Hot Deal collective action against Xiaomi. who's onboard?

546°
Deal Cadet
94
318
16

2 days back i bought the Xiaomi mi Home Security camera 360. online reviews are great, mi.com lists specs which are impressive, sales staff give a demo – download the mi home app and connect the camera. so i buy it.

on using it for the first time, i realise that the Mi home app will not operate unless a Mi account is created. either email id, facebook id or phone number is required. and it does not accept random or inactive info, only after the details are verified will the account be created.

i am stuck at this point. i don’t want to provide my contact details to xiaomi. i don’t see how creating an account at mi.com is related to connecting the camera to the app – the account creation should be optional. i have requested for a return and refund, but customer care tells me their policy allows replacement only.

xiaomi’s policy is flawed at multiple levels:
1. the mandatory need to have a mi account is not specified before the purchase, anywhere – not on the box, not on the website, not by any sales person. they all instruct to download the mi home app and connect the camera – which is how all security cameras operate. by not disclosing the mandatory account creation step, they are indulging in an unfair trade practice.
2. buyers are presented with the demand for contact details only after they have paid the money. at which point most of them feel outsmarted, and helpless and share the details unwillingly. this is a deceptive tactic to extract valuable data. so it is cheating.
3. when you give xiaomi your contact details and then connect your camera – which will have a unique serial number – you are allowing xiaomi to create a one to one correlation between the user and the camera. in short, it knows who is using which camera. this opens a serious privacy and security issue.

to elaborate : unlike other manufacturers that simply allow the camera to connect, and thus can track the camera id, and ip address only, xiaomi gets too close to the user – it now knows your identity down to your active email id, phone number or facebook id.

given that xiaomi is a chinese company, where it is normal to keep every citizen under surveillance, this policy seems ok. but in india, this is a breach of privacy at a personal level, and on a national level a security risk.

imagine, if you were to write something of interest to the chinese govt on your fb page. under chinese law every chinese company is bound to disclose data when asked, so xiaomi will give all information linked to that fb id. you catch the drift, right?

now the above scenario may seem quite remote, but even if xiaomi promises that the database containing the information on contact details and camera id is adequately protected, it is open to hacking. and hacking is quite common. in other countries, manufacturers admit such incidents, but in case of xiaomi, coming from a secretive nation, such episodes need not come to light in time - like the corona infection.

as the latest victim of xiaomi, i am planning to send a petition to relevant ministries to inform them about xiaomi’s policy. secondly, i am planning to file a complaint with the consumer court (first stop is jagograhakjago website).

i am sure many of desidime’s users have or know someone who has bought Xiaomis camera and linked it to the Mi home app unwillingly or unwittingly. if any of such people are interested to join in the petition and complaint please comment below.

40 Comments  |  
23 Dimers
136
1728
26

Good initiative.

106
1794
17

This is true for Mi Band too. I do not know whether they can access the cam footage but one thing I know you can either use smart home devices like this, Echo, Mini etc and forget about privacy or you can just plain avoid using this stuff. You can try returning your device if you are concerned on the basis of their account requirement. Tag them on social media sites.

376
4100
52
igen wrote:

This is true for Mi Band too. I do not know whether they can access the cam footage but one thing I know you can either use smart home devices like this, Echo, Mini etc and forget about privacy or you can just plain avoid using this stuff. You can try returning your device if you are concerned on the basis of their account requirement. Tag them on social media sites.

Mi band works with 3rd party app without the need for mi account.

122
1071
11

Good research for product but bad one for Xiaomi. They ask account for pretty much all their products. Also Xiaomi is known for selling data so you could have avoided buying a Xiaomi product altogether. For now take pledge not to buy them in future if you’re privacy conscious.

194
6206
70

It is outrageous, and read the same concern in Amazon reviews.
Privacy is fully compromised be it Mi or Google or Amazon, Airtel, Jio, … all ask for email, mobile, PAN, aadhar etc and keep watching
Create one dummy email (yopmail) and use it. Hope it works!
If you actively pursue, in the present situation they will surely remove this requirement

50
242
2

wondering why people buy chinese crap still…i too bought MI camera/MI4i in past n due to its shitty performance wont buy even now in 90% discount

137
742
25

I can help u in filing a complaint. Or take a legal recourse. DM me if u want

135
293
7

@brewitty if u bought from Amazon/ Flipkart
Go for replacement
Once replacement arrives
Again go for the same
This time u will get refunded

94
318
16

thanks for the comments and suggestions.
sorry for the delay in replying.
i, myself, prefer non chinese items over chinese, even if they are more expensive. but in this case, i couldn’t find a non chinese camera – godrej and hero included.

going to the consumer court (thanks @sandylodaya for the offer) as an individual will be a waste of time, as the amount involved is only 2800 and under current circumstances it is ill advised. it would be better if a collective petition be sent to relevant ministries seeking a thorough investigation into xiaomi’s practices rather than focus on a personal monetary loss. as sending a petition to the ministries is a serious matter, i do not want to rush the matter.

in the meantime, i sent messages to mi.com on fb/email seeking email ids of higher authorities, but this was refused. Ironic, for a company that forces its customers to part with such details.

after going through reviews on amazon and elsewhere, i decided to test the claims myself. unbelievably, the app did not accept a yopmail.com id – thanks @caks2006407 for the tip!! i had to create another temporary email id to bypass that. i realised that the app will not connect to the cam without an active internet connection at the time of launching the app (the camera will be working). that means, clearly, it has to connect to xiaomi servers regularly. secondly, the app also requires location details to scan for wifi routers (i don’t know what is the link between one’s gps coordinates and the hotspot in one’s residence/office). in short, xiaomi has all the details to pinpoint who is using which camera and where in the world. this is a serious breach of privacy.

what i find strange is that no one seems to have bothered about this intrusive behaviour of the app. all reviews give glowing details about the performance of the camera, while skipping the fact that the app might be enabling someone at xiaomi to watch the video feed while the camera is being reviewed!! at least the indian websites should have spent some time comparing the app’s data collection hunger and warning users to consider that aspect without being blinded by the brilliance of the camera.

i intend to make a thorough review of the gadget focussing on the privacy issues, first. to make it unbiased, i need your help with a few questions regarding the behaviour of other cameras. i have used a ccplus wireless camera before, and can vouch that its app does not need an account, nor an active internet connection or access to location to connect to the camera.

if you have any other wireless camera, i would appreciate if you could answer the following

1. brand and model of camera
2. name of app used to connect
3. does the app mandate creating an account at any site online before connecting to the app?
4. does the app require an active internet connection to connect to the cam? (to check this, disconnect the internet connection from the router/hotspot and relaunch the app)
5. does the app require access to gps/location?
6. does the app allow manual addition of the camera?
7. what personal details have to be given to the app to be able to connect to the camera?

any other questions that you feel need to be addressed, please add that as well.

to kick things off, in case of my camera the answers are :
1. xiaomi, mi home security camera 360 1080p
2. mi home
3. yes, mi.com account mandatory
4. yes
5. yes
6. no
7. email/phone/facebook id

0
832
7

There is one more aspect. the Indian servers are mostly offline all the time, so even after all the permission n internet one can’t get the device to work unless he manually selects China (mainland) in mi home app.

0
832
7

If for some reason there’s a power cut or u accidentally power off the device. You have to repeat the whole setup process again.
on the surface, it looks mi trying to put ecosystem like that of Samsung, but I’m not sure if this is a common practice to force ur user to be connected to the internet all the time.
anyway, I had two mi repeater n i replaced them with tp link.

603
12165
62
igen wrote:

This is true for Mi Band too. I do not know whether they can access the cam footage but one thing I know you can either use smart home devices like this, Echo, Mini etc and forget about privacy or you can just plain avoid using this stuff. You can try returning your device if you are concerned on the basis of their account requirement. Tag them on social media sites.

No, mi band doesn’t need it… unless they had recently changed stuff with new stuff.
Also to OP, first check out full details with the company. I don’t think any company would hide such a stubborn request, at least it would be on the lengthy TnCs.
If not and they don’t cooperate with return and refund then go ahead with your plan.
Also if you’re very concerned with your privacy going into the hands of China, US, Israel, Indian ministry and your local neighbourhood hacker then avoid stuff like these, cell phones, echo, etc.
Data stealing and selling is a BIG business in this decade.

194
6206
70
Harish.agarwal wrote:

There is one more aspect. the Indian servers are mostly offline all the time, so even after all the permission n internet one can’t get the device to work unless he manually selects China (mainland) in mi home app.

A very serious concern, manual selection may imply our consent to share

0
7523
116

I’m using Tplink Cloud Camera unfortunately it has the same process

3
542
6

Almost Every smart equipment requires account if u want to use through mobile.

31
1192
9
abhijith143 wrote:

Avoid buying Chinese items…

Exactly…after purchasing…why are u thinking about national security n all??… before purchasing only if u had thought about India…u would have avoided Chinese brand products

50
314
1

The OPs concerns are genuine, and that is exactly what happens too as part of Data collection. I myself have posted privacy related stuff in DD and other places, a dimer has replied ‘So what ?’; because it’s not of concern for them and they don’t understand the implications.

If you don’t want to agree to the terms of the usage, you can return the Product, MI phones are horror stories for people who understand about Data privacy and Android. This is not a Chinese thing, it happens with all products even in India. However Xiaomi is one of the worst I’ve personally seen in terms of invasion.

You cannot question them on why they’re invading your privacy, it’s your choice, agree or disagree, just like people get greedy with shady cashback apps and fail to understand how much info is being shared and agree to all terms without even reviewing them.

You CAN question them on why it was not intimated to you before, do check the fine print on the box and on the site from which you’ve purchased, if it’s already given there, you can’t challenge much.

Stop using Google and FB logins, create individual logins, try not to share a lot of your personal info on shady sites or with sites which are known for data collection… Google and FB are known devils, so nothing much can be done there

50
242
2
Sm2698 wrote:

Exactly…after purchasing…why are u thinking about national security n all??… before purchasing only if u had thought about India…u would have avoided Chinese brand products

very true…apart from security issue, these are junk products

94
318
16

thanks for the suggestions and replies. so i tried to get to the bottom of the issue. this is what i found. i created a mobile hotspot on my phone, and installed no root firewall app to check and control data transfers.

1. the camera, itself, apparently does not transfer data. i cannot be 100% certain, though. based on the access requests trapped by the firewall, there are no requests coming from the camera. maybe a better root level monitor will be able to get this. update: there is a “home monitoring” feature where the app will send notifications to the user and also store a small clip on the cloud. when this is enabled, there is a data transfer occurring whenever motion is detected. this i checked after installing network monitor mini app on the phone. i don’t have the ip address contacted, but it must be amazonaws.com, most likely.
2. the app connects to the internet every time it is launched. it tries to access a few sites including hinet (taiwan), Zhejiang Taobao Network, alibaba, facebook.com and a few other ips that don’t have a domain name, but most importantly to amazonaws.com. this is the most frequent request, and also the most critical because if this request is declined, the app will not connect to the camera.
2a. even if the home monitoring feature is disabled, the request to amazonaws.com persists.
3. the camera once setup will keep recording based on the parameters configured. Even if restarted it will continue recording without any input. it will record to the memory card, you can view the recorded clips by removing the memory card and accessing it directly. if a person is keen to keep his data private, this is the only way. But you will lose features like pan tilt zoom, live view, 2 way audio communication etc which can be done via the app only. Besides removing the card is a hassle and requires the cam to be switched off.
4. the request for location access is apparently a google feature, as this is the only way the available hotspots’ ssids can be identified. the hotspot will be detected, but the name, or ssid, will not be displayed. in more responsible apps, this is a skippable step, but not for mi home. so one cannot entirely lift the shadow of suspicion.

@Sm2698 @binod_babu : as already stated, in my research i have not come across a made in india product. this includes godrej and hero cameras. if you find a true made in india product please inform me.

@Gaurav_G : i would be interested to know which websites are accessed by the camera and the app. if possible, please try to reconfigure the camera to run through a mobile hotspot and install the no root firewall and check the logs, and inform.

@rini50 , @tristar : the camera-app dichotomy is not apparent to a customer. the box does not even mention the need for an app and the manual (couldn’t find an online pdf) doesn’t specify any terms and conditions (just to download and run the app). these are there in the app, you can disagree to the data collection, but then the app will quit. xiaomi knows the camera is useless without the app, but doesn’t inform the customer upfront.
the t&c is nothing extra ordinary. the usual data usage terms are seen, about sharing data with third parties etc. etc.

frankly there is an easy to win consumer court case here, but for it to be of any consequence there must be a class action suit with a few thousand customers collectively filing a case. then the monetary impact on xiaomi will be significant enough for it to take notice, and for the petitioners to feel rewarded.

the quicker option is for a mass petition to the relevant ministries. at the very least the unfair trade practice of not being transparent can be highlighted, seeking a disclosure on the box. most satisfactory would be a thorough review of the data collection policies and data transfer policies of xiaomi, which should culminate in an app redesign so that a mi.com account becomes optional, and the storage of data at amazonaws stopped unless the buyer opts for the home monitoring feature.
i shall be drafting such a petition soon, hopefully we can find at least 50 supporters from this forum.
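Added example, not part of any post in this thread: one way to summarise the kind of hotspot firewall log described in the post above, split by which device made the request and by whether home monitoring was on. The log format, the phase and source labels, and every hostname and IP in the sample are constructed for illustration; only amazonaws.com and facebook.com as site names come from the post.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample, not a real capture. Assumed format: phase,source,host
SAMPLE_LOG = """\
monitoring_off,app,a1.example.amazonaws.com
monitoring_off,app,a2.example.amazonaws.com
monitoring_off,app,www.facebook.com
monitoring_off,app,203.0.113.9
monitoring_off,app,a1.example.amazonaws.com
monitoring_on,app,a1.example.amazonaws.com
monitoring_on,app,www.facebook.com
monitoring_on,camera,clips.example.amazonaws.com
monitoring_on,camera,clips.example.amazonaws.com
"""


def parse_log(text):
    """Return (phase, source, host) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = [p.strip().lower() for p in line.split(",")]
        if len(parts) == 3 and all(parts):
            records.append(tuple(parts))
    return records


def site(host):
    """Collapse a hostname to its last two labels; leave bare IPs unchanged.

    Simplification: a real tool would consult the Public Suffix List.
    """
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.rstrip(".").split(".")[-2:])


def destinations_by_source(records):
    """Map each source (app, camera) to a Counter of contacted sites."""
    out = defaultdict(Counter)
    for _phase, source, host in records:
        out[source][site(host)] += 1
    return out


def persistent_sites(records, source):
    """Sites the source contacted in every test phase present in the log."""
    phases = {phase for phase, _s, _h in records}
    seen = defaultdict(set)
    for phase, src, host in records:
        if src == source:
            seen[phase].add(site(host))
    return set.intersection(*(seen[p] for p in phases)) if phases else set()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for source, counts in destinations_by_source(recs).items():
        print(source, counts.most_common())
    print("app, every phase:", sorted(persistent_sites(recs, "app")))
    print("camera, every phase:", sorted(persistent_sites(recs, "camera")))
```

A site that appears in `persistent_sites` for the app is contacted regardless of the feature setting, while an empty result for the camera means its traffic appeared only in some phases.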

0
7523
116
brewitty wrote:

thanks for the suggestions and replies. so i tried to get to the bottom of the issue. this is what i found. i created a mobile hotspot on my phone, and installed no root firewall app to check and control data transfers.

1. the camera, itself, apparently does not transfer data. i cannot be 100% certain, though. based on the access requests trapped by the firewall, there are no requests coming from the camera. maybe a better root level monitor will be able to get this.
2. the app connects to the internet every time it is launched. it tries to access a few sites including hinet (taiwan), Zhejiang Taobao Network, alibaba, facebook.com and a few other ips that don’t have a domain name, but most importantly to amazonaws.com. this is the most frequent request, and also the most critical because if this request is declined, the app will not connect to the camera. it could be that while the camera when operating offline doesn’t transmit data online, once the app is connected there is transfer through the app.
2a. there is a “home monitoring” feature where the app will send notifications to the user and also store a small clip on the cloud. but even if that feature is disabled, the request to amazonaws.com persists.
3. the camera once setup will keep recording based on the parameters configured. it will record to the memory card, you can directly view the recorded clips by removing the memory card and accessing it directly, if a person is keen to keep his data private.
4. the request for location access is apparently a google feature, as this is the only way the available hotspots’ ssids can be identified. the hotspot will be detected, but the name, or ssid, will not be displayed. in more responsible apps, this is a skippable step, but not for mi home. so one cannot entirely lift the shadow of suspicion.

@Sm2698 @binod_babu : as already stated, in my research i have not come across a made in india product. this includes godrej and hero cameras. if you find a true made in india product please inform me.

@Gaurav_G : i would be interested to know which websites are accessed by the camera and the app. if possible, please try to reconfigure the camera to run through a mobile hotspot and install the no root firewall and check the logs, and inform.

@rini50 , @tristar : the camera-app dichotomy is not apparent to a customer. the box does not even mention the need for an app and the manual (couldn’t find an online pdf) doesn’t specify any terms and conditions (just to download and run the app). these are there in the app, you can disagree to the data collection, but then the app will quit. xiaomi knows the camera is useless without the app, but doesn’t inform the customer upfront.
the t&c is nothing extra ordinary. the usual data usage terms are seen, about sharing data with third parties etc. etc.

frankly there is an easy to win consumer court case here, but for it to be of any consequence there must be a class action suit with a few thousand customers collectively filing a case. then the monetary impact on xiaomi will be significant enough for it to take notice, and for the petitioners to feel rewarded.

the quicker option is for a mass petition to the relevant ministries. at the very least the unfair trade practice of not being transparent can be highlighted, seeking a disclosure on the box. most satisfactory would be a thorough review of the data collection policies and data transfer policies of xiaomi, which should culminate in an app redesign so that a mi.com account becomes optional, and the storage of data at amazonaws stopped unless the buyer opts for the home monitoring feature.
i shall be drafting such a petition soon, hopefully we can find at least 50 supporters from this forum.

Can you share the app link?

Kudos to you for such an in depth research highlighting the privacy breaches!

94
318
16

@guest_999 : there is the concept of a representative suit, where a few people can file a civil case on behalf of a lot of people. it is the closest to a class action suit available.

30
3665
43
brewitty wrote:

@guest_999 : there is the concept of a representative suit, where a few people can file a civil case on behalf of a lot of people. it is the closest to a class action suit available.

I don’t think you can file a representative suit for such “consumer related” issues. In my opinion the best option is file case in consumer court & then winning in that case as an example for any future similar case. Btw if you win a case in consumer court then I think your all legal expenses incurred in fighting the case will be incl in the penalty levied on losing company to be given to you along with product’s original cost & some extra compensatory amount.
