Is selling your privacy for a cheaper phone really a good idea?

Xiaomi continues to launch impressive flagship products, with both the Xiaomi 13 Pro and Xiaomi 13 Ultra making the most of the company’s new Leica partnership. Heck, the Xiaomi 13 Ultra is practically a high-powered camera with a premium smartphone on the back. However, not everything is great news surrounding the Chinese brand. Questions about how Xiaomi handles privacy persist. Security researchers raised concerns as far back as 2020 over the data that Xiaomi collected through its web browser, even when users were in incognito mode. We’re now well into 2023, so how is Xiaomi progressing in terms of protecting your privacy? Let’s take a look.

Xiaomi has put some new practices into effect, but we’re ultimately going to look at whether or not they go far enough, as well as revisit the question of if you should consider trading some of your private data for a more affordable smartphone.

The data Xiaomi — and others — collect

To be perfectly clear — Xiaomi isn’t the only OEM that collects data. Your personal data is often just as important, if not more important, to companies than the phone in your pocket. It’s pretty much become a fact of life that you’ll have to surrender some privacy in order to use most services these days. However, lines need to be drawn in the sand, and credible claims dating back to 2020 show that certain OEMs have no problem crossing them.

What is most concerning about the findings is that, according to Cirlig, the company uses unique numbers which identify devices and, therefore, users. According to Forbes, “The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page.”

Xiaomi responded quickly to refute the original claims, stating that they are “misrepresentative of the facts.” Tierney later followed up on Xiaomi’s blog post with a Twitter thread defending the original findings with further evidence. In the said blog post, the Chinese manufacturer claimed all collected data is anonymized and that its practices are no different from the industry standard. However, actions speak louder than words. Not long after issuing the statement, Xiaomi pushed an update to its browsers, allowing users to toggle off data collection in incognito mode.

So, the problem is solved, right? Wrong! Adding a toggle-off option seems like a weak attempt to appease users. It does not address the core issue either. Why is Xiaomi collecting all this data in the first place if your “privacy and security are of top priority?” Exact URLs and search queries are not telemetry or usage statistics necessary for maintaining its products.

To make matters worse, it doesn’t appear as if Xiaomi has taken steps to minimize its data collection in the years since the original report. In February 2023, researchers from Edinburgh and Dublin published a new study, which once again took a look at some of the most popular Android brands in China. This time, Xiaomi was joined under the microscope by OnePlus and Realme as researchers took a look at how various preinstalled apps were managing users’ data. What they found was that devices would “send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators.”

To make matters worse, the devices were transmitting much of this information whether or not the users had a SIM card installed.

You do have something to hide

Don’t think you have nothing to hide, either. Think of every embarrassing incognito hypochondriac search on WebMD, every silly question you’ve typed into Google, every piece of adult content you’ve watched on your phone in incognito mode — are you really comfortable with a company having this data if you are not comfortable enough having a record of it on your device? Even if we assume no malicious intent on Xiaomi’s side, data breaches are common, and sensitive information could end up anywhere.

Xiaomi claims all data it collects is anonymized, although the security researchers’ findings have disputed this. Yet, even if we take Xiaomi’s side in this argument, there has been evidence that you can still link some anonymized data to other users. The New York Times proved this with anonymous location data. While browser information might be harder to connect to a person than location data, it could be possible depending on how it is collected and stored.

We also take issue with Xiaomi essentially saying that they are doing what everyone else does. It’s a poor excuse and textbook example of whataboutism. Companies have a vested interest in establishing a lower status quo for privacy to harvest more precious data from consumers. With no consequences for their actions, we’re likely to see even more invasive data collection in the future.

In Xiaomi’s case, adding the toggle-off option is also frustrating because this means the default hasn’t changed. The Chinese company will keep collecting incognito browser data unless users are aware of the toggle and explicitly opt out. This means that the status quo hasn’t changed for the average user that’s not particularly tech-savvy. Given that Xiaomi has grown to become the third-largest global OEM by market share as of early 2023, maintaining the status quo means that the privacy policy will continue to hurt a massive number of users worldwide.

Is selling your privacy worth it just for a discounted product?

I know that many will chime in with the inevitable answer, “Just change your browser.” While that’s a reasonable suggestion and probably something you should do (and you can see some of our favorite browsers here), it does not let Xiaomi off the hook. The company already collects data for targeted advertising. In fact, Xiaomi often calls itself an “internet company that sells hardware” because most of its revenue is derived from services and ads. Unfortunately, this ultimately means that you and your data are the product, whether you like it or not.

So, when it is revealed that even incognito mode is not safe from harvesting, it begs the question: where does it end? Is getting a good smartphone bargain really worth your online privacy? In my view, it’s time to reevaluate how valuable our data is and to start holding companies accountable. Besides, there are other ways to get cheap Android phones without sacrificing your deepest, darkest secrets.

Has Xiaomi made any changes?

In the year since we originally wrote this post, Xiaomi has made a few privacy changes. In May 2021, Xiaomi confirmed that since the 12.1.4 and 3.4.3 updates, data collection in incognito mode is turned off by default in both the Mi and Mint browsers. The initial conclusion that users had to opt out stemmed from confusion about the data collection toggle in both apps. As previously stated, tapping on “Enhanced Incognito mode” was actually designed to let users opt in, not out.

Xiaomi has also gone so far as to launch a new Trust Center dedicated to a transparent relationship. It features security, privacy, compliance, and transparency sections so you can investigate exactly how Xiaomi operates and what it does with your information. It started out with a bang, uploading several high-level white papers in early 2022, but went silent right afterward. We haven’t seen any new documents drop surrounding MIUI 14, even as it continues to reach more devices.

The US has also removed Xiaomi from its list of boycotted companies following a successful challenge in federal court. As you might remember, the company joined the list in the sunset days of the Trump administration. A judge blocked the move in early March, and now the saga has ended in Xiaomi’s favor.

Is it a positive sign of Xiaomi developments to come? We’ll have to wait and see.