For those who have not been following, cybersecurity researcher Cirlig told Forbes that every single touch on his Redmi Note 8 is being recorded and sent to remote servers. This includes what folder is opened, which screen is swiped, which song is played, among others.
Cirlig’s biggest concern was the browsing data that was being recorded on Xiaomi’s default browser and Mint browser. The researcher claimed Xiaomi was recording Google queries, websites visited, items viewed on the news feed.
Cirlig proved in a video that the recording of private data didn’t stop even in Incognito mode. He was also able to confirm the same practice being followed on other Xiaomi smartphones.
In the blog post, Xiaomi claims the collected data is aggregated and used for internal analysis. Moreover, everything is user consented and based on permissions.
Xiaomi writes that aggregated usage statistics data such as system information, user interface feature usage, responsiveness, and performance cannot be used to identify a single user. It also says that browsing data is only “synced” when the feature is turned on.
As for incognito mode in Xiaomi’s default browser, the company denies the researcher’s claims of data collecting; however, it writes that aggregated usage statistics are still collected. Moreover, Xiaomi has only partially denied the video proof of web data being recorded in incognito mode. It said the video shows collecting “anonymous browsing data”.
Interestingly, the entire blog post doesn’t include anything substantial that Xiaomi’s spokesperson didn’t tell Forbes already. Although the data collected is aggregated, Cirlig told that Xiaomi’s phone data includes unique numbers for identifying the specific device. This along with the data procured from the browser could “easily be correlated with an actual human behind the screen.”