Chinese electronics giant Xiaomi, which has an estimated hundreds of millions of users of its smartphones and web apps, has been accused of collecting sensitive personal information from customers without notification. A number of security researchers have come forward with claims that the company’s phones and apps are recording the internet activity of users and forwarding it to servers hosted by fellow Chinese tech giant Alibaba. Xiaomi claims that it only collects anonymized usage tracking statistics, but researchers say it goes far beyond that: browser histories, search engine queries, and lists of apps and files that are opened among other items.
Xiaomi’s usage tracking: Over the line?
The first public reports of Xiaomi’s intrusive usage tracking came from researcher Gabriel Cirlig with New York-based security firm White Ops. Cirlig told Forbes that he had discovered his new Xiaomi Redmi Note 8 phone passing lists of websites he visited, search queries, lists of songs played and folders he’d opened back to mysterious Alibaba-owned servers located in Singapore and Russia.
After verifying his claims, Forbes reached out to researcher Andrew Tierney of Pen Test Partners. Tierney found that two of Xiaomi’s browsers listed on the Google Play Store (Mi Browser Pro and Mint Browser) exhibited the same behavior. Meanwhile, Cirlig downloaded and examined the firmware for several other recent Xiaomi phone models and found that they contained the same browser code.
Forbes reported that the data is being transferred using base64 encoding, which is not a method of encryption: it uses no key, and anyone who obtains the data can reverse it. This means that anyone with access to the data can easily match it to a specific user identity. Among the data being collected is the unique identification number for each device plus the version of Android it is running.
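To show why base64 offers no protection, the following added example (not code from the researchers, Forbes or Xiaomi) is the kind of check a privacy auditor could run over request bodies captured from their own device: it finds parameters that decode as base64 and flags those carrying URLs or device identifiers. The field names, marker patterns and sample body are constructed for illustration and do not reproduce the real traffic format.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a form-encoded telemetry body with hypothetical field names.
_event = {"device_id": "EXAMPLE-DEVICE-0001", "os": "Android 10",
          "url": "https://example.org/search?q=private+query"}
SAMPLE_BODY = urlencode({
    "v": "1",
    "data": base64.b64encode(json.dumps(_event).encode()).decode(),
})

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Hypothetical markers for data that ties traffic to a person or a device.
MARKERS = {
    "url": re.compile(r"https?://[^\s\"]+"),
    "identifier": re.compile(r"\"(?:device_id|imei|android_id)\"\s*:\s*\"[^\"]+\""),
}

def decode_if_base64(value):
    """Return the decoded text if value is valid base64 for printable UTF-8, else None."""
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def audit_body(body):
    """List every parameter that is readable after a plain base64 decode (no key needed)."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = decode_if_base64(value)
        if text is None:
            continue
        flags = sorted(k for k, rx in MARKERS.items() if rx.search(text))
        findings.append({"param": name, "decoded": text, "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in audit_body(SAMPLE_BODY):
        print(finding["param"], finding["flags"], finding["decoded"])
```

Any finding with a non-empty flag list means the payload is readable by every party that can see the request body, including the receiving server and anyone who later obtains its logs.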
Xiaomi has issued a statement categorically denying the illicit data collection. The company says that it does collect browsing data, but it is anonymized and not as extensive as the findings of the researchers indicate. The company also claimed that data collection did not take place when the user is in “incognito” mode, but both Cirlig and Tierney’s findings contradict that claim. Forbes also cites an anonymous developer who worked on Xiaomi’s phones who claimed that they had personally seen this type of data collection while testing the devices.
Data collection on behalf of Sensors Analytics
While it’s natural to assume that any Chinese company engaging in surreptitious data collection is passing it directly on to the governing CCP, the Forbes investigation found that this information is being funneled to Xiaomi partner Sensors Analytics.
The young company was founded in 2015, but CEO Sang Wenfeng has a questionable history with customer usage tracking that predates it. Prior to founding Sensors Analytics, Wenfeng helped to build Baidu’s data analysis platform — which faced similar allegations in the past.
Differential privacy principles vs Xiaomi’s data collection
Xiaomi claims that it is collecting only anonymous data, in a manner that is standard in the industry and that is in compliance with all local and national laws. If the claims of the researchers are accurate, however, there is no way that this sort of data collection and usage tracking can be in compliance with privacy laws such as the GDPR and CCPA.
Xiaomi is using the classic “but everyone else is doing it” defense, but this level of data collection goes farther than most. There is no phone manufacturer of the size of Xiaomi that does anything comparable. Browser publishers, such as Google and Mozilla, do collect various forms of anonymized user data but do so under “differential privacy” policies that are much less intrusive. That is not to say that these Western tech giants have not had their own privacy issues, but the regular data collection that happens internally in these browsers is much more limited in scope and is generally decoupled from individual user identities.
These browsers are also usually collecting telemetry metrics for engineering purposes. What does Xiaomi need with a list of songs the phone user has played? Or the names of the files and directories they have opened?
Though it is not clear exactly what the ultimate purpose of all of this data collection and usage tracking is, the Xiaomi incident highlights the inherent problem of using the services of any tech company based in China; if the data makes its way back to servers in the country, local law allows for it to be seized and viewed by the government. The Chinese government has data privacy rules for its private tech firms and does actively police them, but this is essentially just to maintain a monopoly on surveillance; the country’s laws also make it extremely difficult for any app developed in-country to incorporate potent encryption so as to not limit the government’s access. Even if Xiaomi has nothing but good intentions in terms of usage tracking and data collection, a weak form of encoding such as base64 is likely to leave a hole somewhere in the process.
Xiaomi claimed in a recent blog post that the next web browser update will provide an option to opt out of usage tracking while in incognito mode, but it appears that the other forms of data collection will remain.