[UPDATED] Report: Built-in web browser on Xiaomi phones records activity, even in Incognito Mode

[ UPDATE 04/05/2020 19:17 ] A representative of Xiaomi has reached out with an official press statement in response to the allegations. Full statement can be viewed at the bottom of this article.

====== 

Xiaomi‘s smartphones—actually, their entire range of products—is based on a business model that sells devices at ultra-competitive prices at a low profit margin. Instead, the company depends on generating huge volume in sales, while the low prices are offset with revenue from additional services and data.

However, a Forbes report claims that the Chinese company’s default web browser (built-in to most Xiaomi smartphones) tracks browsing activity, before sending the data to remote servers purportedly owned by the Chinese company. The alarming aspect to the claim is that Xiaomi’s mobile browsers allegedly track your online activity, even in Incognito Mode.

What’s being recorded?

According to a cybersecurity researcher discovered the issue when using his new Redmi Note 8 smartphone. Besides tracking information, he discovered that data includes folders and screens that he accessed on the smartphone, along with search engine queries.

Researchers have also discovered that the company collects data on various information on the device besides browsing activity. This even includes unique numbers to identify mobile devices and Android OS versions—which could theoretically be used to identify individual users.

Additionally, this practice reportedly extends to Xiaomi’s proprietary browsers that are available for free on the Google Play store: Mi Browser Pro and the Mint Browser.

This data is then encrypted, and transferred to servers. However, the Base64 encryption used is fairly basic, with the researcher referring to the standard as “easily crackable”. This arguably raises the issue of potential security vulnerabilities, in addition to privacy concerns over having your activity tracked by your browser.

Xiaomi: Claims are untrue

While Xiaomi has admitted that the company does indeed collect browsing data, the company argues that this any data collected is anonymous in nature, which means that the data cannot be used to identify individual user’s habits.

A global VP at Xiaomi called the allegations “false news”, reiterating that all of Xiaomi’s products are “100% safe”. The company assured users that its protocols are “fully compliant with local laws and regulations on user data privacy matters”, and that users have consented to browser tracking.

However, a spokesperson for the company denied claims that their browsers track activity in Incognito Mode. This is a claim that has disputed by researchers, who have offered proof that the icognito mode activity is still tracked.

This, supposedly, is still considered to be “anonymous browsing data” by the Chinese company. In fact, Xiaomi argues that the practise is commonplace in the industry:

“This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information.”

Finally, Xiaomi has announced that an update will give users the option to opt out of “data collection” when in Incognito Mode. However, it’s worth noting that it is still on by default, and the setting isn’t exactly easily accessible. Instead, it requires going through three pages before you come across the setting—which means that plenty of users might not even notice the option.

In the meantime, it might be worthwhile to simply use one of to the other browser options in the market right now.

Full statement from Xiaomi:

“Xiaomi has reviewed a recent article by Forbes on our privacy policies and believes the reporting to be misrepresentative of the facts. At Xiaomi, our users’ privacy and security are of top priority. We strictly follow and are fully compliant with user privacy protection laws and regulations in the countries and regions we operate in. In light of the misrepresentations, we would like to clarify the following:

1. In all global markets where Xiaomi is officially present, in order to offer the best possible user experience, increase compatibility between the operating system and various apps, as well as undertake the obligation of protecting user privacy, all collected usage data is based on permission and consent given explicitly by our users. Additionally, we ensure the whole process is anonymous and encrypted. The collection of aggregated usage statistics data is used for internal analysis, and we do not link any personally identifiable information to any of this data. Furthermore, this is a common solution adopted by internet companies around the world to improve the overall user experience of various products, while safeguarding user privacy and data security.

2. Xiaomi hosts information on a public cloud infrastructure that is common and well known in the industry. All information from our overseas services and users is stored on servers in various overseas markets where local user privacy protection laws and regulations are strictly followed and with which we fully comply.

3. Prior to publication, the reporter emailed us with questions relevant to the article and Xiaomi responded with full transparency, providing detailed answers regarding our technology and privacy policies. We believe the article published does not accurately reflect the content and facts of these communications. After the article was posted, we contacted the reporter with further clarification and are currently in discussion with the intention of swiftly reassuring him with how our data security works in action. In parallel, we created a live post on Xiaomi’s official blog to share this same information with the public. The Forbes article, which details how we protect users’ privacy and comply with all laws and regulations, has recently been updated to include a link to our blog post: https://blog.mi.com/en/2020/05/02/live-post-evidence-and-statement-in-response-to-media-coverage-on-our-privacy-policy/

4. As an internet company, internet security, safety and user privacy are Xiaomi’s core principles and the foundation of our day-to-day work. Our products, technologies, performance and measures on user privacy protection are constantly being improved. In the latest launch of our operating system, MIUI 12, we have adopted the industry’s most stringent and transparent privacy protection measures, to date. For additional transparency, we always welcome fact-based supervisions, inquiries and discussions from the public to continuously improve our products and services for our beloved users and Mi Fans.“

[ SOURCE ]