Gabi Cirlig, a White Ops security researcher, has accused Xiaomi of collecting its users’ browsing data and sending it to remote servers belonging to outsourced Chinese partners, according to a new report by Forbes.
Cirlig discovered that his Redmi Note 8 was “watching much of what he was doing on his phone” and was sending all that data to remote servers hosted by Chinese cloud giant Alibaba, which were apparently owned by Xiaomi itself.
According to Cirlig, the default Xiaomi browser on his Redmi Note 8 recorded every website he visited, including his searches on Google and on the privacy-focused DuckDuckGo. He found that the browser kept recording these details even when he was using incognito mode on the phone.
Further, the device was also found to keep track of which folders he opened and which screens he switched to, including the status bar and the settings page. All of this data was compiled and sent to remote servers in Singapore and Russia, under a web domain registered and hosted in Beijing, where Xiaomi has its headquarters.
Besides the Redmi Note 8, Cirlig found that the same data-collection flaws existed on other Xiaomi premium devices such as the Mi 10, Redmi K20 and Mi Mix 3.
According to Xiaomi, what the researcher found just shows “the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience.” It denied recording information and violating user privacy on website visits.
To validate Cirlig’s claims, Forbes reached out to Andrew Tierney, a leading cybersecurity researcher. Upon investigation, Tierney found that Xiaomi’s default browsers, namely Mi Browser Pro and the Mint Browser, both available on the Google Play store, were collecting similar user data.
While Xiaomi says that the data is encrypted for security reasons, Cirlig found that it was merely base64-encoded. Base64 is a reversible encoding rather than encryption, so he was easily able to decode the data and read the information inside it. Both researchers claim that the Xiaomi apps were sending data to Sensor Analytics, a data analysis solution provider for Xiaomi.
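The point above, that base64 wrapping gives no confidentiality, is something a defender can check mechanically when reviewing outbound traffic from a device or app. The following is an added example, not code from the researchers or from Xiaomi: it audits a list of captured payloads (constructed here, with hypothetical field names) and flags any that are just base64 around readable text, listing the URLs they expose. A payload that does not decode to printable text is reported as opaque; that is not proof of proper encryption, only that it is not plaintext.

```python
import base64
import binascii
import hashlib
import re
import string

# Constructed sample "outbound telemetry" payloads for this example. The first
# two imitate base64-wrapped records of the kind the article describes (the
# JSON field names are hypothetical); the third is a sha256 digest standing in
# for real ciphertext, i.e. random-looking bytes with no readable structure.
SAMPLE_PAYLOADS = [
    base64.b64encode(
        b'{"event":"page_view","url":"https://duckduckgo.com/?q=test","mode":"incognito"}'
    ).decode("ascii"),
    base64.b64encode(b'{"event":"screen","name":"settings"}').decode("ascii"),
    base64.b64encode(hashlib.sha256(b"stand-in ciphertext").digest()).decode("ascii"),
]

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_base64_text(payload: str):
    """Return the decoded text if `payload` is base64 wrapping printable text,
    otherwise None. None means "not plaintext", not "properly encrypted"."""
    if not BASE64_RE.match(payload) or len(payload) % 4:
        return None
    try:
        raw = base64.b64decode(payload, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def audit_payloads(payloads):
    """Classify each captured payload: is it merely base64-encoded plaintext,
    and if so, which URLs does it expose?"""
    findings = []
    for payload in payloads:
        text = decode_base64_text(payload)
        findings.append({
            "payload": payload,
            "readable": text is not None,
            "urls": URL_RE.findall(text) if text else [],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_payloads(SAMPLE_PAYLOADS):
        status = "PLAINTEXT (base64 only)" if finding["readable"] else "opaque"
        print(f"{status:24} urls={finding['urls']}")
```

Running the script prints one line per payload; the first two are reported as plaintext, with the DuckDuckGo search URL recovered from the first, while the digest-based payload is reported as opaque.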
Xiaomi, however, refuted the claims made by the researchers and said ‘the research claims are untrue,’ and that ‘privacy and security is of top concern.’
The Chinese smartphone maker responded to Forbes and said in a statement, “Xiaomi is disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”
However, a company spokesperson did accept that it was collecting users’ browsing data to offer a better user experience, but said the information was anonymized so that it could not be tied to an individual. The company nevertheless denied allegations that it was tracking data when the browser’s incognito mode was used, even after being provided with enough evidence.