Xiaomi Found Recording 'Private' Web and Phone Use, Researchers Claim (forbes.com)
According to an exclusive report from Forbes, cybersecurity researcher Gabi Cirlig discovered that his Xiaomi Redmi Note 8 smartphone was watching much of what he was doing and sending that data to remote servers hosted by Chinese tech giant Alibaba, which were ostensibly rented by Xiaomi. From the report: The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life were being exposed to the Chinese company. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode.
The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Meanwhile, at Forbes' request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play -- Mi Browser Pro and the Mint Browser -- were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics. Cirlig thinks that the problems affect many more models than the one he tested. In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." A spokesperson did however confirm it was collecting browsing data, claiming the info was anonymized and users had consented to it.
Cirlig and Tierney pointed out that Xiaomi "was also collecting data about the phone, including unique numbers for identifying the specific device and Android version," reports Forbes. "Cirlig said such 'metadata' could 'easily be correlated with an actual human behind the screen.'"
The researchers also say they found their Xiaomi apps to be sending data to domains that appeared to reference Sensor Analytics, which Xiaomi says "provides a data analysis solution for Xiaomi," adding that the collected anonymous data "are stored on Xiaomi's own servers and will not be shared with Sensor Analytics, or any other third-party companies."
"Privacy and security is of top concern," (Score:5, Insightful)
Re: (Score:2)
Except Apple of course, because they >think different [wikipedia.org].
You know Apple is lying when they say things like "low-cost" and "entry-level".
Re: (Score:3, Informative)
Apple products are not for everyone. But they sure have seemed to go the extra mile to protect users' privacy. I think some of that is to swipe at their primary competitor (Google), but I really care more about the what, than the why. I knew of a case involving iMessages being sent to someone's device they bought for a relative, which en
Re: (Score:2)
Re: (Score:2)
Just bought my wife an 'SE2020'. And this one Apple would call 'low-cost'.
It's fabulous, btw, she loves it, her iPhone 7 was past its prime.
Re: (Score:3, Informative)
Re:"Privacy and security is of top concern," (Score:5, Funny)
steal from the best (Score:2, Flamebait)
Of course. Where else do you think the Chinese companies learned that from?
Re:"Privacy and security is of top concern," (Score:5, Interesting)
I do believe that they make an effort with privacy and care about it. I don't know any specifics about this though. There is a push for more AI so if this data is being collected, it may relate to the desire to do analytics for that.
Re: (Score:1)
The push is to protect it against other companies, not against man-in-the-middle by Chinese intelligence or to protect customers from them. All data in Beijing has been effectively man-in-the-middle accessible to Chinese intelligence, including AWS hosted content, since Beijing was given back to China. They rootkit the firewalls, especially Cisco, proxies to steal the private keys and do man-in-the-middle. If you run your own proxy, you can rely on it being rootkitted using local physical necessary.
Re: (Score:3)
I have no doubt that Xiaomi wants to keep their actions private. One great way to misdirect is to hire rubes and bombard them with fake information.
Search for "disinformation".
Re: "Privacy and security is of top concern," (Score:5, Funny)
I'm a Westerner working for Xiaomi in Beijing (search for "Daniel Povey").
I do believe that they make an effort with privacy and care about it. I don't know any specifics about this though. There is a push for more AI so if this data is being collected, it may relate to the desire to do analytics for that.
There. Now will you please let my wife and children go?
Re: "Privacy and security is of top concern," (Score:4, Informative)
China Uighurs: Detained for beards, veils and internet browsing: https://www.bbc.com/news/world... [bbc.com]
Re: (Score:2)
For what it's worth, Xiaomi does not have a close relationship with the Chinese government, and would certainly push back harder than other Chinese manufacturers if asked to give them data. E.g. I have heard this explanation (not close relationship with the gov't) as an explanation when I complained that
Re: "Privacy and security is of top concern," (Score:2)
For what it's worth, Xiaomi does not have a close relationship with the Chinese government,
For that to actually be true, they'd have to be a figment of our imagination and not actually exist.
Re: (Score:2)
So basically the same as western companies. Pre-ticked opt-in box somewhere, note buried in the privacy policy you didn't read.
Where it gets dicey is that these guys are from Romania, which is in the EU, which means they are covered by GDPR. So unless they got very specific and clear opt-in permission they could be in trouble.
Re: (Score:2)
The company I work for says 'Security and privacy are *A* top concern.
And it seems to be, from the internal practices I see and am subject to. But 'top concern'? It's only on a par with ethical practices, profitability, and growth.
And yes, I've witnessed multiple examples in almost 14 years where ethical behavior triumphed over profit or even convenience. I work for a company where I don't get into trouble for doing the right thing. Not blameless or perfect, but well above the norm, and surprisingly so. Othe
They were not "Found" they were caught. (Score:1)
Privacy and security are very important to Xiaomi, because that's what they are selling.
Re:They were not "Found" they were caught. (Score:5, Insightful)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Since these researchers are in Romania then GDPR applies, which requires clear and affirmative opt-in confirmation for this kind of stuff. If you don't ask up front in plain language it's not legal.
In other news (Score:5, Insightful)
Google and Facebook have a privacy policy too, and they too make it a top priority.
Re: (Score:3)
Re: (Score:2)
specifically, the policy is:
:)
All of your privacy are belong to us!
hawk
Lol (Score:1)
Re: (Score:3)
Re:Lol (Score:5, Insightful)
So where do you suggest the world go to find a free market? Thanks to its addiction to crony capitalism and perpetual taxpayer-funded bailouts of corporations that make bad choices, the United States certainly doesn't have one.
Of course they're stealing data (Score:1)
LineageOS (Score:5, Interesting)
The first thing you do when you get an Android phone is purge the firmware and put LineageOS on it.
Re: (Score:2)
You still have no idea what the LTE modem is up to.
Re: (Score:2)
Right, but that's true no matter who you get a phone from, literally.
Re: (Score:2)
"users had consented" (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Assuming they didn't embed trackers in the chips themselves, the only way to do this is get the hardware and then use an OS/set like from xdev on this. Outside of that..not much in the way of options here other than just don't buy their products.
Re: (Score:1)
Oh oh (Score:2)
Can someone tell me why we haven't moved to a whitelist-only model of connection for all code except your approved browser?
How can an app just go contact places without you knowing it?
Re: (Score:2)
Because it would break the internet. The current generation of developers are lazy and would rather put your safety and security at risk by demanding you run unvetted javascript automatically and without question on every webpage rather than do it right.
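The "whitelist-only model of connection" proposed in the thread above, as an added example that is not part of the original post or the Forbes article. The script assumes a log format of my own devising (one "app host port" record per line, as a device-side firewall or proxy might emit), a hypothetical default-deny policy in which only the approved browser may reach any host and every other app is limited to an explicit list of domains, and constructed sample records with made-up package names and hostnames. It reports which outbound connections the policy would have blocked, which is exactly the class of telemetry calls the article describes going unnoticed.

```python
"""Egress allowlist audit over per-app outbound connection records.

Added example, not code from Xiaomi, Forbes or the Slashdot thread.
Assumed log format: one record per line, "<app_package> <dest_host> <dest_port>".
Policy is default deny: an app with no entry may not connect anywhere.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    app: str
    host: str
    port: int


# Constructed sample log; package names and hosts are hypothetical.
SAMPLE_LOG = """\
# app                 host                          port
org.example.browser   www.duckduckgo.com            443
com.example.weather   api.weather.example           443
com.example.notes     tracker-1.telemetry.example   443
com.example.weather   cdn.ads.example               80
org.example.browser   10.0.0.5                      8080
"""

# Allowlist: app -> host patterns. "*" matches any host; a pattern with a
# leading "." matches that domain and every subdomain of it; anything else
# must match exactly. Apps absent from the policy are denied everything.
POLICY = {
    "org.example.browser": {"*"},
    "com.example.weather": {".weather.example"},
}


def parse_log(text):
    """Parse the assumed log format, skipping blank and '#' comment lines."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed record: {line!r}")
        app, host, port = parts
        # Normalise the host so "Example.COM." and "example.com" compare equal.
        conns.append(Conn(app, host.lower().rstrip("."), int(port)))
    return conns


def host_matches(host, pattern):
    """True if host is covered by one allowlist pattern."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        # ".weather.example" covers weather.example and *.weather.example,
        # but not notweather.example (suffix must start at a label boundary).
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed(conn, policy=POLICY):
    """Default deny: only an explicit pattern for this app permits the host."""
    return any(host_matches(conn.host, p) for p in policy.get(conn.app, ()))


def audit(text, policy=POLICY):
    """Return (Conn, allowed) pairs for every record in the log."""
    return [(c, is_allowed(c, policy)) for c in parse_log(text)]


def denied(text, policy=POLICY):
    """Return only the connections the policy would have blocked."""
    return [c for c, ok in audit(text, policy) if not ok]


if __name__ == "__main__":
    for c in denied(SAMPLE_LOG):
        print(f"DENY {c.app} -> {c.host}:{c.port}")
```

Run against the sample, the two records that reach analytics and ad hosts are the only ones flagged; the browser's connections pass because the policy trusts it for any destination, and the weather app's call to its own API passes because of the suffix rule. The leading-dot matching avoids the classic allowlist bug where `endswith("weather.example")` would also accept `notweather.example`.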
Xiaomi Band user here (Score:2)
I wear the Xiaomi Band, now gen 4, as I was quite happy with the gen 3. I'm sure the Chinese government knows where I am at all times.
They must be quite disappointed with the ROI for that initiative.
Re: (Score:3)
Not really. They can just sell that data to your government.
Re: (Score:2)
I'm still stuck at home though.
China (Score:2)
opinion (Score:1)