Xiaomi Accused Of Harvesting Private Data: Here's Everything We Know So Far

So Xiaomi has been called out by security researchers for allegedly harvesting user information gained from activity logs through its in-house mobile browsers and sending the data to remote servers hosted by Alibaba.
White Ops security researcher Gabi Cirlig, together with Andrew Tierney, wrote about their findings in an article for Forbes, claiming that Xiaomi's default browser on Cirlig's Redmi Note 8 was recording every website he accessed and capturing all of his search engine queries, even when he used Google or the privacy-focused DuckDuckGo.

What's the allegation about?

What's further surprising is that the recording did not stop even when he switched to the more private Incognito mode. Incognito mode is meant to keep browsing sessions private from websites by not saving browsing history, cookies or information entered in forms, which is why this finding was so baffling. Cirlig also alleged that the phone was recording details of the folders and screens he accessed.
To find out what user information was being relayed from the Xiaomi phone, Cirlig first decoded a chunk of garbled data that had been obscured with base64 and within seconds was able to read it in plain form. Base64 is an encoding scheme that represents arbitrary binary data as ASCII text; it is not encryption and requires no key to reverse, so it offers no real protection for the data it wraps.
Cirlig suspects this was not a one-off incident and is happening on other models sold by Xiaomi as well. To verify this, he downloaded firmware for other Xiaomi phones such as the Mi 10, Redmi K20 and Mi MIX 3 and found that they contained the same browser code. Though the remote servers were in Singapore and Russia, the web domains they hosted were registered in Beijing.
To validate Cirlig's claims, Forbes reached out to Andrew Tierney, a leading cybersecurity researcher, to investigate further. As per the Forbes report, Tierney confirmed that the phone's default browsers, namely Mi Browser Pro and Mint Browser, were collecting user data.
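To show how little base64 hides, and what a privacy audit of such telemetry looks for, here is an added example (not code from the article or the researchers) that decodes a captured record and flags visited URLs, search terms and Incognito activity. The payload layout and field names are constructed assumptions, since the article does not document the real format.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed samples for illustration only (not data from any device; field names are assumptions).
SAMPLE_RECORD = {
    "event": "page_view",
    "url": "https://duckduckgo.com/?q=example+search+terms",
    "incognito": True,
}
SAMPLE_B64 = base64.b64encode(json.dumps(SAMPLE_RECORD).encode()).decode()
SAMPLE_TEXT_B64 = base64.b64encode(b"opened https://example.org/folder/photos").decode()

URL_RE = re.compile(r"https?://[^\s\"']+")
SEARCH_PARAMS = ("q", "query", "search")  # common search-engine query parameters

def decode_payload(blob: str):
    """Strip the base64 layer. Base64 is encoding, not encryption: no key is needed."""
    padded = blob + "=" * (-len(blob) % 4)  # tolerate blobs with stripped padding
    raw = base64.b64decode(padded)
    try:
        return json.loads(raw)  # structured telemetry record
    except ValueError:
        return raw.decode("utf-8", errors="replace")  # fall back to plain text

def extract_urls(value):
    """Walk nested dicts and collect every http(s) URL found in string values."""
    if isinstance(value, dict):
        return [u for v in value.values() for u in extract_urls(v)]
    if isinstance(value, str):
        return URL_RE.findall(value)
    return []

def search_terms(url: str):
    """Return the search query embedded in a URL, if any (parse_qs decodes '+' to space)."""
    qs = parse_qs(urlparse(url).query)
    for param in SEARCH_PARAMS:
        if param in qs:
            return qs[param][0]
    return None

def audit_payload(blob: str) -> dict:
    """Summarise what one outbound telemetry record reveals about the user's browsing."""
    record = decode_payload(blob)
    urls = extract_urls(record)
    terms = [t for t in (search_terms(u) for u in urls) if t]
    incognito = isinstance(record, dict) and bool(record.get("incognito"))
    return {"urls": urls, "search_terms": terms, "in_incognito": incognito}
```

Run `audit_payload` over each request body captured from the device (for example with a local intercepting proxy) to see exactly which browsing details leave the phone.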

What has Xiaomi's response been?

In a blog post, Xiaomi clarified its data practices, saying it collects aggregated usage statistics on things like responsiveness and performance that can't be used to identify individuals. The company also said it syncs web browsing history if people have the feature turned on in their settings. It denied any wrongdoing and said Forbes misunderstood its data privacy principles and policy.
"At Xiaomi, our users' privacy and security are of top priority," the company said in its post. "We strictly follow and are fully compliant with user privacy protection laws and regulations around the world."
