Is selling your privacy for a cheaper phone really a good idea?
Even if you’ve never owned one of its phones, Xiaomi would probably be among the brands you consider when looking for a good bargain. The Chinese manufacturer offers many affordable gadgets with great specs to boot, from budget phones to flagship killers and more. Yet, past revelations put Xiaomi’s privacy practices into question.
Speaking to Forbes in early 2020, security researchers Gabriel Cirlig and Andrew Tierney claimed that Xiaomi’s web browsers collect an excessive amount of data even in incognito mode. This allegedly included all URLs and search queries made in the stock MIUI browser, Mi Browser Pro, and Mint Browser. Combined, these browsers have more than 15 million downloads on the Google Play Store. The company has since taken steps to be more transparent in its collection practices, but concerns remain — and not just with Xiaomi.
Trying to save some money still leads to a question: Is a cheap phone worth the cost of your privacy?
The data Xiaomi — and others — collect
Data collection has become so rampant that many people consider it a fact of life. However, lines need to be drawn in the sand, and with these credible claims, OEMs seem willing to cross them. What is most concerning about the findings is that, according to Cirlig, the company uses unique numbers which identify devices and, therefore, users. According to Forbes, “The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page.”
Xiaomi responded quickly to refute the original claims, stating that they are “misrepresentative of the facts.” Tierney later followed up on Xiaomi’s blog post with a Twitter thread defending the original findings with further evidence. In that blog post, the Chinese manufacturer claimed all collected data is anonymized and that its practices are no different from the industry standard. However, actions speak louder than words. Not long after issuing the statement, Xiaomi pushed an update to its browsers, allowing users to toggle off data collection in incognito mode.
So, problem solved, right? Wrong! Adding a toggle-off option seems like a weak attempt to appease users. It does not address the core issue either. Why is Xiaomi collecting all this data in the first place if your “privacy and security are of top priority?” Exact URLs and search queries are not telemetry or usage statistics necessary for maintaining its products.
You do have something to hide
Don’t think you have nothing to hide, either. Think of every embarrassing incognito hypochondriac search on WebMD, every silly question you’ve typed into Google, every piece of adult content you’ve watched on your phone in incognito mode — are you really comfortable with a company having this data if you are not comfortable enough having a record of it on your device? Even if we assume no malicious intent on Xiaomi’s side, data breaches are common, and sensitive information could end up anywhere.
Xiaomi claims all data it collects is anonymized, although the security researchers’ findings have disputed this. Yet, even if we take Xiaomi’s side in this argument, there has been evidence that you can still link some anonymized data to other users. The New York Times proved this with anonymous location data. While browser information might be harder to connect to a person than location data, it could be possible depending on how it is collected and stored.
I also take issue with Xiaomi essentially saying that they are doing what everyone else does. It’s a poor excuse and textbook example of whataboutism. Companies have a vested interest in establishing a lower status quo for privacy to harvest more precious data from consumers. With no consequences for their actions, we’re likely to see even more invasive data collection in the future.
In Xiaomi’s case, adding the toggle-off option is also frustrating because this means the default hasn’t changed. The Chinese company will keep collecting incognito browser data unless users are aware of the toggle and explicitly opt out. This means that the status quo hasn’t changed for the average user who’s not particularly tech-savvy. Given that Xiaomi is the fourth-largest smartphone manufacturer by market share, this will likely be the case for millions of users.
Is selling your privacy worth it just for a discounted product?
I know that many will chime in with the inevitable answer, “just change your browser.” While that’s a reasonable suggestion and probably something you should do, it does not let Xiaomi off the hook. The company already collects data for targeted advertising. In fact, Xiaomi often calls itself an Internet company that sells hardware because most of its revenue is derived from services and ads. Yet, ultimately this means that you and your data are the product.
So, when it is revealed that even incognito mode is not safe from harvesting, it begs the question: where does it end? Is getting a good smartphone bargain really worth your online privacy? In my view, it’s time to reevaluate how valuable our data is and to start holding companies accountable.
Has Xiaomi made any changes?
In the year since we originally wrote this post, Xiaomi has made a few privacy changes. In May 2021, Xiaomi confirmed that since the 12.1.4 and 3.4.3 updates, data collection in incognito mode is turned off by default in both the Mi and Mint browsers. The initial conclusion that users had to opt out stemmed from confusion about the data collection toggle in both apps. As previously stated, tapping on “Enhanced Incognito mode” was actually designed to let users opt in, not out.
Xiaomi has also gone so far as to launch a new Trust Center dedicated to a transparent relationship. It features security, privacy, compliance, and transparency sections so you can investigate exactly how Xiaomi operates and what it does with your information. Many of the site’s highest-level documents were uploaded around April 2022, but the site has gone quiet in the nine months since. It will be interesting to see if it picks back up around the launch of MIUI 14, but we haven’t seen anything yet.
The US has also removed Xiaomi from its list of boycotted companies following a successful challenge in federal court. As you might remember, the company joined the list in the sunset days of the Trump administration. A judge blocked the move in early March, and now the saga has ended in Xiaomi’s favor.
Is it a positive sign of Xiaomi developments to come? We’ll have to wait and see.