Xiaomi smartphones have been extensively collecting user data. Moreover, the tracked data is sent to servers hosted by Alibaba in Singapore and Russia, which Xiaomi rents and has complete access to. After such reports surfaced and gained wide circulation in Xiaomi’s key markets, the Chinese smartphone giant issued a statement that attempts to clarify why the data is collected and how it is used.
Xiaomi’s smartphones, irrespective of the sub-brand, have been reportedly observed to harvest massive amounts of user data. Interestingly, Xiaomi has not refuted the claims and accepted that its Android smartphones do indeed collect user data and information. However, through a blog post on the official Xiaomi blog, the company has offered a detailed explanation about the methods, processing techniques, and usage of the data that flows into the servers that Xiaomi has full access to.
Xiaomi Does Collect And Harvest User Data But Anonymizes The Same For Analytics And Service Improvement?
Security researcher Gabi Cirlig made a rather concerning claim that the Xiaomi branded device he used had been tracking usage habits, and all the data was allegedly being sent to servers hosted by Alibaba in Singapore and Russia that have been rented by Xiaomi. The amount, frequency, and scope of the data that Xiaomi collected was even more concerning.
According to Cirlig, the data being collected included the folders he opened on his phone and the screens he swiped to, including the status bar and the settings menu. Xiaomi was even tracking what music Cirlig was listening to in the default music player on his Redmi phone. The security researcher also claimed that whenever he browsed the web using Xiaomi’s default browser app, it kept a record of all the websites he visited, his search engine queries, and the items he viewed in the browser’s newsfeed.
Well, unsurprisingly, Xiaomi are saying that we're wrong that their browsers send all your data in Incognito mode.
So here's the evidence.
— Cybergibbons (@cybergibbons) April 30, 2020
Incidentally, this doesn’t appear to be an isolated incident. Another security researcher, Andrew Tierney, discovered the same behavior in Xiaomi’s Mi Browser Pro and Mint Browser. Both browsers are available as free downloads on Android’s Google Play Store.
The user data collection practices of large tech, social media, and smartphone companies are widely known. However, the security researchers pointed to the unusual extent of Xiaomi’s data collection. Cirlig claimed Xiaomi’s invasive data collection continued even when using the incognito mode in the browser.
Xiaomi, in its official blog, has claimed that it thoroughly encrypts the data. However, Cirlig claimed that he was easily able to decode it and find readable information. Interestingly, there’s a video that allegedly shows how the data is exposed.
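The article does not say how the captured telemetry was encoded, so the following is an added example (not from the article, Xiaomi, or the researchers) of the generic check a practitioner would run on a captured payload: whether it is merely reversibly encoded (readable after base64 and/or zlib decoding) or shows the near-8-bits-per-byte entropy expected of ciphertext. The sample payload is constructed, not a real capture.

```python
import base64
import math
import zlib


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; properly encrypted (or compressed) data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def try_decodings(payload: bytes):
    """Try key-less, reversible transforms; return (label, bytes) of the first readable result."""
    candidates = []
    try:
        raw = base64.b64decode(payload, validate=True)  # strict: rejects non-alphabet bytes
        candidates.append(("base64", raw))
        try:
            candidates.append(("base64+zlib", zlib.decompress(raw)))
        except zlib.error:
            pass
    except (ValueError, TypeError):
        pass
    for label, decoded in candidates:
        if decoded and printable_ratio(decoded) > 0.9:
            return label, decoded
    return None


def classify(payload: bytes) -> str:
    """Label a captured payload as encoded-only, plausibly encrypted, or plaintext/unknown."""
    hit = try_decodings(payload)
    if hit:
        return f"encoded ({hit[0]}), not encrypted: readable after decoding"
    if shannon_entropy(payload) > 7.5:
        return "high entropy: possibly encrypted (cannot confirm without the key)"
    return "plaintext or unknown"


# Constructed sample: a telemetry-style JSON record, zlib-compressed and base64-wrapped.
SAMPLE = base64.b64encode(zlib.compress(b'{"event":"url_visit","url":"https://example.com/search?q=test"}'))
```

A verdict of "high entropy" is only a negative signal (no obvious encoding found); a readable decode, as with SAMPLE, is positive evidence that the transport relied on encoding rather than encryption.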
Is Xiaomi Misusing User Data Which It Harvests?
Xiaomi has officially accepted that its Android smartphones do collect user data. However, the company has stressed that it takes all relevant and necessary precautions to ensure user privacy. The company added that the data does not expose user identity or link the actual data to the user at any stage. Moreover, Xiaomi added that it collects, stores and processes the data as per “Industry Standards”, which include anonymizing and encrypting the user data at all stages.
In its blog post, hosted on the official Mi website, Xiaomi has attempted to explain how it collects, stores, processes, and analyzes the data. At the very beginning, Xiaomi clarifies that it collects user data “to offer the best possible user experience, increase compatibility between the operating system and various apps.” The company added that it secures the relevant permissions and user consent prior to collecting data. In other words, Xiaomi claims that all of its data collection practices are permitted by the end-users themselves.
— Mishaal Rahman (@MishaalRahman) May 1, 2020
As an industry practice, there are two types of data that Xiaomi’s servers collect. Data such as system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports are aggregated and anonymized. This ensures that third-party apps, developers, or malicious software creators cannot link the data to individual users even if they somehow manage to access it. The second type is an individual user’s browsing data (history), which is tied to the user’s Mi account. Such data, too, is collected and stored using secure encryption practices, Xiaomi assured.
Did users really consent in an informed way? I doubt it. Besides that, 'we do not link any personally identifiable information to any of this data' doesn't say much, as long as they don't disclose their definition of PII. pic.twitter.com/r61CC71xBC
— Wolfie Christl (@WolfieChristl) May 1, 2020
As for access, Xiaomi claimed it has secured four certifications that attest to the security and privacy practices its smartphones and default apps follow. These are ISO27001:2013, ISO27018:2014, ISO29151:2017, and TRUSTe.
Xiaomi has partnered with Chinese startup Sensors Analytics, which describes itself as providing “an in-depth user behavior analysis platform and professional consulting services.” Xiaomi has confirmed it works with the startup. However, Xiaomi claimed that all the collected data is stored on its own servers and not shared with any third-party company.