Security researcher Gabi Cirlig has discovered that his Redmi Note 8 usage habits were being tracked and sent to servers hosted by Alibaba in Singapore and Russia and rented by Xiaomi. This included the folders he opened on his phone and the screens he swiped to, including the status bar and the settings menu. As if that was not enough, Xiaomi was even tracking what music Cirlig was listening to in the default music player on his Redmi phone.
The security researcher also found that whenever he browsed the web using Xiaomi's default browser app, it kept a record of all the websites he visited, search engine queries, and the items viewed on the browser's newsfeed. More worryingly, the behavior continued even when using the incognito mode in the browser. The security researcher found the same tracking code in other Xiaomi phones as well including premium models like the Redmi K20, Mi 10, and Mi Mix 3.
Another security researcher, Andrew Tierney, discovered the same behavior in Xiaomi's Mi Browser Pro and Mint Browser, both of which are available on the Google Play Store and have over 15 million downloads combined. What's even more worrying is that despite Xiaomi's claims that the data was being encrypted for security reasons, Cirlig found that he was easily able to decode it and read the information it contained.
When contacted by Forbes, Xiaomi did confirm that it was collecting users' browsing data, though it said it was anonymizing that data for privacy reasons. It also claimed that users had consented to having their browsing history tracked. The company, however, denied that it was tracking data when incognito mode was used in the browser.
When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for “porn” and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.
Xiaomi is seemingly collecting the data to understand users' behavior. The company has partnered with Chinese startup Sensors Analytics, which provides "an in-depth user behavior analysis platform and professional consulting services." Xiaomi confirmed its relationship with Sensors Analytics, though it noted that all the collected data is stored on its own servers and not shared with any third-party company.
Update: Xiaomi has issued a new statement about the entire matter. The company says that its original communication was "misunderstood" and that users' privacy and internet security are a top priority for it. It notes that under incognito mode, a user's browsing data is not synced, but aggregated usage statistics are collected. It has also posted the relevant screenshot of the code as proof. The aggregated usage statistics are used by the company for internal analysis, and it says this is a common approach among many internet companies. For any data Xiaomi collects, it says it makes sure that the data is anonymous and encrypted.