In a recent development, Xiaomi has been accused of collecting its customers' data and web usage patterns and storing them on servers in China. The man behind these findings is Gabi Cirlig, along with cybersecurity researcher Andrew Tierney. Their research revealed shocking information, which was passed on to Forbes.
Cirlig found out that his Redmi Note 8 had been collecting his phone usage and sending that data to servers in China. Surprisingly, these servers belong to the Chinese tech giant Alibaba.
The more shocking part is that even data searched in incognito mode, a mode meant solely for privacy, was also being tracked. The device was even tracking the folders that he had opened and, at the extreme, the screens that he had swiped on. Isn’t that creepy? Not just in China: the collected data was being stored on servers located in Russia and Singapore as well.
Cirlig continued his research with other Xiaomi devices, the Redmi K20 and Mi 10, and, not much to his surprise, both contained the same encryption codes as the device he had tested earlier, which meant that these devices would also have privacy issues. The data being sent had the most basic level of encryption.
Quoting Cirlig’s words, the data sent had “a form of easily crackable encoding, known as base64”.
This data could easily be correlated with the users themselves. Cirlig: “such metadata could be easily correlated with an actual human behind the screen.”
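Base64 is a reversible encoding with no key, so anyone who can see the request body can read what it carries. The following is an added example, not code from the researchers or from Xiaomi: it scans a form-encoded request body for fields that are only base64-wrapped JSON, using a constructed sample whose field names and values are hypothetical.

```python
import base64
import binascii
import json
from urllib.parse import parse_qsl, urlencode


def build_sample_body() -> str:
    """Constructed telemetry POST body; every field name and value is hypothetical."""
    event = {
        "event": "page_view",
        "url": "https://example.org/search?q=private+query",
        "incognito": True,
        "device_id": "CONSTRUCTED-0001",
    }
    blob = base64.b64encode(json.dumps(event).encode("utf-8")).decode("ascii")
    return urlencode({"data": blob, "ts": "1588000000", "v": "1"})


def decode_b64_json_fields(body: str) -> dict:
    """Return {field: parsed JSON} for form fields that are just base64-wrapped JSON."""
    readable = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        padded = value + "=" * (-len(value) % 4)  # some senders strip padding
        try:
            raw = base64.b64decode(padded, validate=True)
            obj = json.loads(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
            continue  # not base64, or not readable JSON after decoding
        if isinstance(obj, (dict, list)):
            readable[name] = obj
    return readable


if __name__ == "__main__":
    for field, content in decode_b64_json_fields(build_sample_body()).items():
        print(f"{field}: recoverable without any key -> {content}")
```

A privacy review of an app's outbound traffic can run a check like this over captured request bodies to flag fields that look opaque but offer no confidentiality of their own.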
Xiaomi rejected all the allegations and said that the data is collected with the user's consent while maintaining their anonymity. It denied having recorded any activity in users’ incognito mode. But the researchers struck back with evidence.
Cirlig and Tierney have collected photo and video proof of their findings and have posted them online. In the video, Cirlig is seen surfing porn sites in incognito mode while showing live how the activity is being recorded and sent to a server.
Cirlig: “Xiaomi’s behavior was more invasive than other browsers like Google Chrome or Apple Safari.”
Cirlig also found out that Xiaomi had been tracking and collecting information every time he used the Xiaomi music player app. During their research, the researchers identified Sensors Analytics as the one on the receiving end of the data sent.
Sensors Analytics, a Chinese startup also known as Sensors Data, is a company that works for Xiaomi. It is a behavioral analytics company that uses data to analyse the behavioral patterns of its clients’ businesses. Both Cirlig and Tierney found that the apps were sending data to Sensors Analytics, as they came across a reference to it each time during their research.
The researchers: “When clicking on one of the domains, the page contained one sentence: ‘Sensors Analytics is ready to receive your data!’”
In response, Xiaomi’s spokesperson confirmed the relationship with the startup:
“While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi’s own servers and will not be shared with Sensors Analytics, or any other third-party companies.”
Xiaomi also announced that in its next browser update, it would allow customers to stop their visited websites from being sent to the Chinese company’s servers. Though that is a good assurance, all of this points to the fact that Xiaomi could possibly be engaged in the activities it has been accused of.
Xiaomi users beware!
In response to the allegations, Xiaomi has released a blog post claiming that the data collection is aggregated and based on user consent.
The company has updated its blog post with another announcement. The latest update of the Mi browser (v12.1.4) and Mint browser (v3.4.3) includes a toggle to turn off aggregated usage data collection in incognito mode.