A recent shocking report from Forbes’s cybersecurity contributor and associate editor, Thomas Brewster, reveals that Xiaomi browsers are sending browsing data to Xiaomi-rented remote servers in Singapore and Russia.
Speaking to Forbes, Gabi Cirlig, a seasoned cybersecurity researcher, said he became increasingly worried about his behavior being tracked on his new Redmi Note 8 phone. Cirlig found that all of his web activity was tracked, from web searches to the websites he visited, regardless of the search engine used – even while using the privacy-friendly DuckDuckGo, or in incognito mode.
The phone was also allegedly keeping tabs on all “the folders opened, to which screens he swiped, including the status bar and the settings page,” plus every item viewed on the News Feed feature, which is usually found in Xiaomi’s custom MIUI Android skin.
Browser data collection is also allegedly done on several other phones running MIUI, including recent ones like the Mi 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3, which run similar browser code.
Andrew Tierney, another cybersecurity researcher, also dug into the matter and found more mind-blowing information. Even Xiaomi-owned browsers that are available on the Play Store – Mi Browser Pro and the Mint Browser – had similar behavior. Cirlig also claims Xiaomi’s music player app collected some data on his listening habits.
For a company that has quickly climbed to the top and claimed the “value” pricing crown unanimously across the industry, Xiaomi doesn’t think this is a problem.
The Chinese tech company says it encrypts the data first – using base64 encryption technology – and that this data is anonymized, concealing user identity.
According to Cirlig, he was able to crack the encryption code in “just a few seconds.” On the anonymity part, Cirlig told Forbes that the collected data could be pinpointed to a specific user “very easily” since the company was also collecting “metadata” like device ID and Android version.
Xiaomi also termed the claims “untrue.” On the other hand, the company admits that users’ browsing data is being collected, and says users have consented to this. The company also disputed the claim that it collects data in incognito mode, although the two researchers had provided a proof-of-concept video showing that.
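Base64 is a keyless encoding, so anyone who can see a payload can reverse it. The sketch below is an added example, not code from the researchers or from Xiaomi: it audits a captured form-encoded request body for base64-wrapped fields and reports which stable identifiers sit beside the browsing data. The payload layout and the field names (`data`, `device_id`, `android_version`, `url`) are assumptions constructed for illustration; the article does not describe the real format.

```python
import base64
import binascii
import json
from urllib.parse import parse_qsl, urlencode

# Keys treated as stable identifiers (assumed names, chosen for this example).
IDENTIFIER_KEYS = {"device_id", "android_version"}

def try_b64_decode(value):
    """Return the decoded text if value is base64 wrapping UTF-8, else None."""
    if len(value) < 8:  # too short to be an encoded record
        return None
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def audit_body(body):
    """List what an observer recovers from each form field without any key."""
    findings = []
    for name, value in parse_qsl(body):
        text = try_b64_decode(value)
        if text is None:
            continue
        try:
            record = json.loads(text)
        except ValueError:
            record = None
        ids = sorted(IDENTIFIER_KEYS & set(record)) if isinstance(record, dict) else []
        findings.append({"field": name, "decoded": text, "identifiers": ids})
    return findings

def build_sample_body():
    """Constructed telemetry event; every value here is a placeholder."""
    event = {"device_id": "EXAMPLE-DEVICE-0001", "android_version": "10",
             "url": "https://example.com/search?q=test", "incognito": True}
    blob = base64.b64encode(json.dumps(event).encode()).decode()
    return urlencode({"data": blob, "v": "1"})

if __name__ == "__main__":
    for finding in audit_body(build_sample_body()):
        print(finding["field"], finding["identifiers"], finding["decoded"])
```

A finding that lists identifiers next to a URL is the linkability problem Cirlig describes: the record is readable without a key and points at one device.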
Xiaomi was also found pinging domains related to Sensors Analytics, a Chinese startup company, also called Sensors Data, which pitches itself as a “provider of an in-depth user behavior analysis.”
The Chinese company admitted having a relationship with Sensors Analytics but denied sharing any user data with them.
UPDATE: In a blog post, the company has further clarified how and when it collects user data and the types of data it collects. You can read more about that here.