Xiaomi recording users' ‘private’ web and phone use: Expert tells Forbes
The Business Standard

TBS Report
02 May, 2020, 02:10 pm
Last modified: 02 May, 2020, 04:47 pm

The logo of Xiaomi is seen inside the company's office in Bengaluru, India, January 18, 2018/ Reuters

Gabi Cirlig, a cybersecurity researcher, recently discovered that his Xiaomi phone was doing more than meets the eye. He spoke to Forbes after finding out that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. He then dug deeper, only to find that the data was being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were apparently rented by Xiaomi.

When he browsed the Web with the default Xiaomi browser, it recorded all the websites he visited, including search engine queries made with either Google or the privacy-focused search engine DuckDuckGo, and every item viewed on the Xiaomi software newsfeed feature. The monitoring continued even when he used the supposedly private "incognito" mode.

The device also documented the files he opened, including the status bar and the settings tab, and the screens he swiped to. All the data was packed and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.

Meanwhile, cybersecurity analyst Andrew Tierney investigated further at Forbes' request. He found that the browsers Xiaomi shipped on Google Play, Mi Browser Pro and the Mint Browser, gathered the same info. According to Google Play figures, they together have more than 15 million downloads.

It's possible that many more millions would be impacted by what Cirlig described as a serious privacy issue, though Xiaomi denied that there was a problem, reports Forbes.

Xiaomi is one of the world's top four smartphone manufacturers by market share. Valued at $50 billion, it is behind Apple, Samsung and Huawei. Xiaomi sells in large volumes on the strength of cheap devices that offer many of the same features as higher-end smartphones. However, that comes with the hefty price of losing one's privacy.

Cirlig thinks the issues concern many more models than the one he has been studying. He downloaded firmware for other Xiaomi phones, including the Xiaomi MI 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3, and verified that they had the same browser code, which led him to believe that they had the same privacy issues.

There also seem to be problems with the way Xiaomi transfers the data to its servers. While the Chinese company stated that the data was encrypted in transit in an effort to preserve user privacy, Cirlig found that by decoding a chunk of information covered with an easily crackable type of encoding, known as base64, he was able to quickly see exactly what was being taken from his computer. It took only a few seconds for Cirlig to transform the garbled data into readable chunks of information.
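What the base64 finding means in practice, as an added example (not code from Cirlig, Forbes or Xiaomi): a small audit helper that walks a captured form-encoded request body and reports any field that becomes readable after a plain base64 decode, with no key involved. The payload, field names and values are constructed for illustration and do not reproduce the real traffic.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl

# Constructed sample: a form-encoded telemetry body as it might appear in an
# intercepting proxy. Field names and values are hypothetical.
_event = {"url": "https://duckduckgo.com/?q=example+search", "incognito": True,
          "device_id": "0000-PLACEHOLDER", "os": "Android 10"}
SAMPLE_BODY = "ts=1588400000&app=browser&data=" + base64.urlsafe_b64encode(
    json.dumps(_event).encode()).decode()

URL_RE = re.compile(r"https?://[^\s\"']+")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def try_b64(value):
    """Return decoded text if value is base64 that decodes to printable UTF-8."""
    if not B64_RE.match(value):
        return None
    # Restore padding and map the URL-safe alphabet back to the standard one.
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"),
                               validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or binary (e.g. real ciphertext) underneath
    return text if text.isprintable() else None


def audit_body(body):
    """Report fields whose values are readable after a plain base64 decode."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is None:
            continue
        findings.append({"field": name, "decoded": decoded,
                         "urls": URL_RE.findall(decoded)})
    return findings


if __name__ == "__main__":
    for finding in audit_body(SAMPLE_BODY):
        print(finding["field"], "->", finding["decoded"])
```

A field that decodes to readable text here is protected only by whatever transport encryption surrounds it; properly encrypted content decodes to binary and is skipped.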

"My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user," warned Cirlig.

Xiaomi's response

In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security are of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." But a spokesperson acknowledged that it was collecting browsing data, saying that the information was anonymized so that it was not connected to any identification. They said users consented to this sort of monitoring.

However, as Cirlig and Tierney have pointed out, it was not just the website or Web search that was submitted to the server. Xiaomi also collected phone data including unique numbers for the individual device and Android version. Cirlig said such "metadata" could "easily correlate with an actual human behind the computer."

Xiaomi's spokesperson also denied that browsing data was being captured in incognito mode. However, both Cirlig and Tierney found in their independent research that their web habits were sent off to remote servers regardless of which mode the browser was set to, and both provided images and videos as evidence.

When Forbes sent a video made by Cirlig to Xiaomi showing how his Google search for "porn" and a visit to the PornHub site were sent to remote servers, the company spokesperson continued to deny that the information was being registered. "This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information," they added.

Both Cirlig and Tierney said Xiaomi's behaviour was more invasive than other browsers like Google Chrome or Apple Safari. "It's a lot worse than any of the mainstream browsers I have seen," Tierney said. "Many of them take analytics, but it's about usage and crashing. Taking browser behaviour, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets."

Cirlig also believed that Xiaomi was tracking the use of the device, as a chunk of information would be sent to a remote server any time he opened an app. Another researcher who had checked Xiaomi products, though he was under an NDA that kept him from discussing the matter publicly, said he had seen similar data collected by the manufacturer's phone. Xiaomi did not answer questions on the matter.

Behavioural Analytics

Xiaomi seems to have yet another purpose for collecting the data: to better understand its users' behaviour. It is using the services of a behavioural analytics company called Sensors Analytics. Since its founding in 2015, the Chinese company, also known as Sensors Data, has raised $60 million, most recently taking $44 million in a round led by New York private equity firm Warburg Pincus which also featured Sequoia Capital China. As described in Pitchbook, a tracker of company funding, Sensors Analytics is a "provider of an in-depth user behaviour analysis platform and professional consulting services." Its tools help its clients in "exploring the hidden stories behind the indicators in exploring the key behaviours of different businesses."

Both Cirlig and Tierney discovered that their Xiaomi apps sent data to domains that appeared to reference Sensors Analytics, including frequent use of SA. When clicking on any of the domains, the page contained one sentence: "Sensors Analytics is ready to receive your data!" There was also an API named the SensorDataAPI; an API (application programming interface) is the framework that enables access to sensor data from third parties. Xiaomi is also listed as a client on Sensors Data's website.

The founder and CEO of Sensors Data, Sang Wenfeng, has a long history of tracking users. According to his company profile, he developed a big data framework for user logs at Chinese internet giant Baidu.

Xiaomi's spokesperson confirmed the relationship with the startup: "While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi's own servers and will not be shared with Sensors Analytics, or any other third-party companies."
