Xiaomi, the leading mobile brand in India has been reportedly accused of collecting web browser data from its user’s devices and sending them to remote servers in other parts of the world. This has been discovered by multiple cybersecurity experts, quoted in the Forbes article, who also claim the data includes browsing history of users who use the incognito mode. The report suggests although the data was encrypted, it would have been easy for anyone to decode and get the particular details sent through to the server.
Xiaomi is also allegedly using the help of one of its partner company called Sensor Analytics, as the mobile web browsers from Xiaomi were apparently pinging domains related to Sensor Analytics, and even the company’s API was spotted in the browser. Interestingly, Xiaomi is mentioned as a customer on the Sensor Analytics website. This activity is reportedly happening through phones that run MiUi from Xiaomi, or using one of Xiaomi’s browser; Mi Browser Pro or Mint Browser, both of which are also available on Google Play Store.
The researchers made a video to prove their point and this is what Xiaomi was quoted saying to Forbes on these allegations. “The research claims are untrue. Privacy and security are of top concern. This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information.”
The interaction between Xiaomi and researchers Gabriel Cirlig and Andrew Tierney has resulted in multiple assessments, but neither of the company is willing to let go of the claims made in the report. This is what Xiaomi highlighted in this blog post: “Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”
While Xiaomi says the collection of data related to the web browser is a usual activity, Tierney and Cirlig point out, they are not bothered by the insecure methods from Xiaomi to send the data, they are accusing them of sending data which is never meant to leave the device.
It remains to be seen if Xiaomi has better ways of defending its practice, or else, the company and its position in the market will be scrutinised for activities that do not take the user’s consent.