MIUI 12's Privacy Protection Looks Good, but Its Ethical Problems Are Being Ignored

In recent years, mobile internet and big data have developed rapidly, and the collection and use of personal information by mobile apps has expanded in a wild and disorderly way. Xiaomi’s latest mobile operating system, MIUI 12, was officially released and its new privacy features were widely praised. MIUI 12 protects users’ personal privacy rights and information security, but it also faces problems such as the difficulty of defining data ownership and the overlap between personal privacy rights and the scientific value of data. This article discusses these three issues from the perspectives of developers, regulators, and executors, respectively.

1. How the Problem Arose

In recent years, mobile internet and big data have developed at high speed, and the aggressive harvesting of personal information by mobile apps has grown unchecked in pursuit of enormous economic returns. In this process, software distribution has not been subject to strict regulatory review, Android permission management has been loose, developers have lacked ethical constraints, and ordinary users have had little awareness or few countermeasures. As a result, users’ privacy and free will have been heavily violated, and information security has long been left defenseless.
On April 27, 2020, Xiaomi officially released MIUI 12, the latest version of its mobile operating system, and its new privacy features were widely praised. MIUI 12 includes three privacy functions: Flare, Interceptor Net, and Mask System. On December 28, 2020, MIUI 12.5 was released and further upgraded privacy controls.
The “Flare” feature provides six major capabilities, including app behavior records, microphone/camera/location permissions, dangerous-permission access, and permission-usage statistics. In Flare, users can view every app’s auto-start behavior, permission calls, chained launches, and sensitive behavior records. If an app performs an unauthorized action, the user can revoke the relevant permission immediately and protect private data.
The “Interceptor Net” feature further strengthens control over background behavior by third-party apps to prevent them from secretly reading private information. After users enable it, all high-risk app behaviors are blocked directly. When sharing photos on social platforms, users can also choose to erase sensitive information such as location data, longitude and latitude, place names, shooting time, and phone model.
In addition, the “Mask System” can provide a “blank pass” to rogue apps that refuse to work without authorization, addressing the pain point of users who want to use an app without handing over personal information.[1.][2.]

2. Ethical Reflection

a) Protecting User Free Will and Information Security

We should first acknowledge MIUI 12’s contribution to protecting user privacy. The reason it received so much praise is precisely that users’ privacy rights have been violated so extensively in everyday use.
Commercial companies use characteristics such as users’ search history, browsing records, activity time, age, and gender to deliver highly targeted advertising and maximize their own profits with algorithms. For example, the range of goods shown in ads may be artificially constrained, higher-priced products may be prioritized, and in some cases the same product may even be shown to consumers with different spending power and habits at different prices, seriously harming consumers’ right to know and their right to fair trade. In addition, because user information is mined so thoroughly, highly customized scams have emerged, with very high success rates and severe harm.[3.]
When harmless pieces of information from different domains are aggregated through a person’s digital identity, they can create new threats to privacy and security. With enough information in hand, an attacker can impersonate almost any user online. Big-data algorithms can not only analyze static data, but also dynamically track changes in personal behavior and preferences, turning people into transparent beings pierced through by data at every moment.
MIUI 12’s efforts to protect user privacy deserve wider adoption, and in particular, bringing public scrutiny into privacy protection is an innovation worthy of praise.

b) The Difficulty of Defining Data Ownership

Personal digital identity involves both personality rights and economic interests. The foundation for determining ownership is a clear definition of the boundary of rights: to what extent do people enjoy control over and disposition of their personal data?[4.] Individual users interact with commercial mobile apps and generate data within them. Data is generated and collected on the platform, and users also sign various form contracts, but does that mean all such data should belong to the company? The question of ownership deserves deeper study.
I believe that when sensors observe the ordinary physical world, the property rights of the resulting data should, under the principle of possession, belong to the party that collects and records the data. Mobile apps, however, observe people, so the principle of possession should not apply. Whether the data should belong to the user and merely be licensed to the platform, or be jointly owned by the user and the platform, is a legal question worth discussing. If companies and users are joint owners, is it appropriate for MIUI 12 to block app access to data at the operating-system level? Even if it only forcibly forbids certain “high-risk” actions, it is clear that the reasonableness of permissions should not be defined by a phone manufacturer.

c) The Overlap Between Personal Privacy Rights and the Scientific Value of Data

Data concerns not only personal privacy and corporate commercial interests, but also scientific research value. If every user refused to authorize any data at all in order to guarantee absolute privacy, the development of technologies such as data mining, machine learning, and digital cities would become extremely difficult. Luciano Floridi and Mariarosaria Taddeo argue that “overemphasizing the protection of individual rights in the wrong context can easily produce overly severe institutional norms, thereby causing the loss of opportunities to realize the social value of data science.”[5.]
When handset makers treat privacy protection as a major built-in “selling point” of their operating systems, this trend will undoubtedly intensify. As MIUI 12 continues to iterate, will privacy protection be strengthened without limit under the joint pressure of public opinion and commercial incentives? That may lead to overprotection of personal information and could even hinder social progress. Of course, this problem is still far from materializing under current conditions, but we should remain alert to the risk of overcorrection.

3. Professional Norms

a) Developers: Ethical Constraints on Data Collection, Mining, and Use

The development side includes mobile-app developers, designers of data-mining algorithms, and users of those models. By using personal information and usage data, developers can provide personalized services and create benefits for both sides. But developers should not monopolize all the gains brought by big-data technology, let alone infringe on users’ rights in order to obtain even more benefits for themselves. We should not repeat the old path of “pollute first, treat later” from the first and second industrial revolutions. The damage caused by out-of-control data technology today is impossible to measure.

b) Regulators: Defining the Boundary of Personal Data Rights

More important than industry self-discipline is that national regulators should legally clarify the ownership of personal digital property rights and formulate relevant industry laws and regulations. In 2018, the EU’s General Data Protection Regulation officially came into force. It covers every stage of personal-data use and is regarded as one of the strictest laws on personal-data protection. The United States also enacted the California Consumer Privacy Act of 2018. These laws provide strong examples for improving China’s Cybersecurity Law and for future legislation on personal information protection and data security.
As for the collection and use of personal data, mobile apps can currently be distributed to users without any review at all, and this clearly needs to be improved in the future.

c) Executors: Balancing Personal Digital Security and Social Development Rights

At bottom, data collection is still carried out at the operating-system level, which is also why MIUI 12 can protect user privacy. One particularly innovative aspect of MIUI 12 is that it tells users about apps’ permission requests and uses public scrutiny to supervise apps’ intrusion into privacy. This is progressive today: it avoids letting phone manufacturers directly determine whether behavior is lawful, while still regulating and supervising apps in a relatively reasonable way. But in the future, users will naturally tend toward fully protecting their privacy, and MIUI may impose unreasonably strict restrictions in order to cater to users, thereby hindering technological progress.
I believe the operating system should remain neutral between personal privacy protection and big-data applications, protecting individuals’ legitimate digital rights strictly according to laws and regulations. That should be an obligation, not an “advantage.” At the same time, protecting data security can be a highlight, but excessive secrecy around personal data should not continue to serve as a “selling point” in the future.

4. Conclusion

Applications of big-data technology in the mobile-internet era must balance the protection of individual privacy with the development of data technology. MIUI 12 has taken the lead among major vendors and provided meaningful protection for ordinary users. But protecting personal privacy only at the operating-system level is neither sufficient nor fully fair, and it carries the risk of overcorrection in the future. Therefore, governments should accelerate the improvement of relevant laws and regulations, and practitioners should establish ethical norms so that privacy protection and advanced technology can be balanced across the entire industry chain, minimizing the negative side effects of technology while maximizing its value to society.

References
[1.] Xiaomi: Working to Address the Risk of Personal Privacy Information Leakage https://mp.weixin.qq.com/s/tnEynV1dJPe7VZrKX_oC6w
[2.] Take Control of Privacy, MIUI 12 Protects Your Information Security https://www.xiaomi.cn/post/22087434
[3.] Ge Qiuping, Wang Jue. Ethical Regulation of Personal Digital Identity in Big Data Applications[J]. Zhongzhou Academic Journal, 2020, 42(10): 95-101.
[4.] Yang Zhangbo, Wang Xinlei. Research on Data Ownership in Big-Data Transactions[J]. Information Studies: Theory and Application, 2018, 41(6): 52.
[5.] Floridi, Luciano and Taddeo, Mariarosaria, What is Data Ethics? (November 14, 2016). Phil. Trans. R. Soc. A, Volume 374, Issue 2083, December 2016, Available at SSRN: https://ssrn.com/abstract=2907744

https://en.heth.ink/MIUI12andPrivacy/

Author: YK

Posted on: 2021-02-07

Updated on: 2021-02-07