Xiaomi accused of tracking users, sending data to remote servers

The privacy issues reportedly affect a number of Xiaomi devices, including Redmi Note 8, Redmi K30, Mi 10, and Mi MIX 3.

Highlights
  • Cybersecurity researchers claim Xiaomi devices and browsers are tracking users’ data without explicit consent
  • Xiaomi is allegedly tracking web browsing, the apps they use, and screens they swipe, and the folders they open
  • The company has dismissed the report as “untrue” and it has only browsing data with user consent to understand their behaviour

Update: Xiaomi has provided the following statement on the matter: “Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.

Xiaomi is allegedly recording and sending users’ data to remote servers that are reportedly leased by the company in Russia and Singapore. Seasoned cybersecurity researcher Gabi Cirlig told Forbes that he noticed Xiaomi tracking his phone’s usage and browsing activities, along with information about his device, and sending it to remote servers without explicit consent. Another cybersecurity researcher, Andrew Tierney, found the same privacy issues with Xiaomi’s Mi Browser Pro and Mint Browser. The company, meanwhile, has denied the research claiming it to be “untrue”.

Cirlig first noted the privacy breach on his Redmi Note 8 smartphone and then verified that other phones by the brand — including the premium Mi 10 and Mi MIX 3 as well as the mid-ranger Redmi K20 — also have the same browser code, suggesting they suffer the same privacy issues. Xiaomi smartphones, which come preloaded with the company’s browser, are used by hundreds of millions of people worldwide. The company’s Mi Browser Pro and Mint Browser have more than 15 million downloads on Google Play Store.

According to the report, a worrying amount of his [Cirlig’s] behaviour was being tracked, whilst various kinds of device data were also being harvested.” Xiaomi is said to be recording almost every activity of the researcher, including folders and apps he opened, the screens he swiped, and even his web browsing on Google and the privacy-focused DuckDuckGo. Apparently, search queries on even the supposedly private incognito mode were tracked and sent to the remote servers. While other browsers such as Google Chrome and Apple Safari also collect users’ data, the researchers believe that Xiaomi’s browser is more invasive.

“It’s a lot worse than any of the mainstream browsers I have seen,” Tierney said. “Many of them take analytics, but it’s about usage and crashing. Taking browser behaviour, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”

“All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing,” added the report. Both Cirlig and Tierney claim Xiaomi was not just tracking website or Web search but phone’s unique identification numbers and Android version as well.

Questions have also been raised at the way Xiaomi is collecting the data. Though the Chinese company claimed the data was being encrypted when transferred in an attempt to protect user privacy, Cirlig was able to crack the coding and decipher what was being taken from his device within seconds. “My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” warned the researcher.

Xiaomi has denied the allegations of violating user privacy and called the research untrue.

Xiaomi responded to the Forbes report saying the research is “untrue” and “Privacy and security are of top concern.” The company added it strictly follows and fully complies with local laws and regulations on user data privacy matters. Even though Xiaomi collects data, it’s only after users’ consent, it says.

Forbes says they showed Xiaomi a video of browsing data on a Xiaomi smartphone being sent to remote servers, a company spokesperson remained steadfast that users’ information was not being recorded without their consent. The spokesperson was quoted as saying, “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information.”