UPDATE:
Xiaomi, in a blog post, has revealed that it has added a new option in incognito mode for users to opt-out of aggregated data collection. So Mi users can turn off data collection in private mode, which wasn’t available earlier.
Incognito browsing has always been a mode to opt-out of data tracking, so users should ensure that this feature is TURNED OFF in the private browsing mode.
This new option is available on the latest versions of its Mi browser, Mi browser Pro (v12.1.4), and Mint Browser (v3.4.3).
While this is a good move from Xiaomi, the ideal response would have been to completely remove user data tracking in the private mode, instead of giving a toggle.
You can read their new statement from here.
Original Story as follows..
A couple of days back, Forbes published a major story about how Xiaomi was collecting browser data including URLs visited by Mi users. While data collection is common among most browsers in the market today, the report highlighted that search terms and URLs were tracked even in the browser’s private aka incognito mode.
Earlier today, Xiaomi published a blog in response to this story, explaining their side of the story. You can read their official response from here.
To better understand what’s happening in this story, I’ve summarized all of the accusations and the responses to each of them. I’ll have also added what the researcher Andrew Tierney had to say about each of the responses.
Finding 1:
Gabriel Cîrlig (he was the first to find this and explain it in the Forbes story) found that Xiaomi’s Mi Browser and Mint Browser tracked all websites visited by a Mi user including search terms on both Google and DuckDuckGo. The tracking was prevalent even when the browser was set to private or incognito mode. The phone also tracked usage data and sent it back to Xiaomi servers.
Xiaomi’s Response:
Xiaomi admits to collecting User Data such as “system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports”.
It does not explicitly mention search terms but adds that it collects URLs – “The URL is collected to identify web pages which load slowly; this gives us insight into how to best improve overall browsing performance.”
Xiaomi also added that it collects browsing data only when the user is signed into his Mi account and Sync setting is turned on.
Xiaomi also confirmed that it collects User Statistics Data even in Incognito mode. This is surprising given that URLs are also a part of User Statistics Data (as confirmed by their official statement).
In addition to the official statement from the Mi Blog, Xiaomi India’s CEO said in a special video today that Xiaomi only collects data that users have consented too. He also stressed that the data collected in the incognito mode is “encrypted and anonymized”. You can see the video below (some parts are in Hindi but he has explained it in English as well).
Researcher’s Response:
Well, Andrew Tierney wasn’t convinced with Xiaomi’s response.
Firstly, I and several others have re-confirmed the findings today, across multiple devices. There is no doubt that the Mint Browser sends search terms and URLS whilst in Incognto mode.
— Cybergibbons (@cybergibbons) May 1, 2020
While Xiaomi denied collecting user data in incognito mode, Andrew released a new video just a few minutes back demonstrating how Xiaomi’s Mint Browser was collecting important user data, even in the private mode. What’s interesting to see here is that the data collected has a UUID (universally unique identifier) which doesn’t change, at least for 24 hours. So the data collected and sent to the servers can be potentially traced to an individual user.
Finding 2:
Mi user data was being sent to remote servers in countries like Singapore and Russia, with web domains registered in Beijing.
Xiaomi’s Response:
“Xiaomi hosts information on a public cloud infrastructure that is common and well known in the industry. All information from our overseas services and users is stored on servers in various overseas markets where local user privacy protection laws and regulations are strictly followed and with which we fully comply.”
Xiaomi India CEO also said in his video that “All data from Mi users in India remains in Indian servers”.
Editor’s Pick: MIUI 12 could be the Last Major Update for Mi 6, Mi 6X, Mi Note 3, Mi Mix 2, and Redmi Note 5
Finding 3:
The user data sent to the servers were encoded using base64 – which is easily trackable. So the data could be read, at least on the client-side.
Xiaomi’s Response:
Well, Xiaomi didn’t really touch this point in their blog post. It did mention that the data sent is encrypted using TLS 1.2 encryption. So, the data being transferred cannot be intercepted. But the company didn’t talk about the base64 encoding of the data on the client-side.
This image shared by Xiaomi shows that usage statistic data is transferred with the HTTPS protocol of TLS 1.2 encryption.
Researcher’s Response:
Oh good, it's TLS 1.2. At least some random can't intercept it.
I don't think this was ever disputed. This is transport encryption to servers, sending data I did not consent to send. pic.twitter.com/sENH5OhEzN
— Cybergibbons (@cybergibbons) May 1, 2020
Finding 4:
The collected user data wasn’t anonymous. Gabi and other researchers found that the user data sent to the Xiaomi servers could potentially be identified to a specific user because it had an assigned UUID (universally unique identifier).
Xiaomi’s Response:
“This screenshot shows the code for how we create randomly generated unique tokens to append to aggregate usage statistics, and these tokens do not correspond to any individuals.”
Researcher’s Response:
Well, Andrew’s demo video revealed that his data collected by the browser was assigned a specific UUID for all data being sent for over 24 hours. He wasn’t convinced by the image used by Xiaomi to show the data was anonymized.
I am particularly interested as this is post-obfuscation code – the c.b etc. shows this isn't raw source.
Why is that?
But, more to the point, calling a UUID "anonymous" does not make it anonymous.
— Cybergibbons (@cybergibbons) May 1, 2020
Our Take:
Almost every browser in the world collects user data. Some might restrict this to crash reports while other browsers can be a bit more invasive and collect usage data too.
While we aren’t sure of how much data is collected by browsers like Google Chrome and Firefox, we do know that collecting search terms and URLs, even in the incognito mode isn’t normal.
The private browsing mode or the incognito mode specifically exists to avoid tracking. And Andrew’s demo video clearly shows how much data is being sent back to Xiaomi servers which includes search terms and URLs in the incognito mode. Xiaomi claims that this data is anonymized (probably on the server-side) but it needs to come out and explain this process in detail.
Xiaomi’s official statements have stressed that they only gather data that has been consented by the user. So the company also needs to clarify if their privacy and data collection policies include the gathering of search terms and other user data even in the incognito mode.
Calling this report as fake news isn’t really the best response. Xiaomi has to come forward and refute each of the findings of the two researchers. If Xiaomi is unable to do this, the company should explain itself and revise its data collection policies as soon as possible.
UP NEXT: Huawei seems to have begun development for EMUI 11
