Collecting Private Data
Last Friday, cybersecurity researcher Gabi Cirlig told Forbes that he had discovered that his smartphone had collected a lot of his data, even when he was using incognito mode. Xiaomi then sent this data to servers hosted by Chinese tech giant Alibaba. The browser recorded which websites he had visited, what he had entered into search engines like Google and DuckDuckGo, which news items he had viewed, and which folders he had opened. All of this data was collected and sent to Beijing, and then continued its journey to Singapore and Russia. Forbes asked Andrew Tierney to continue Cirlig’s research, which found that the other browsers created by Xiaomi, the Mi Browser Pro and the Mint Browser, were collecting all of this data as well.
Cirlig can’t conclude from his research that the issue he found on his phone is limited to the model that he uses. He found that other models used the same browser code, which suggests that it might be a wider issue. He also researched the way in which Xiaomi transfers the data to its servers. The company claims to have encrypted all data so that the privacy of its users is protected at all times. But Cirlig found that he could decode the encryption easily. This means that hackers might be able to connect this data to a specific user.
Xiaomi’s Response
Xiaomi responded to these accusations by issuing an official statement. In this statement, they say that the researchers “have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.” Xiaomi confirmed that they collected browsing data, and stated that users had given consent for them to do so. Interestingly, the company denied that they collect data in incognito mode. The big issue is that they weren’t just collecting browsing data. The metadata about the phone and its use could be traced back to an actual person. And questions about the collection of such data weren’t answered.
Updated Browsers
Even though it seems pretty clear that Xiaomi isn’t admitting they’ve done anything wrong, they have decided to roll out an update for their browsers. In this update, you can switch off the ‘aggregated data collection’ in incognito mode. The company stated that they “believe this functionality, in combination with [their] approach of maintaining aggregated data in non-identifiable form, goes beyond any legal requirements and demonstrates [the] company’s commitment to user privacy.” The updated versions – Mi Browser/Mi Browser Pro v12.1.4 and Mint Browser v3.4.3 – are now available in the Google Play Store. You will still have to manually disable the data collection, since the privacy setting is not enabled by default. Simply go into your incognito mode settings and enable the ‘Enhanced Incognito mode’.