Gabi Cirlig, a cybersecurity researcher, recently discovered that is Xiaomi phone is doing more than what meets the eye. He spoke to Forbes after finding out that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. Then he dug much deeper only to find that data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were apparently rented by Xiaomi.
When he looked around the Web on the default Xiaomi browser, it registered all the websites he visited, including search engine queries with either Google or the privacy based search engine DuckDuckGo, and any item viewed on the Xiaomi software newsfeed feature. The monitoring continued to occur even if he used the allegedly private "incognito" mode.
The device also documented the files he opened, including the status bar and the settings tab, and the screens he swipped to. All the data was packed and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.
In the meantime cybersecurity analyst Andrew Tierney further researched at Forbes' request. He also found browsers that Xiaomi shipped on Google Play — Mi Browser Pro and the Mint Browser — gathered the same info. According to Google Play figures, they together have more than 15 million downloads.
It's possible that many more millions would be impacted by what Cirlig described as a serious privacy issue, though Xiaomi denied that there was a problem, reports Forbes.
Xiaomi is one of the world's top four smartphone manufacturers by market share. Priced at $50 billion, it is behind Apple, Samsung and Huawei. Xiaomi has big sales with its cheap devices with many of the same features that higher-end smartphones have. However, it comes with the hefty price of losing one's privacy.
Cirlig thinks the issues concern a lot more models than the one he's been studying. For other Xiaomi phones, he downloaded firmware — including Xiaomi MI 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3. He then verified that they had the same browser code which led him to believe that they had the same privacy issues.
And there seem to be problems with the way Xiaomi transfers the data to its servers. While the Chinese company stated that the data was being encrypted while transmitted in an effort to preserve user privacy, Cirlig found that by decoding a chunk of information covered with an easily crackable type of encoding, known as base64, he was able to quickly see exactly what was being taken from his computer. It took only a few seconds for Cirlig to transform the garbled data into readable chunks of information.
"My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user," warned Cirlig.
In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security are of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." But a spokesperson acknowledged that it was collecting browsing data, saying that the information was anonymized so that it was not connected to any identification. They said users consented to this sort of monitoring.
However, as Cirlig and Tierney have pointed out, it was not just the website or Web search that was submitted to the server. Xiaomi also collected phone data including unique numbers for the individual device and Android version. Cirlig said such "metadata" could "easily correlate with an actual human behind the computer."
Xiaomi's spokesperson also denied that incognito mode was capturing browsing data. However, both Cirlig and Tierney found in their independent research that their web habits were sent off to remote servers regardless of which mode the browser was set to, providing evidence of both images and videos.
When Forbes sent a video made by Cirlig to Xiaomi showing how his Google search for "porn" and a visit to the PornHub site were sent to remote servers, the company spokesperson continued to deny that the information was being registered. "This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information," they added.
Both Cirlig and Tierney said Xiaomi's behaviour was more invasive than other browsers like Google Chrome or Apple Safari. "It's a lot worse than any of the mainstream browsers I have seen," Tierney said. "Many of them take analytics, but it's about usage and crashing. Taking browser behaviour, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets."
Cirlig also believed that Xiaomi was tracking the use of the device, as a chunk of information would be sent to a remote server any time he opened an app. Another researcher who had checked Xiaomi products, though he was under an NDA to publicly discuss the matter, said he had seen similar data collected by the manufacturer's phone. Xiaomi did not answer questions on the matter.
Xiaomi seems to have yet another purpose to collect the data: to better understand its users' behaviour. It's using the services of a behavioural analytics company called Sensors Analytics. Since its founding in 2015, the Chinese company, also known as Sensors Data, has raised $60 million, most recently taking $44 million in a round led by New York private equity firm Warburg Pincus which also featured Sequoia Capital China. As described in Pitchbook, a tracker of company funding, Sensors Analytics is a "provider of an in-depth user behaviour analysis platform and professional consulting services." Its tools help its clients in "exploring the hidden stories behind the indicators in exploring the key behaviours of different businesses."
Both Cirlig and Tierney discovered that their Xiaomi apps sent data to domains that appeared to reference Sensors Analytics, including frequent use of SA. The page contained one sentence when clicking on any of the domains: "Sensors Analytics is ready to receive your data!" There has been an API named the SensorDataAPI — an API (application programming interface) is the framework that enables access to sensor data from third parties. Xiaomi is also classified on the Sensors Data's website as a client.
The founder and CEO of Sensors Data, Sang Wenfeng, has a long history of tracking users. According to his company profile, he developed a big data framework for user logs at Chinese internet giant Baidu.
Xiaomi's spokesperson confirmed the relationship with the startup: "While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi's own servers and will not be shared with Sensors Analytics, or any other third-party companies."