com/sites/jenniferhicks/2020/10/27/heres-...
>The report found that 80% of Americans think at least one tech giant is listening in on their conversations: Facebook at 68%; TikTok at 53%; and Google at 45%. But only 18% said they had deleted Facebook because of privacy concerns.
I fully agree Google is just an advertising company dressed up, and also further propose that its open source contributions and tech projects are its robing. I think there's still room to criticize other companies however, especially since privacy issues from companies like Xiaomi don't often get featured on HN.
I'm not suggesting the former is without fault, and fault by one does not absolve another. But you're right in that these are two very, very different things.
[0] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
Note: it also isn't a derogatory term, as it appears to be implied here, it just is an identifier of how wealth was accumulated.
Seriously, this is what you're going with?
Russigan oligarchs are people who just straight out stole national assets from the Soviet Union/Russia, with the help of the current ruler. There's a relatively clear definition:
https://en.wikipedia.org/wiki/Russian_oligarch
The problem we have is with their externalities. For oligarchs, the main line of business <<is>> the problem.
But, the point I actually want to make is that this implies that people aren't concerned with Google's use of their private data, which I think is demonstrably not true, given that they've got multiple open lawsuits against them over it.
So for someone like me, living in a 14 eyes country, are you saying it is worse for my privacy that a government on the other side of the earth that my government doesn't really like might have access to some of my data is better compared to a country my government are sharing data with who also have access to pretty much everything that happens online? I know for a fact that no matter what I say or do online PRC agents will never knock down my door. US agents? That would be quite a lot easier. In less serious waters, privacy is also worse as we know from Snowden that the US not only harvest everything it can but it also share it with US businesses. Will I ever see ads based on an algorithm trained on data from both sides? No idea, but I know which one would be worse for me by a long shot.
Russian billionaires came to their wealth purely through corruption - i.e. using via their connections during the crucial years of transformation to market economy to buy huge state-owned industrial companies for 0.1-1% of their real value.
Russian Oligarchs are called that because they are about two dozen people who looted about 95% of the country's wealth and are basically a transnational crime syndicate masquerading as a govt.
I can't tell of you are deeply clueless, trolling, or spreading dezinformatziya. Either way, perhaps you should remember this quote from famous American author Mark Twain: "It is better to remain silent and let people think you are a fool, than to open your mouth and remove all doubt".
Do you believe CCP is so capable to utilize such tools?
If the answer is yes, then you should ask yourself is there any realistic chance of overpowering such a technologically advanced "government". And how much more powerful the private sectors would be. Think about how much gap is between silicon valley and US government in technological capabilities.
This framing of pin everything as government sponsored activities make it very difficult to correct such behavior effectively. Because they were easily brushed off as intentional attack on the nation.
Why not just put it as what is?
I mean 996 in Chinese high tech industry is killing the quality of the work. That's obviously the right reasoning right?
They will also stop allowing custom ROMs once they've built up enough reputation, some newer models already will never have custom ROMs.
1) My Google, IG accounts both sent me security alert about successful login attempt from from Thailand, Vietnam. I 100% sure I only created the IG from this phone once and have not used that password from anywhere else. IG Username / password was taken from this phone and attempt to be login from somewhere else.
2) I can't get the phone to disconnect from wifi. I put the phone on airplane mode, disable wifi, bt, etc. Manually change the wifi password to something else. it always successfully reconnected back after a few days with old password. There are logic in the phone can try very hard to state connected online. It remembers old password and successfully connect successfully with it after a few days.
3) I have let the phone back online and created Google account that is 100% unique to this phone. Love know how long would it take for the login attempt for that G account from Thailand/Vietnam start to show up.They've really been on a privacy invasion spree lately.
In any case I hope you gave it a 1-star review.
Anything from CCP is pyware - especially when the FN namesake is XI Jinpooh.
If you use a computer, smartphone or IoT device then yes, it collects data, just as Facebook runs ads.
What's collected these days:
Your social circle,
every time you connect to the mobile network, when, which tower you connected to, tx/rx bytes, who you phoned, where the callee is located
Whether you're in a car, walking (sensors)
Whether your sleeping...(a recent Google blog post talked about a new "sleep tracking" API).
You generate data as a human, interested parties (governments) collect that and will store it for the rest of time. I suspect there's a database of every URL visited by any human in the last 20 years.
This is not surprising and should surprise nobody.
Xiaomi devices are usually at sweet spots price/performance-wise (not really great hardware imo, but well). With custom ROMs (including my GSIs, but other custom ROMs are fine as well), buy a phone for their hardware, not for their software. (BTW my daily driver is a Pixel 5... not running Google adwares! Only high-end-ish device that fits my hand).
However, Xiaomi devices are bricks for like a month, because before being able to install your own software, you need to be approved (connecting a smartphone on a Windows computer), and it's only once you get your smartphone that you can install your own software.
Awesome project though.
I've never made any GSI without storage encryption, and My GSI have always been running SELinux enforcing. Some kinds of GSIs have those kind of issues, but it's only those that are binary ports from OEM ROMs, like port from Xiaomi or OnePlus ROMs, but proper source-based GSIs shouldn't have those issues.
In early 2020 XDA thread [1] I was suggested to use phh-securise to reenable SELinux, which suggests that it was not enabled by default at least back then. Never got to try phh-securise, since the encryption part of the response was not definitive.
[1] https://forum.xda-developers.com/t/guide-nitrogen-10-10-phh-...
https://github.com/phhusson/treble_experimentations/releases...
I don’t know if there will ever be a sino-American war, but if there ever is one it’s going to be very painful for us.
Yet people in Europe they LOVE Xiaomi. I swear I’ve seen so many of my friends with those high end 500$ phones.
Even if they are tech guys it’s like they just don’t care , they want the most powerful phone with the most features at the cheapest price.
At this game Xiaomi and other Chinese brands have become very good.
That being said Google as been doing the exact same thing for 30 years. Nobody ever considered banning google from anything.