The articles were based on the findings of cybersecurity researcher Gabi Cirlig, who claims to have discovered that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were rented by Xiaomi, according to Cirlig. The device's default Xiaomi browser recorded all the websites he visited, including search-engine queries, whether made on Google or the privacy-focused DuckDuckGo, and every item viewed in a news feed feature of the Xiaomi software. That tracking appeared to be happening even when he used the supposedly private “incognito” mode. The device was also recording which folders he opened and which screens he swiped to, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the web domains they hosted were registered in Beijing, according to Cirlig.
Cirlig thinks that the problems affect many more models than the one he tested, including the Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices.
Here is what Xiaomi said:
“Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our users’ privacy and internet security are of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.
The collection of aggregated usage statistics data is used for internal analysis, and we do not link any personally identifiable information to any of this data. Furthermore, this is a common solution adopted by internet companies around the world to improve the overall user experience of various products, while safeguarding user privacy and data security.
Xiaomi hosts information on a public cloud infrastructure that is common and well known in the industry. All information from our overseas services and users is stored on servers in various overseas markets where local user privacy protection laws and regulations are strictly followed and with which we fully comply.”
The Chinese company said that the aggregated usage statistics it collects (such as system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports) cannot on their own be used to identify any individual. For example, Xiaomi says that a URL is collected to identify web pages that load slowly, giving the company insight into how best to improve overall browsing performance.
In addition, Xiaomi says that an individual user’s browsing data (history) is synced only when the user is signed in to a Mi Account and the data sync function is set to “On” under Settings.
Xiaomi says that in its browser’s incognito mode, user browsing data is not synced, but aggregate usage statistics are still collected. For those statistics, the software generates random unique tokens and appends them to the data, and Xiaomi says these tokens therefore do not correspond to any individual. Xiaomi also says that the usage statistics are transmitted over HTTPS using TLS 1.2 encryption.