UPDATE (3 May / 10:20 PM): Xiaomi has since responded to the original story by providing their side of the tale through a very detailed blog post on its official website.
ORIGINAL STORY (2 May / 4:20 PM):
Xiaomi isn’t a brand that would usually raise alarms when it comes to privacy on its devices. Unfortunately, that changed overnight after it was allegedly caught recording both the phone and internet usage of millions of customers.
The discovery was reported by Forbes, which in turn had been speaking to a cybersecurity researcher by the name of Gabi Cirlig. Specifically, Cirlig says that he discovered his Redmi Note 8 was logging and tracking every action he made with the device. What’s even more alarming is that the tracking allegedly persisted even when he had switched the browser into “incognito” mode.
It should be noted that the data logging seemed to occur in the device’s default Xiaomi browser, as well as in Xiaomi’s Mi Browser Pro and Mint Browser. The browsers, which are available on Google Play, have been downloaded more than 15 million times. Beyond the browsers, Cirlig also discovered that the Xiaomi Music Player was listening in on his choice of music, logging which songs he played and even when they were played.
Nor is the Redmi Note 8 the only Xiaomi device that seems to be executing the same data logging. At the time of writing, Cirlig confirmed that the privacy issue was also present on the Mi 10, Redmi K20, and Mi MIX 3. Worse still was the way Xiaomi seems to be transferring the recorded data to its servers: Xiaomi says the data is encrypted during transfer, but Cirlig reportedly proved otherwise by easily decoding a chunk of the supposedly hidden information, which turned out to be merely base64, an encoding scheme that provides no secrecy at all and can be reversed by anyone who reads it.
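As an added illustration of that last point (not code from the article or from Cirlig’s research), the check below takes a constructed telemetry URL, decodes its base64 query parameter, and classifies it as readable plaintext (encoding only), opaque bytes (what genuinely encrypted data looks like), or not base64 at all; the host name and the payload contents are assumptions.

```python
import base64
import binascii
import math
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the article's claim: a browsing-history
# record sent base64-encoded rather than encrypted. Hypothetical host, not a
# Xiaomi endpoint and not captured traffic.
HISTORY_RECORD = b'{"url":"https://example.org/search?q=test","mode":"incognito"}'
SAMPLE_URL = (
    "https://telemetry.example.invalid/collect?payload="
    + base64.urlsafe_b64encode(HISTORY_RECORD).decode("ascii")
)
# Stand-in for genuine ciphertext: every byte value once, so maximal entropy
# and not valid UTF-8. Constructed purely for comparison.
OPAQUE_PAYLOAD = base64.urlsafe_b64encode(bytes(range(256))).decode("ascii")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, well below that for JSON/text."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(value: str) -> str:
    """'plaintext' if the value is base64 wrapping readable text (encoding
    only, no confidentiality), 'opaque' if it wraps non-text bytes (what real
    encryption looks like), 'not-base64' if it is not base64 at all."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except binascii.Error:
        return "not-base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    return "plaintext" if text.isprintable() else "opaque"


def audit_query(url: str) -> dict:
    """Classify each query parameter of a telemetry request URL."""
    params = parse_qs(urlsplit(url).query)
    return {name: classify_payload(values[0]) for name, values in params.items()}
```

A result of "plaintext" for a field the vendor describes as encrypted is the condition the article describes; pair it with the entropy figure when reviewing a capture, since ciphertext sits near 8 bits per byte.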
In response to the findings, Xiaomi brushed off Cirlig’s discovery, saying that privacy and security have always been a top concern for the company. A spokesperson for the brand did confirm that it collects data, but said this was done in order to better understand its users’ behaviour. It also stated that those users had consented to the tracking, although that point is debatable.
“Xiaomi has reviewed a recent article by Forbes on our privacy policies and believes the reporting to be misrepresentative of the facts. At Xiaomi, our users’ privacy and security are of top priority. We strictly follow and are fully compliant with user privacy protection laws and regulations in the countries and regions we operate in. In light of the misrepresentations, we would like to clarify the following:
1. In all global markets where Xiaomi is officially present, in order to offer the best possible user experience, increase compatibility between the operating system and various apps, as well as undertake the obligation of protecting user privacy, all collected usage data is based on permission and consent given explicitly by our users. Additionally, we ensure the whole process is anonymous and encrypted. The collection of aggregated usage statistics data is used for internal analysis, and we do not link any personally identifiable information to any of this data. Furthermore, this is a common solution adopted by internet companies around the world to improve the overall user experience of various products, while safeguarding user privacy and data security.
2. Xiaomi hosts information on a public cloud infrastructure that is common and well known in the industry. All information from our overseas services and users is stored on servers in various overseas markets where local user privacy protection laws and regulations are strictly followed and with which we fully comply.
3. Prior to publication, the reporter emailed us with questions relevant to the article and Xiaomi responded with full transparency, providing detailed answers regarding our technology and privacy policies. We believe the article published does not accurately reflect the content and facts of these communications. After the article was posted, we contacted the reporter with further clarification and are currently in discussion with the intention of swiftly reassuring him with how our data security works in action. In parallel, we created a live post on Xiaomi’s official blog to share this same information with the public. The Forbes article, which details how we protect users’ privacy and comply with all laws and regulations, has recently been updated to include a link to our blog post: https://blog.mi.com/en/2020/05/02/live-post-evidence-and-statement-in-response-to-media-coverage-on-our-privacy-policy/
4. As an internet company, internet security, safety and user privacy are Xiaomi’s core principles and the foundation of our day-to-day work. Our products, technologies, performance and measures on user privacy protection are constantly being improved. In the latest launch of our operating system, MIUI 12, we have adopted the industry’s most stringent and transparent privacy protection measures, to date. For additional transparency, we always welcome fact-based supervisions, inquiries and discussions from the public to continuously improve our products and services for our beloved users and Mi Fans.”