Even more worryingly, the phone also appeared to log many local actions such as “what folders he opened and to which screens he swiped, including the status bar and the settings page,” said the report. It continues to note that “All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.”
Chinese technology companies have come under scrutiny in western press before for allegedly harvesting user data without consent. While the Huawei trade ban is more complicated than just such accusations, a large part of the US’ reluctance to use Huawei 5G equipment was the possibility that US citizens’ data could be sent to China via ‘backdoors’.
Forbes also said it asked another security researcher to try and verify the original claims against Xiaomi, reporting that “researcher Andrew Tierney … found browsers shipped by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics.
Cirlig said that the issue was not confined to the Redmi Note 8, and said he found the firmware for the Xiaomi Mi 10, Redmi K20 and Mi MIX 3 had the same browser code.
Xiaomi is not denying the data is sent to servers but is said to have responded that the data was encrypted when transferred. Cirlig was able to decrypt it easily as the transfer uses the common base64 encoding.
Many tech companies hold user data on their servers, but it is commonly anonymised to protect basic right to privacy. Cirlig concluded that “My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user.”
Xiaomi said that the claims were “untrue”, that data was collected anonymously and that users had consented to such collection. However, Forbes said that Xiaomi continued to deny data collection was happening in incognito mode despite being shown a video that proves the contrary.
Since the report Xiaomi has published a blog in response where it makes some denials but also has said an update to its browser will allow customers to stop visited site data being sent to Xiaomi servers.