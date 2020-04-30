

 



Xiaomi Found Recording 'Private' Web and Phone Use, Researchers Claim (forbes.com)

Posted by BeauHD from the always-watching dept.
According to an exclusive report from Forbes, cybersecurity researcher Gabi Cirlig discovered that his Xiaomi Redmi Note 8 smartphone was watching much of what he was doing and sending that data to remote servers hosted by Chinese tech giant Alibaba, which were ostensibly rented by Xiaomi. From the report: The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode.

The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Meanwhile, at Forbes' request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play -- Mi Browser Pro and the Mint Browser -- were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics. Cirlig thinks that the problems affect many more models than the one he tested. In response to the findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." A spokesperson did however confirm it was collecting browsing data, claiming the info was anonymized and users had consented to it.

Cirlig and Tierney pointed out that Xiaomi "was also collecting data about the phone, including unique numbers for identifying the specific device and Android version," reports Forbes. "Cirlig said such 'metadata' could 'easily be correlated with an actual human behind the screen.'"

The researchers also say they found their Xiaomi apps to be sending data to domains that appeared to reference Sensor Analytics, which Xiaomi says "provides a data analysis solution for Xiaomi," adding that the collected anonymous data "are stored on Xiaomi's own servers and will not be shared with Sensor Analytics, or any other third-party companies."

  • "Privacy and security is of top concern," (Score:5, Insightful)

    by Hans Lehmann ( 571625 ) on Thursday April 30, 2020 @10:06PM (#60009560)
    Any time any company says that, they're lying.

    • Except Apple of course, because they think different [wikipedia.org].

      You know Apple is lying when they say things like "low-cost" and "entry-level".

      • Re: (Score:3, Informative)

        by saloomy ( 2817221 )
        I don't think Apple has really ever used "Low Cost" or "Entry Level" to describe their products. They usually lead with "best one ever", and "2x better than the last one".

        Apple products are not for everyone. But they sure have seemed to go the extra mile to protect users' privacy. I think some of that is to swipe at their primary competitor (Google), but I really care more about the what, than the why. I knew of a case involving iMessages being sent to someone's device they bought for a relative, which en
        • I should mention, the user signed in themselves to load apps, not realizing the iMessages were being received on the device as well. That was user mis-understanding the tools, not a fault of Apple's.

        • Just bought my wife an 'SE2020'. And this one Apple would call 'low-cost'.

          It's fabulous, btw, she loves it, her iPhone 7 was past its prime.

    • Re: (Score:3, Informative)

      by reboot246 ( 623534 )
      And any time a Chinese company says anything, they're lying.

    • The company I work for says 'Security and privacy are *A* top concern.'

      And it seems to be, from the internal practices I see and am subject to. But 'top concern'? It's only on a par with ethical practices, profitability, and growth.

      And yes, I've witnessed multiple examples in almost 14 years where ethical behavior triumphed over profit or even convenience. I work for a company where I don't get into trouble for doing the right thing. Not blameless or perfect, but well above the norm, and surprisingly so. Othe

  • Privacy and security are very important to Xiaomi, because that's what they are selling.

    • Re:They were not "Found" they were caught. (Score:5, Insightful)

      by h33t l4x0r ( 4107715 ) on Thursday April 30, 2020 @11:05PM (#60009652)
      They were caught sending private data to their own cloud, which may or may not be an agreed ToS. They were not caught selling that data. In terms of actual privacy violation (measured in Facebook units), I give this a one milli-facebook (.001 FBs) with potential to go higher if we learn more about the story.
      • Terms of service are never agreed upon, they are presented by the vendor in the most long-winded and obfuscated manner, then summarily dismissed by the customer. The only agreement here is the mutual tacit understanding that this is how a TOS is supposed to work.
        • Sure, but unless they're found to be selling private data (ala Facebook), there's nothing particularly egregious about sending data home. They claim it's used in aggregate, which may or may not be the case, but as of now there's no evidence to suggest otherwise (other than "China bad").

        • Re: (Score:2)

          by AmiMoJo ( 196126 )

          Since these researchers are in Romania then GDPR applies, which requires clear and affirmative opt-in confirmation for this kind of stuff. If you don't ask up front in plain language it's not legal.

  • In other news (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Thursday April 30, 2020 @10:45PM (#60009612)

    Google and Facebook have a privacy policy too, and they too make it a top priority.

  • Lol (Score:1)

    by jwymanm ( 627857 )
    Is anyone frigging surprised?
    • Nope, not at all. If a company has any link to China it's suspect. If it's a Chinese company it's definite. The world can help itself by not dealing with communist countries period. If communist countries want to play in the free market lose the communism otherwise get lost.

  • Of course they're stealing data (Score:1)

    by Anonymous Coward
    Xiaomi, like any mainland China-based company, only exists because the Chinese government allows it to exist, and that in part is paid for by complying with whatever 'requests' (read as: demands) the Chinese government makes -- so if the Chinese government says "we want all data you can collect on use of your devices by the West", they'll pony it up to them without so much as a peep because they don't want to have the entire company shut down, executives and managers arrested, and all company assets seized.

  • LineageOS (Score:5, Interesting)

    by hyanakin ( 1545359 ) on Friday May 01, 2020 @12:06AM (#60009750)

    The first thing you do when you get an Android phone is purge the firmware and put LineageOS on it.

  • "users had consented" (Score:3, Informative)

    by Antiocheian ( 859870 ) on Friday May 01, 2020 @12:11AM (#60009760) Journal
    I own a Xiaomi phone with Miui. I do remember when I first opened its default Browser there was a popup informing me about data collection & consent, so I think Xiaomi is right. However, I didn't want to face a dilemma between Xiaomi and Google (which is MUCH worse), so I simply installed Firefox.
    • How is installing Firefox going to help you? The phone itself and its OS are corrupted.

      • Re: (Score:2)

        by dstwins ( 167742 )

        Assuming they didn't embed trackers in the chips themselves, the only way to do this is get the hardware and then use an OS/set like from xdev on this. Outside of that..not much in the way of options here other than just don't buy their products.

  • Can someone tell me why we haven't moved to a whitelist-only model of connection for all code except your approved browser?

    How can an app just go contact places without you knowing it?

    • Because it would break the internet. The current generation of developers are lazy and would rather put your safety and security at risk by demanding you run unvetted javascript automatically and without question on every webpage rather than do it right.

  • I wear the Xiaomi Band, now gen 4, as I was quite happy with the gen 3. I'm sure the Chinese government knows where I am at all times.

    They must be quite disappointed with the ROI for that initiative.

  • Doing business with China seems to be quite a liability. Hopefully many companies will figure out that it's better to not do it. Even better would be if governments enact some restrictions on dealing with China after all this Corona stuff is over.

