Xiaomi has been tracking and recording an insane amount of private data, from users’ phone habits to queries in Xiaomi’s default browsers.
According to a cybersecurity researcher, Cirlig, Xiaomi records all the search queries and items viewed on its default browser (Mi Browser Pro) as well as on the Mint browser. The tracking extends to Incognito mode as well.
The researcher was able to confirm the same pattern on other Xiaomi phones, including Mi 10, Redmi K20, and Mi MIX 3.
Xiaomi, in response, confirmed that it collects browsing data. However, the company says the data sent is anonymized, and users have consented to the data tracking. Meanwhile, it denied claims of information being monitored in Incognito mode.
The researcher, however, was able to prove that Xiaomi is recording Incognito mode data as well. In a video, he shows information about his visit to a porn website in incognito mode being sent to the servers.
When shown the proof, Xiaomi said, “collection of anonymous browsing data, is one of the most common solutions adopted by internet companies.”
Is it really anonymous?
When the information tracked in browsers is combined with the phone’s “metadata” collected by Xiaomi, Cirlig says the company can easily identify a single person.
Other than the browser data, Cirlig also noticed monitoring in Xiaomi apps and his touches on every screen. For instance, he observed the Xiaomi default music player app collecting information on his listening habits.
Upon much digging, the researcher was able to connect the app’s data monitoring with SensorDataAPI, which enables third-party access to app data. In the case of Xiaomi, the third party was Sensors Analytics, a startup known for tracking users.
While Xiaomi validated the findings, it claimed that the data collected by Sensors Analytics remains anonymous and is stored on Xiaomi’s own servers.
In response to the allegations, Xiaomi has released a blog post claiming the data collection to be aggregated and based on user consent.
On the other hand, it says the incognito mode of Xiaomi’s default browser does collect aggregated usage data, but that this data cannot be used to identify a single user. According to the company, the aggregated data includes system information, user interface feature usage, responsiveness, and performance, among other things.
The company has updated its blog post with another announcement. The latest update of the Mi browser (v12.1.4) and Mint browser (v3.4.3) includes a toggle to turn off aggregated usage data collection in the incognito mode.