How’s Xiaomi MiBand privacy?

29/12/2020 Final update: Almost a year after my complaint, I received an answer: the Dutch Personal Data Authority is not going to research my complaint further because they can’t say if they are able to be effective in reaching the goal of the complaint. Additionally, there were no other complaints against Huami, so they consider it a small risk (I wonder if they know that Huami is actually behind Xiaomi). Here's the full official response.

02/06/2020 Update: While still waiting for a response from the Dutch Personal Data Authority, I’ve been contacted by Kevin Grahl, who wrote a great article on how to protect yourself from leaking personal data to Xiaomi. The trick is to use the Lockdown iOS app. I’m confident about this solution 🙂

27/11/2019 Update: After 2 SARs without a response from Huami, I’ve decided to make a complaint with the Dutch Personal Data Authority. The estimated response time is 3 months.

7/11/2019 Update: I just received a concrete answer from Xiaomi’s Privacy Office: “MiFit is a product of Huami. Xiaomi Singapore Pte Ltd is not the MiFit data controller and is not responsible for processing the personal data of MiFit ‘s data subject. Please refer below Huami’s contact information is privacy@huami.com.”. So, I’ve made a SAR to Huami.

Xiaomi Miband

Xiaomi produces a wearable activity tracker called MiBand. The 3rd generation has a reasonable feature set, and it is 2-3 times cheaper than its competitors. It’s a great entry-level band if you want to begin tracking your fitness levels.

I bought a Xiaomi MiBand3 because I was hoping to make sense of my erratic sleeping patterns. I was also eager to discover how much movement I was getting through the day. Additionally, I was hoping to connect with some faraway friends via the MiFit phone app.

But what about privacy?

The data that a fitness tracker generates feels personal, and Xiaomi is a Chinese company. I don’t want the Chinese government to have information about me. It’s bad enough that Chinese citizens have no privacy. To make an informed purchase, I searched for articles about “Xiaomi privacy”. I found two articles (1 and 2) reviewing the InfoSec aspects of a couple of fitness trackers. Yet, nothing that answered my question about Xiaomi. In the end, I decided to buy the band, but I felt uneasy every time the MiFit app “synchronized” with the band. Uneasy, but not concerned enough to look deeper into the matter.

Susana Sanz, from BalkonTactics, renewed my interest in privacy and InfoSec. After our talk, my unease changed into serious concern about the data generated by my shiny, new fitness tracker. The ethical/moral/philosophical aspect of privacy did not interest me; that’s something that others have talked in more detail (Glenn Greenwald and Edward Snowden come to mind).

I was interested to know what exactly does Xiaomi know about me. Making a Subject Access Request (SAR), a right recognized by the GDPR is one way to go about it. For the sake of learning how SAR work, I submitted one to privacy@xiaomi.com. But this process would take a long time, and patience is not one of my virtues. While waiting for an official response, why not use a “hacky”, DIY approach to get an answer?

The privacy investigation

Nowadays, almost all phone apps communicate with a server on the internet. It is possible to intercept that communication, while it’s happening (see the technical method section at the bottom of the post). Thirty minutes later, I confirmed my concern: Xiaomi collects all the data that MiBand generates. To be more specific, all the data displayed in the MiFit app (e.g., sleep data, training data, heart rate) gets uploaded to the Xiaomi servers. There is no way to disable the upload in the configuration of the application. The band keeps a backlog of all the recorded data, and everything gets uploaded to Xiaomi when I open the mobile app. If you don’t use the MiFit app, you’ll end up with a band that only knows how to count your steps and how to measure your heart rate.

The only good news here is that, at this moment, the geo-location data is not collected passively (outside training sessions). But there is no guarantee that it will stay like this in the future.

In the end, I’m left feeling disappointed that Xiaomi has unrestricted access to sensitive information about my lifestyle:

• what would happen if someone infiltrates their systems? I’m sure that there are ways in which this data could be exploited to my disadvantage.
• what’s up with this shady user agreement? Not clear to me what Xiaomi and its partners do with the data. I understand that the moment it gets uploaded, I “waive any and all ownership, legal and moral rights” to my data. But how does Xiaomi use it? Who are the third parties or Xiaomi affiliates that have access to it? Is it sold or monetized in any way? Lots of questions and no clear answers.

If you’ve been on the internet long enough, you’re familiar with the phrase “If you’re not paying for the product, you are the product”. Fun fact, in 2016, the average worth of a Facebook user was $3.73 per quarter. I’m not ok with that, but let’s leave it there for now. Thinking logically, the phrase should not stand once I start paying for the product. Right? Well, it seems that this is not the case with Xiaomi MiBand.

There’s no privacy and I don’t own the data

I’m dissatisfied that, despite paying for the MiBand, I “waive any and all” rights over the data that I generate. In this new light, what seemed to be a good deal (best cheapest fitness tracker on the market) became a lousy deal when reading the fine print and doing a bit of research.

In the end, there are two big questions left in my mind about this way of collecting personal data:

• Is this a general practice of the fitness band industry, or is Xiaomi an exception?
• Are other Xiaomi products collecting data in the same way?

If you own a fitness tracker or another Xiaomi product, can you do a bit of digging around and let me know? Or get in touch with me and we can do the research together.

Technical details of the investigation

The technical method of finding out what MiBand3 data gets uploaded to Xiaomi’s servers was simple. Had I known it would be so simple, I wouldn’t have postponed it so much.

The hardware setup: I had to install mitmproxy on my laptop.

• connect both my phone (with the Xiaomi MiFit app) and my laptop to the same WiFi network
• install and run mitmproxy on my laptop
• install the mitmproxy root certificate on my phone
• on my phone, set the proxy server for the WiFi to point to my laptop
• open the Xiaomi MiFit app and look at the requests going into the proxy running on my laptop

Out of all the requests made by the Xiaomi MiFit app, only one sends a lot of data:

POST https://api-mifit-de.huami.com/v1/data/band_data.json?r=50AB6198-7007-47BF-86AC-53F606CDD4F6&t=1565977799279

In the payload of this request is a key called data_json that contains all the recent band data (as the name of the endpoint suggests). I took a look at the data in the JSON object and saw all the data points that are shown on all the graphs (in the app), including all the geo-coordinates of my running sessions. To my surprise, the MiFit app didn’t seem to send to Xiaomi information about my current location. Yet, this is not a guarantee that this information will remain on my phone in the future.

From a technical perspective, I enjoyed doing this little research. Using mitmproxy was straightforward, and I recommend it if you want to see what communication goes on between the apps on your phone and the internet.