Researcher Andrew Tierney on Friday reiterated his claim that Xiaomi collects data from user devices even in incognito mode. In a series of tweets, Tierney responded to Xiaomi’s statement on a Forbes report that said Xiaomi web browsers were sending data to remote servers in China. In that report, Thomas Brewster, security, surveillance and privacy reporter for Forbes, along with Tierney and researcher Gabriel Cirlig, said that Xiaomi browsers recorded the history of all websites visited by a user. The report also said that search queries, URLs and every item visited on the Xiaomi news feed were part of the data sent to servers in China. Crucially, the report said that Xiaomi tracked the data even when the user had turned on incognito mode.
Xiaomi “Disappointed” with Forbes Report
Xiaomi on Friday said that it was “disappointed” with the Forbes report and that the contributors “misunderstood” Xiaomi’s data privacy principles and policy.
“Xiaomi was disappointed to read the recent article from Forbes,” the company said in its response to the Forbes report. “We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”
Xiaomi said that it collects two types of data: usage statistics data and synced user browser data.
The company lists seven parameters of data collected under usage statistics data: system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports. Xiaomi said in its example of usage statistics data that URLs are “collected to identify web pages which load slowly.” Xiaomi said that the usage statistics aid the company by offering insights on how it can “improve overall browsing performance.” The company said that the usage statistics data is aggregated and “cannot alone be used to identify any individual.”
Additionally, Xiaomi said that user browsing data, including history, is synced when the user is signed into a Mi account and the data sync function is enabled in the settings. The company said that the feature enables quick access to a user’s previously visited websites when the user switches between devices after logging into a Mi account. Xiaomi said that user browsing data is not synced when the user is in incognito mode but that usage statistics data is still collected.
The company further provided screenshots of its code in its response as it tried to break down its process of collecting data from user devices. Xiaomi said that the code in its screenshots establishes that the data is collected through “randomly generated unique tokens” that “do not correspond to any individuals.”
Researcher Not Backing Down on the Forbes Report
Tierney on Friday said that Xiaomi’s response to the Forbes report “is whataboutism and denial at it’s finest.”
“There is no doubt that the Mint Browser sends search terms and URLS whilst in Incognto mode [sic],” Tierney said in his tweet.
Tierney said that none of the researchers signed up to syncing of user browser data and that the company’s response on usage statistics data “makes no sense.”
The researcher explained that Xiaomi’s response lists various parameters collected under usage statistics data, yet the example it gives uses the URL as a parameter.
“There is a massive gap here,” Tierney said in his tweet. “They list data they gather, not including URLS, and then they gather URLs.”
Tierney said that the screenshot of the code provided by Xiaomi, which is said to explain how the company generates unique tokens, showed “nothing of the sort.” Tierney also dismissed several other pieces of code provided by Xiaomi, which are said to explain where the data is being sent and how it is transferred from a user device.
“I really don’t care who it gets sent to,” Tierney said in his tweet. “I’ve never claimed it gets sent to any entity in particular. It is going from my device to another entity. The only thing they have actually said is false is gathering data in Incognito, which they do. The rest of it is fluff. Padding. Pick another fight Xiaomi.”
The Forbes report highlighted that the Xiaomi browsers have over 15 million downloads on the Google Play Store. Further, the data collected by Xiaomi is said to be sent to a server hosted by Alibaba, a Chinese tech giant engaged in e-commerce, cloud computing, digital media and entertainment.
In an additional statement, Xiaomi said that it offers the “best possible user experience” and that all the “collected usage data is based on permission and consent given explicitly” by its users.
The company said that the collection of usage statistics data is for its own “internal analysis” and that Xiaomi does not link any personal information to any of its collected data.
“This is a common solution adopted by internet companies around the world to improve the overall user experience of various products, while safeguarding user privacy and data security,” Xiaomi said in its statement.
According to the company, the information collected from user devices is stored on a public cloud infrastructure “that is common and well known in the industry.” Further, Xiaomi said that the data from its overseas services and users is stored on servers in several overseas markets and that the company complies with local privacy protection laws and regulations.
“As an internet company, internet security, safety and user privacy are Xiaomi’s core principles and the foundation of our day-to-day work,” Xiaomi said. “Our products, technologies, performance and measures on user privacy protection are constantly being improved. In the latest launch of our operating system, MIUI 12, we have adopted the industry’s most stringent and transparent privacy protection measures, to date.”