But nothing is new here. As long as a device is switched on, it could be communicating with the company that built it, the telephone company it connects to, and the developers of any third-party applications you installed on the device.
All these companies could have programmed the device to send data 'back home' to them over a wireless or cellular network - with or without the user's knowledge or consent.
For instance, in Xiaomi's case, as soon as a user booted up their device it started sending personal data 'back home'. Xiaomi said that allowed users to send SMS messages without having to pay operator charges by routing the messages through Xiaomi's servers. To do that, the company said, it needed to know the contents of users' address books. A small but important detail here is that the address book information was sent to the servers unencrypted.
Xiaomi is not the only "bad guy" in the mobile industry. A cellular operator may collect data from you, ostensibly to improve how you set up your phone for the first time. Handset makers may also be collecting information, from your location to how long it takes you to set up the phone.
That's an industry problem: organizations are taking steps to collect data they can use for a variety of purposes, which may be legitimate but can also raise privacy concerns.
Many carriers, for example, include in their terms of service the right to collect personal data about the device, computer and online activities - including what web sites users visit. Such information could be used to pitch users highly personalized advertising.
Users are also installing apps on their devices without paying much attention to any prompts they get from their device during installation.
For instance, an app requires your permission to access data or functions on your device: the microphone if you want it to record audio, or location data if you want it to provide suggestions about nearby restaurants.