Security researcher Gabriel Cirlig has apparently discovered that the Chinese phone maker “Xiaomi” is tracking and recording Web browsing activities via the default Internet browser. The researcher has shared his findings with Forbes after he conducted extensive tests on his Redmi Note 8, figuring out that all of his browsing data was sent to a remote server owned by Alibaba and rented by Xiaomi. This data-harvesting is alarming, to say the least, and reportedly covers all search engine queries (even on DuckDuckGo) made on any browsing mode (even the incognito mode).
Moreover, the device also recorded user actions via MIUI, such as the opening of folders, accessing settings, checking the status bar, what music the user likes to listen to, and plenty more. Even unique device identifiers that can be correlated with the owner’s identity flew off to remote servers in Singapore and Russia that were registered in Beijing. Forbes asked Andrew Tierney, another researcher, to investigate the claims made by Cirlig. What Tierney found was that the Mi Browser Pro, as well as the Mint Browser, are both collecting browsing data as previously reported. Subsequent tests on the Mi 10, Redmi K20, and the Mi Mix 3 showed that the privacy problem wasn’t specific to any single device.
Even worse, the data that flies from the phones to Xiaomi’s rented servers isn’t strongly encrypted. Instead, Xiaomi uses base64 encoding, which is not encryption at all and can be reversed in a few seconds. The official response from Xiaomi calls the claims untrue and asserts that the company complies with local laws and regulations, putting users’ privacy first and above all else. Xiaomi denied recording incognito-mode browsing data and dismissed the screenshots and videos that the two researchers produced as proof. Instead, all that the company says it sees in these videos is the collection of anonymous data and non-personally identifiable information.
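To make the base64 point concrete, here is an added example (it is not code from the researchers, Forbes or Xiaomi, and the telemetry records in it are constructed placeholders, not captured traffic). It shows why an analyst looking at outbound payloads can read a base64-wrapped record as easily as plaintext, while a record that was actually encrypted before wrapping yields nothing useful when decoded.

```python
import base64
import binascii
import json
from typing import List, Optional, Tuple

# Constructed sample telemetry records standing in for the kind of data the
# article describes (search queries, UI actions, a device identifier).
# None of these values come from a real device.
CONSTRUCTED_RECORDS = [
    {
        "event": "browser_search",
        "query": "example search",
        "device_id": "DEVICE-ID-PLACEHOLDER",
        "incognito": True,
    },
    {"event": "ui_action", "action": "open_folder", "folder": "Downloads"},
]

# Constructed stand-in for ciphertext: arbitrary bytes that are not valid UTF-8,
# i.e. what a properly encrypted record looks like before base64 wrapping.
OPAQUE_BLOB = base64.b64encode(b"\xff\xfe" + bytes(range(30))).decode("ascii")

# Fields whose presence in a readable payload should worry a reviewer.
SENSITIVE_KEYS = ("device_id", "query")


def encode_record(record: dict) -> str:
    """Wrap a JSON record in base64, the way an 'encoding as encryption' design ships it."""
    return base64.b64encode(json.dumps(record).encode("utf-8")).decode("ascii")


def reveal(blob: str) -> Optional[dict]:
    """Decode a base64 string and parse it as a JSON object.

    Returns the parsed dict when the payload was plaintext JSON, or None when the
    string is not base64, does not decode to UTF-8, or is not a JSON object.
    base64 adds no secrecy, so this step needs no key or secret of any kind.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        parsed = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return parsed if isinstance(parsed, dict) else None


def sensitive_fields(record: dict) -> List[str]:
    """List the sensitive keys present in a decoded record, in SENSITIVE_KEYS order."""
    return [key for key in SENSITIVE_KEYS if key in record]


def triage(blobs: List[str]) -> List[Tuple[bool, List[str]]]:
    """For each outbound payload, report (was readable without a key, sensitive keys seen)."""
    results = []
    for blob in blobs:
        record = reveal(blob)
        if record is None:
            results.append((False, []))
        else:
            results.append((True, sensitive_fields(record)))
    return results


if __name__ == "__main__":
    payloads = [encode_record(r) for r in CONSTRUCTED_RECORDS] + [OPAQUE_BLOB]
    for blob, (readable, keys) in zip(payloads, triage(payloads)):
        status = "READABLE" if readable else "opaque"
        print(f"{status:8} sensitive={keys} payload={blob[:24]}...")
```

The first two payloads come back as fully readable JSON, with the device identifier and search query in the clear; only the third, which was opaque bytes before wrapping, resists. The difference is entirely in what went into the base64 step, which is the point the article is making.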
As to why Xiaomi collects this data in the first place, the Chinese phone maker officially stated that everyone is doing this, and chose not to comment further. What everyone in the field is doing is collecting user data for ‘behavioral analytics’ purposes, and Xiaomi is known to do business with a firm that specializes in this sector, named “Sensors Analytics.” The apps on Xiaomi phones use an API called “SensorDataAPI” to access the user data, so the dots connect. Xiaomi has admitted to doing business with that company but insists that the collected anonymous data are stored on its own servers, and that none of this information is shared with Sensors Analytics.