Update: May 20, 2020 (7:13AM ET): Xiaomi has confirmed that since the 12.1.4 and 3.4.3 updates, data collection in incognito mode is turned off by default in the Mi and Mint browsers, respectively. The initial conclusion that users had to opt out stemmed from confusing labeling of the data collection toggle in both apps. Tapping on “Enhanced Incognito mode” was actually designed to let users opt in, not opt out as previously stated.
A Xiaomi spokesperson assured Android Authority that to avoid confusion, the description of the toggles will be modified in the browsers’ next update. The update is expected to arrive on the Google Play Store very soon, pending Google approval. Here’s what has been changed:
Original article: May 17, 2020 (10AM ET): Even if you have never owned one of its phones, Xiaomi would probably be among the brands you think of when looking for a good bargain. From budget phones to flagship killers and more, the Chinese manufacturer offers a plethora of affordable gadgets with great specs to boot. Yet, recent revelations put its privacy practices into question.
Speaking to Forbes, security researchers Gabriel Cirlig and Andrew Tierney claimed that Xiaomi’s web browsers collect an inordinate amount of data even in incognito mode. This allegedly included all URLs and search queries made in the stock MIUI browser, as well as Mi Browser Pro and Mint Browser. Combined, these browsers have more than 15 million downloads on the Google Play Store.
This inevitably leads to a question: Is a cheap phone worth the cost of your privacy?
The data Xiaomi collects
It’s true that data collection has become so rampant nowadays, many people simply take it as a fact of life. However, lines need to be drawn in the sand and with these credible claims, Xiaomi seems to have crossed them. What is most concerning about the findings is that, according to Cirlig, the company uses unique numbers, which identify devices and therefore users. According to Forbes, “The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page.”
Xiaomi responded quickly in an effort to refute the claims, stating that they are “misrepresentative of the facts.” Tierney later followed up on Xiaomi’s blog post with a Twitter thread defending the original findings with further evidence. In said blog post, the Chinese manufacturer claimed all collected data is anonymized and that its practices are no different from the industry standard. However, actions speak louder than words. Not long after issuing the statement, Xiaomi pushed an update to its browsers, allowing users to toggle off data collection in incognito mode.
So, problem solved, right? Wrong! Adding a toggle-off option seems like a weak attempt to placate users. It does not address the core issue either. Why is Xiaomi collecting all this data in the first place, if your “privacy and security are of top priority?” Exact URLs and search queries are not telemetry or usage statistics necessary for the maintenance of its products.
You do have something to hide
Don’t think you have nothing to hide, either. Think of every embarrassing incognito hypochondriac search on WebMD, every silly question you’ve typed into Google, every piece of adult content you’ve watched on your phone in incognito mode — are you really comfortable with a company having this data if you are not comfortable enough having a record of it on your device? Even if we assume no malicious intent on Xiaomi’s side, data breaches are common, and sensitive information could end up anywhere.
Xiaomi claims all data it collects is anonymized, although this has been disputed by the findings of the security researchers. Yet, even if we take Xiaomi’s side in this argument, there has been evidence that some anonymized data can still be linked to users. The New York Times proved this with anonymous location data. While browser information might be harder to link to a person than location data, it could be possible depending on how the data is collected and stored.
I also take issue with Xiaomi essentially saying that they are doing what everyone else does. It’s a poor excuse and a textbook example of whataboutism. Companies have a vested interest in establishing a lower status quo for privacy so they can harvest more precious data from consumers. With no consequences for their actions, we’re likely to see more invasive data collection in the future.
In Xiaomi’s case, the addition of the toggle-off option is also frustrating because this means the default hasn’t changed. The Chinese company will keep collecting incognito browser data unless users are aware of the toggle and explicitly opt out. This means that for the average user who’s not particularly tech-savvy, the status quo hasn’t changed. Given the fact that Xiaomi is the fourth-largest smartphone manufacturer by market share, this will likely be the case for millions of users.
Is selling your privacy worth it just for a discounted product?
I know that many will chime in with the inevitable answer, “just change your browser.” While that’s a totally reasonable suggestion and probably something you should do, it does not let Xiaomi off the hook. The company already collects data for targeted advertising. In fact, Xiaomi often calls itself an Internet company that happens to sell hardware because most of its revenue is derived from services and ads. Yet, ultimately this means that you and your data are the product.
So, when it is revealed that even incognito mode is not safe from harvesting, it begs the question: where does it end? Is getting a good smartphone bargain really worth your online privacy? In my view, it’s time to reevaluate how valuable our data is and to start holding companies accountable.