Xiaomi Found Recording 'Private' Web and Phone Use, Researchers Claim

According to an exclusive report from Forbes, cybersecurity researcher Gabi Cirlig discovered that his Xiaomi Redmi Note 8 smartphone was watching much of what he was doing and sending that data to remote servers hosted by Chinese tech giant Alibaba, which were ostensibly rented by Xiaomi. From the report: The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode.

The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Meanwhile, at Forbes' request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play -- Mi Browser Pro and the Mint Browser -- were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics. Cirlig thinks that the problems affect many more models than the one he tested. In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." A spokesperson did however confirm it was collecting browsing data, claiming the info was anonymized and users had consented to it.

Cirlig and Tierney pointed out that Xiaomi "was also collecting data about the phone, including unique numbers for identifying the specific device and Android version," reports Forbes. "Cirlig said such 'metadata' could 'easily be correlated with an actual human behind the screen.'"

The researchers also say they found their Xiaomi apps to be sending data to domains that appeared to reference Sensor Analytics, which Xiaomi says "provides a data analysis solution for Xiaomi," adding that that the collected anonymous data "are stored on Xiaomi's own servers and will not be shared with Sensor Analytics, or any other third-party companies."

"Privacy and security is of top concern,"

[Hans Lehmann]

Any time any company says that, they're lying.

Re:

[DontBeAMoran]

Except Apple of course, because they >think different [wikipedia.org].

You know Apple is lying when they say things like "low-cost" and "entry-level".

Re:

[saloomy]

I don't think Apple has really ever used "Low Cost" or "Entry Level" to describe their products. They usually lead with "best one ever", and "2x better than the last one".

Apple products are not for everyone. But they sure have seemed to go the extra mile to protect user's privacy. I think some of that is to swipe at their primary competitor (Google), but I really care more about the what, than the why. I knew of a case involving iMessages being sent to someone's device they bought for a relative, which en

Re:

[saloomy]

I should mention, the user signed in themselves to load apps, not realizing the iMessages were being received on the device as well. That was user mis-understanding the tools, not a fault of Apple's.

Re:

[rickb928]

Just bought my wife an 'SE2020'. And this one Apple would call 'low-cost'.

It's fabulous, btw, she loves it, her iPhone 7 was past its prime.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:"Privacy and security is of top concern,"

[h33t l4x0r]

They're just as bad as US companies. It's shocking!

steal from the best

[mschaffer]

Of course. Where else do you think the Chinese companies learned that from?

Re:"Privacy and security is of top concern,"

[the_povinator]

I'm a Westerner working for Xiaomi in Beijing (search for "Daniel Povey").

I do believe that they make an effort with privacy and care about it. I don't know any specifics about this though. There is a push for more AI so if this data is being collected, it may relate to the desire to do analytics for that.

Re:

[Anonymous Coward]

The push is to protect it against other companies, not against man-in-the-middle by Chinese intelligence or to protect customers from them. All data in Beijing has been effectively man-in-the-middle accessible to Chinese intelligence, including AWS hosted content, since Beijing was given back to China. They rootkit the firewalls, especially Cisco, proxies to steal the private keys and do man-in-the-middle, If you run your own proxy, you can relyin on it being rootkitted using local physical necessary.

Re:

[mschaffer]

I have no doubt that Xiaomi wants to keep their actions private. One great way to misdirect is to hire rubes and bombard them with fake information.
Search for "disinformation".

Re: "Privacy and security is of top concern,"

[NoMoreACs]

I'm a Westerner working for Xiaomi in Beijing (search for "Daniel Povey").
  I do believe that they make an effort with privacy and care about it. I don't know any specifics about this though. There is a push for more AI so if this data is being collected, it may relate to the desire to do analytics for that.

There. Now will you please let my wife and children go?

Re: "Privacy and security is of top concern,"

[ruemere]

China Uighurs: Detained for beards, veils and internet browsing: https://www.bbc.com/news/world... [bbc.com]

Re:

[the_povinator]

Ha. I'm not a complete patsy: I do sometimes post stuff critical of China on Twitter, although my wife (who is not Chinese and who lives in the USA right now) usually makes me take it down pretty quick.

For what it's worth, Xiaomi does not have a close relationship with the Chinese government, and would certainly push back harder than other Chinese manufacturers if asked to give them data. E.g. I have heard this explanation (not close relationship with the gov't) as an explanation when I complained that

Re: "Privacy and security is of top concern,"

[Type44Q]

For what it's worth, Xiaomi does not have a close relationship with the Chinese government,

For that to actually be true, they'd have to be a figment of our imagination and not actually exist.

Re:

[AmiMoJo]

So basically the same as western companies. Pre-ticked opt-in box somewhere, note buried in the privacy policy you didn't read.

Where it gets dicey is that these guys are from Romania, which is in the EU, which means they are covered by GDPR. So unless they got very specific and clear opt-in permission they could be in trouble.

Re:

[rickb928]

The company I work for says 'Security and privacy are *A* top concern.

And ti seems to be, from the internal practices I see and am subject to. But 'top concern'? It only on a par with ethical practices, profitability, and growth.

And yes, I've witnessed multiple examples in almost 14 years where ethical behavior triumphed over profit or even convenience. I work for a company where i don;t get into trouble for doing the right thing. Not blameless or perfect, but well above the norm, and surprisingly so. Othe

They were not "Found" they were caught.

[bobstreo]

Privacy and security are very important to Xiaomi, because that's what they are selling.

Re:They were not "Found" they were caught.

[h33t l4x0r]

They were caught sending private data to their own cloud, which may or may not be an agreed ToS. They were not caught selling that data. In terms of actual privacy violation (measured in Facebook units), I give this a one miili-facebook (.001 FBs) with potential to go higher if we learn more about the story.

Re:

[JaredOfEuropa]

Terms of service are never agreed upon, they are presented by the vendor in the most long-winded and obfuscated manner, then summarily dismissed by the customer. The only agreement here is the mutual tacit understanding that this is how a TOS is supposed to work.

Re:

[h33t l4x0r]

Sure, but unless they're found to be selling private data (ala Facebook), there's nothing particularly egregious about sending data home. They claim it's used in aggregate, which may or may not be the case, but as of now there's no evidence to suggest otherwise (other than "China bad").

Re:

[AmiMoJo]

Since these researchers are in Romania then GDPR applies, which requires clear and affirmative opt-in confirmation for this kind of stuff. If you don't ask up front in plain language it's not legal.

In other news

[Rosco P. Coltrane]

Google and Facebook have a privacy policy too, and they too make it a top priority.

Re:

[Errol backfiring]

Off course it is top priority. Other people's privacy is their main source of revenue.

Re:

[hawk]

specifically, the policy is:

All of your privacy are belong to us!
:)

hawk

Lol

[jwymanm]

Is anyone frigging surprised?

Re:

[RitchCraft]

Nope, not at all. If a company has any link to China it's suspect. If it's a Chinese company it's definite. The world can help itseff by not dealing with communist countries period. If communist countries want to play in the free market lose the communism otherwise get lost.

Re:Lol

[Miles_O'Toole]

So where do you suggest the world go to find a free market? Thanks to its addiction to crony capitalism and perpetual taxpayer-funded bailouts of corporations that make bad choices, the United States certainly doesn't have one.

Of course they're stealing data

[Anonymous Coward]

Xiaomi, like any mainland China-based company, only exists because the Chinese government allows it to exist, and that in part is paid for by complying with whatever 'requests' (read as: demands) the Chinese government makes -- so if the Chinese government says "we want all data you can collect on use of your devices by the West", they'll pony it up to them without so much as a peep because they don't want to have the entire company shut down, executives and managers arrested, and all company assets seized.

LineageOS

[hyanakin]

The first thing you do when you get an Android phone is purge the firmware and put LineageOS on it.

Re:

[ArchieBunker]

You still have no idea what the LTE modem is up to.

Re:

[drinkypoo]

Right, but that's true no matter who you get a phone from, literally.

Re:

[lexman098]

Great, now my camera is shit and I get random reboots. Thanks!

"users had consented"

[Antiocheian]

I own a Xiaomi phone with Miui. I do remember when I first opened its default Browser there was a popup informing me about data collection & consent, so I think Xiaomi is right. However, I didn't want to face a dilemma between Xiaomi and Google (which is MUCH worse), so I simply installed Firefox.

Re:

[RitchCraft]

How is installing Firefox going to help you? The phone itself and its OS are corrupted.

Re:

[dstwins]

Assuming they didn't embed trackers in the chips themselves, the only way to do this is get the hardware and then use a OS/set like from xdev on this. Outside of that..not much in the way of options here other than just don't buy their products.

Re:

[Antiocheian]

Thanks I'll have a look at Bromite.

Oh oh

[Impy the Impiuos Imp]

Can someone tell me why we haven't moved to a whitelist-only model of connection for all code except your approved browser?

How can an app just go contact places without you knowing it?

Re:

[thereddaikon]

Because it would break the internet. The current generation of developers are lazy and would rather put your safety and security at risk by demanding you run unvetted javascript automatically and without question on every webpage rather than do it right.

Xiaomi Band user here

[bazorg]

I wear the Xiaomi Band, now gen 4, as I was quite happy with the gen 3. I'm sure the Chinese government knows where I am at all times.

They must be quite disappointed with the ROI for that initiative.

Re:

[drinkypoo]

Not really. They can just sell that data to your government.

Re:

[bazorg]

I'm still stuck at home though.

China

[rlwinm]

Doing business with China seems to be quite a liability. Hopefully many companies will figure out that it's better to not do it. Even better would be if governments enact some restrictions on dealing with China after all this Corona stuff is over.

opinion

[barodius64]

Is it strange that I was expecting them to get caught with something like this? I'm a cybersecurity fanatic and care deeply for my privacy and security and that's why I use https://spinbackup.com/product... [spinbackup.com] for my data.