Xiaomi's Hugo Barra
Xiaomi's head of global expansion - and former Google executive - Hugo Barra has strongly denied the company steals customer data without their knowledgeReuters

Xiaomi has once again denied "uploading or storing private information or data without the permission of users" despite a report which claims to show it does exactly that.

Finnish security company F-Secure published a blog on Friday which seemed to show that a brand new Xiaomi RedMi 1S smartphone was sending certain data to the company's servers without asking permission from the user.

Reacting to the blog and subsequent media reports, Xiaomi apologised for any confusion and has decided to change it policy of automatically uploading certain user information, making it an opt-in choice.

Xiaomi's head of global expansion - and former Google executive - Hugo Barra published a post on his Google+ page over the weekend to defend his company's position.

"We believe it is our top priority to protect user data and privacy. We do not upload or store private information or data without the permission of users," Barra said, before going on to contradict that position in his explanation of what was happening.

MIUI Cloud Messaging

Xiaomi RedMi 1S
The Xiaomi RedMi 1S tested by F-Secure researchers.F-Secure

The issue Barra claims is related to the MIUI Cloud Messaging, a service like iMessage which allows Xiaomi customers to send messages to each other without having to pay SMS charges.

For this service to work, when a new smartphone is turned on, the Cloud Messaging service is "automatically activated through IP communication protocol with Xiaomi servers in order to provide the user with the free text messaging capability."

For the messaging system to work, it needs certain pieces of information from the user's phone including the phone number, IMEI (used to identify a specific phone) and IMSI details (used to identify the user of a cellular network). These are automatically uploaded once a new phone is switched on for the first time.

F-Secure investigation into this suggested phone numbers of contacts added to the address book and phone numbers of SMS messages received were also uploaded, but Barra denies this:

"Users' phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver."

Change policy

Responding directly to the F-Secure blog and the subsequent media reports, Xiaomi has decided to change its policies in relation to its messaging service:

"As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users."

The company has begun pushing out an over-the-air software update for existing customers which will allow them enable the opt-in choice from the settings menu.

Barra apologised "for any concern caused" to users.

Xiaomi has previously been accused of storing people's data in their servers without permission, but the company has strongly denied these suggests, with Barra writing at the end of July that those reports related to its Mi Cloud service which is entirely opt-in.

However F-Secure's security researcher Sean Sullivan cautioned that what Xiaomi is doing could be replicated by other smartphone manufacturers:

"It's important to note that all 'smart' phones are more or less nothing more than a tracking device in your pocket. Our research is ongoing to determine how much metadata vs data is being collected, and whether or not it differs significantly from other vendors in the industry."