SINGAPORE - When popular Chinese handset maker Xiaomi Inc admitted that its devices were sending users'personal information back to a server in China, it prompted howls of protest and an investigation by Taiwan's government.
The affair has also drawn attention to just how little we know about what happens between our smartphone and the outside world. In short: it might be in your pocket, but you don't call the shots.
As long as a device is switched on, it could be communicating with at least three different masters: the company that built it, the telephone company it connects to, and the developers of any third party applications you installed on the device - or were pre-installed before you bought it.
All these companies could have programmed the device to send data 'back home' to them over a wireless or cellular network - with or without the user's knowledge or consent. In Xiaomi's case, as soon as a user booted up their device it started sending personal data 'back home'.
This, Xiaomi said, was to allow users to send SMS messages without having to pay operator charges by routing the messages through Xiaomi's servers.
To do that, the company said, it needed to know the contents of users' address books.
"What Xiaomi did originally was clearly wrong: they were collecting your address book and sending it to themselves without you ever agreeing to it," said Mikko Hypponen, whose computer security company F-Secure helped uncover the problem. "What's more, it was sent unencrypted."
Xiaomi has said it since fixed the problem by seeking users'permission first, and only sending data over encrypted connections, he noted.
Xiaomi is by no means alone in grabbing data from your phone as soon as you switch it on.
A cellular operator may collect data from you, ostensibly to improve how you set up your phone for the first time, says Bryce Boland, Asia Pacific chief technology officer at FireEye, an internet security firm.
Handset makers, he said, may also be collecting information, from your location to how long it takes you to set up the phone.
"It's not that it's specific to any handset maker or telco,"said Boland. "It's more of an industry problem, where organisations are taking steps to collect data they can use for a variety of purposes, which may be legitimate but potentially also have some privacy concerns."
Many carriers, for example, include in their terms of service the right to collect personal data about the device, computer and online activities - including what web sites users visit.
One case study by Hewlett-Packard and Qosmos, a French internet security company, was able to track individual devices to, for example, identify how many Facebook messages a user sent.
The goal: using all this data to pitch users highly personalized advertising.
But some users fear it's not just the carriers collecting such detailed data.
Three years ago, users were alarmed to hear that US carriers pre-installed an app from a company called Carrier IQ that appeared to transmit personal data to the carrier.
Users filed a class-action lawsuit, not against the carriers but against handset makers including HTC Corp, Samsung Electronics and LG Electronics which, they say, used the software to go beyond collecting diagnostic data the carriers needed.
The suit alleges the handset firms used the Carrier IQ software to intercept private information for themselves, including recording users' email and text messages without their permission - data the users claim may also have been shared with third parties. The companies are contesting the case.
And then there are the apps that users install. Each requires your permission to be able to access data or functions on your device - the microphone, say, if you want that device to record audio, or locational data if you want it to provide suggestions about nearby restaurants.