Buckle up, folks. This is gonna be a rough one. Special warning to those folks who use Xiaomi devices, because this news will make you more than a little concerned. Cyber security researcher Gabi Cirlig revealed to Forbes that Xiaomi’s default browser, used by millions, is secretly tracking and farming users’ personal data. Beyond the default browser, Xiaomi’s external browsers that have shipped on the Google Play Store, Mi Browser Pro and the Mint Browser, have been caught doing exactly the same thing, meaning nearly every owner of a Xiaomi device could have personal data gathered and sent to remote servers, owned by Chinese tech giant Alibaba, in Singapore and Russia.
Which is more than a little scary. Cirlig first noticed this occurring with his Xiaomi Redmi Note 8, but extended his research beyond the original phone and noticed the same thing happening with the Xiaomi Mi 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3.
The data pulled from the devices included all the websites accessed by the apps, search engine results, search terms and every item viewed on the Xiaomi news feed feature. Xiaomi denied the allegations in a statement to Forbes, attempting to explain that all the data that had been collected was secure and safely encrypted…until Cirlig was able to “easily” decrypt some of the data himself, showing that in the wrong hands it could be traced back to an individual without much hassle.
Responding to Forbes, Xiaomi stated, “The research claims are untrue,” and “Privacy and security is of top concern,” which is obviously what they would say. Xiaomi went on to confirm that data was being harvested by their devices but that the process was to help them better understand their customers, all of whom had consented to the process. You win this round, fine print in the Terms and Conditions document!
Xiaomi recently released a blog post detailing how they intended to fix this breach of privacy, announcing that an update was being released for its browser that would include “an option in incognito mode … to switch on/off the aggregated data collection,” so users can better control which data is sent off to a remote server. We don’t know, though. It’s very easy to say that, but this should have been in place before all of Xiaomi’s shenanigans were exposed for the world to see. A cover-up only works if the public aren’t already aware of the truth.