Even if you have never owned one of its phones, Xiaomi would probably be among the brands you consider when looking for a good bargain. From budget phones to flagship killers and more, the Chinese manufacturer offers many affordable gadgets with great specs to boot. Yet, past revelations put Xiaomi’s privacy practices into question.
Speaking to Forbes in early 2020, security researchers Gabriel Cirlig and Andrew Tierney claimed that Xiaomi’s web browsers collect an inordinate amount of data even in incognito mode. This allegedly included all URLs and search queries made in the stock MIUI browser, Mi Browser Pro, and Mint Browser. Combined, these browsers have more than 15 million downloads on the Google Play Store.
This inevitably leads to a question: Is a cheap phone worth the cost of your privacy?
The data Xiaomi collects
Data collection has become so rampant nowadays that many people consider it a fact of life. However, lines need to be drawn in the sand, and with these credible claims, Xiaomi seems to have crossed them. What is most concerning about the findings is that, according to Cirlig, the company uses unique numbers, which identify devices and, therefore, users. According to Forbes, “The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page.”
Xiaomi responded quickly to refute the claims, stating that they are “misrepresentative of the facts.” Tierney later followed up on Xiaomi’s blog post with a Twitter thread defending the original findings with further evidence. In that blog post, the Chinese manufacturer claimed all collected data is anonymized and that its practices are no different from the industry standard. However, actions speak louder than words. Not long after issuing the statement, Xiaomi pushed an update to its browsers, allowing users to toggle off data collection in incognito mode.
So, problem solved, right? Wrong! Adding a toggle-off option seems like a weak attempt to placate users. It does not address the core issue either. Why is Xiaomi collecting all this data in the first place if your “privacy and security are of top priority?” Exact URLs and search queries are not telemetry or usage statistics necessary for the maintenance of its products.
You do have something to hide
Don’t think you have nothing to hide, either. Think of every embarrassing incognito hypochondriac search on WebMD, every silly question you’ve typed into Google, every piece of adult content you’ve watched on your phone in incognito mode — are you really comfortable with a company having this data if you are not comfortable enough having a record of it on your device? Even if we assume no malicious intent on Xiaomi’s side, data breaches are common, and sensitive information could end up anywhere.
Xiaomi claims all data it collects is anonymized, although the security researchers’ findings have disputed this. Yet, even if we take Xiaomi’s side in this argument, there has been evidence that you can still link some anonymized data to other users. The New York Times proved this with anonymous location data. While browser information might be harder to link to a person than location data, it could be possible depending on how it is collected and stored.
I also take issue with Xiaomi essentially saying that they are doing what everyone else does. It’s a poor excuse and a textbook example of whataboutism. Companies have a vested interest in establishing a lower status quo for privacy so they can harvest more precious data from consumers. With no consequences for their actions, we’re likely to see more invasive data collection in the future.
In Xiaomi’s case, adding the toggle-off option is also frustrating because this means the default hasn’t changed. The Chinese company will keep collecting incognito browser data unless users are aware of the toggle and explicitly opt out. This means that the status quo hasn’t changed for the average user who’s not particularly tech-savvy. Given that Xiaomi is the fourth-largest smartphone manufacturer by market share, this will likely be the case for millions of users.
Is selling your privacy worth it just for a discounted product?
I know that many will chime in with the inevitable answer, “just change your browser.” While that’s a totally reasonable suggestion and probably something you should do, it does not let Xiaomi off the hook. The company already collects data for targeted advertising. In fact, Xiaomi often calls itself an Internet company that sells hardware because most of its revenue is derived from services and ads. Yet, ultimately this means that you and your data are the product.
So, when it is revealed that even incognito mode is not safe from harvesting, it begs the question: where does it end? Is getting a good smartphone bargain really worth your online privacy? In my view, it’s time to reevaluate how valuable our data is and to start holding companies accountable.
Has Xiaomi made any changes?
In the year since we originally wrote this post, Xiaomi has made a few privacy changes. Last May, Xiaomi confirmed that since the 12.1.4 and 3.4.3 updates, data collection in incognito mode is turned off by default in both the Mi and Mint browsers, respectively. The initial conclusion that users had to opt out stemmed from confusing the data collection toggle in both apps. Tapping on “Enhanced Incognito mode” was actually designed to let users opt in, not opt out, as previously stated.
Xiaomi has also gone so far as to launch a new Trust Center dedicated to a transparent relationship. It features security, privacy, compliance, and transparency sections so you can investigate exactly how Xiaomi operates and what it does with your information. Many of the site’s highest-level documents have been uploaded within the past few months, so it will be interesting to see how the Trust Center grows in the future.
The US is also removing Xiaomi from its list of boycotted companies following a successful challenge in federal court. As you might remember, the company joined the list in the sunset days of the Trump administration. A judge blocked the move in early March, and now the saga has come to an end in Xiaomi’s favor.
Is it a positive sign of Xiaomi developments to come? We’ll have to wait and see.