In a recent Forbes cybersecurity article, researchers claimed to have discovered proof that Xiaomi was collecting a worrying amount of information from its native smartphone browser application. This included not only aggregated usage analytics, but even personally identifiable information. Xiaomi has come out with a statement denying the claims outright, explaining in the blog post about how they do not collect any such information.
The researchers at Forbes reported that Xiaomi’s default browser would collect information such as websites the user visited, including search engine queries and items viewed in the browser’s news feed. More importantly, the researchers had noted that the browser collected this information even when it was set in incognito mode.
They claim that the information, while supposedly encrypted, could be used to identify the user as the encoding used, Base64, is easily crackable. This packaged information was apparently being sent to remote servers in Singapore and Russia. Forbes also discovered that other Xiaomi-developed browsers – Mi Browser Pro and the Mint Browser, exhibited the same data collection behaviour.
Xiaomi has replied to these claims in a blog post, plainly denying the claims made by Forbes. They have stated that their “user’s privacy and internet security is of top priority at Xiaomi”, and explained their data collection practices.
Mi Fans, I shot a video explaining false news regarding Mi Browser. Watch it: https://t.co/JJNqcXDCp2
I repeat, Mi Browser & all Mi internet products are 100% safe. Moreover all data of Indian users is stored locally in India!
— Manu Kumar Jain (@manukumarjain) May 2, 2020
Xiaomi collects two types of data: Aggregated usage statistics data and user browsing data syncs. Aggregated usage statistics include data such as system information, preferences, user interface feature usage, responsiveness, etc. which is collected by nearly every mainstream browser. The second type includes information like browsing data history that sync when a user signs in and when data sync function is turned on.
Xiaomi denied collecting browser history information when the browser is set to incognito mode and also showed their browser software code as proof. However, the researchers at Forbes still believe that the browser is still “collecting data about the phone, including unique numbers for identifying the specific device and Android version.”
Check out the Forbes article on the claim here