The data was being compiled and sent to remote servers in Singapore and Russia hosted by web domains registered in Beijing.
India’s top-selling smartphone brand, Xiaomi, has reportedly been accused of recording the data of millions of its users, raising privacy concerns.
Cybersecurity researcher Gabi Cirlig discovered that his Redmi Note 8 was ‘watching much of what he was doing on his phone’. The smartphone apparently tracked the user behaviour and sent data to remote servers hosted by another Chinese firm, Alibaba, reported Forbes.
While investigating, Cirlig further found that the default Xiaomi browser recorded all the websites that were visited on the device. This also included search activities on Google and privacy-focused DuckDuckGo. Cirlig also noticed that the device tracked his activities even when he was supposedly using the incognito mode — a setting that prevents browsing history or cache from being stored.
Furthermore, the device was also found tracking and recording other tasks and activities like the folders being opened, the various screens that were being swiped, etc. The data was being compiled and sent to remote servers in Singapore and Russia hosted by web domains registered in Beijing.
Another cybersecurity researcher Andrew Tierney found that other Xiaomi browsers — Mi Browser Pro and the Mint Browser — listed on the Google Play Store were collecting similar data.
On further investigation, Cirlig found similar results on other Xiaomi devices like Mi 10, Redmi K20, etc., after he downloaded the firmware of these devices.
Xiaomi, in its response to Forbes, denied the allegations, stating that the research claims are untrue. It noted that privacy and security are of its top concerns and that it “strictly follows and complies to the local law and regulations on user data privacy.”
However, a Xiaomi spokesperson did confirm that the company was collecting browsing data, claiming the information was anonymised so it was not tied to any identity. They denied collecting user data while browsing using the incognito mode.
To counter the response, Forbes provided Xiaomi with a video shared by Cirlig, that showed how his Google search for “porn” and a visit to the site PornHub was sent to remote servers, even when in incognito mode. The Xiaomi spokesperson, again, denied the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analysing non-personally identifiable information,” the spokesperson said.
Xiaomi did not respond to questions raised upon the monitoring of app usage and sending that data to remote servers.The Chinese manufacturer is the fourth largest smartphone brand in the world, behind Apple, Samsung and Huawei. In India, Xiaomi has been the number one smartphone seller for several quarters. It was reported that the company shipped over 10.3 million devices in India and had a market share of 30.6 percent in Q1 2020.