Xiaomi defends its data practices in light of recent privacy violation accusations
A security researcher argues that the company was tracking online behavior and harvesting data from his Redmi Note 8.
Xiaomi is defending itself against allegations that it collects private data from users who own its phones and install certain web browser apps. The defense follows a Forbes report on Thursday that raised concerns about the Chinese phone maker, which was ostensibly collecting private data on the websites users visit and specific information about apps used and files opened.
In a Friday blog post, Xiaomi explained its data practices, suggesting that it collects aggregated usage statistics on aspects such as responsiveness and performance and that such data may not be used to specifically identify individuals. The company also said that web browsing history is synchronized with its databases only if people have the corresponding feature turned on in their settings. Finally, Xiaomi denied any wrongdoing and said that Forbes had misunderstood its data privacy principles and policy.
"At Xiaomi, our users' privacy and security are of top priority," the company said in its post. "We strictly follow and are fully compliant with user privacy protection laws and regulations around the world."
On Thursday, Forbes cited multiple security researchers who said the company was collecting web history and phone data, namely "unique numbers for identifying the specific device and Android version" that could be connected to the device owner's identity. The combination of data and identifying numbers could let Xiaomi trace the data back to individuals, which security researcher Gabi Cirlig told Forbes was the most concerning aspect of his findings.
Cirlig told the publication that when he used the default Xiaomi browser on his Redmi Note 8, it "recorded all the sites he visited, including search engine queries" and "every item viewed on a news feed feature of the Xiaomi software." Cirlig found that this tracking happens even when browsing in incognito or private mode, according to Forbes.
The phone also recorded opened folders and screen swipes. Cirlig told Forbes that the data was transmitted to remote servers hosted by Chinese tech giant Alibaba.
Other browsers, such as Chrome (Google) and Firefox (Mozilla), also collect aggregated user information about sites visited. The difference is that these browser makers offer detailed information about how the data is protected. Google, for instance, says that Chrome collects "anonymous, randomized data" with no associations to user identifiers. Mozilla launched a program in 2017 to collect usage data from Firefox users, protected with a process called differential privacy that makes it very difficult to see if a given individual's data is included.
Smartphones that run Apple's iOS or Google's Android operating systems are not without privacy criticism either, and researchers often need to dig into the devices to identify what kinds of location and app usage data third-party apps are collecting and sending to advertisers. But this is different from the phone maker itself collecting user data, which Apple says it tries to limit as much as possible by leaving the bulk of data on users' phones.
Google also processes data on the phone, similar to Apple, and both companies have developed differential privacy methods for analyzing their aggregate data collections. Additionally, Google has developed federated learning programs, which let computer programs analyze data with machine learning on users' devices. Only the insights from the data leave the phone, not the data itself.
Lastly, it is not clear from Xiaomi's statement whether the company uses any of these data-protecting systems on the aggregate data it collects from users' phones and browsers. A representative for Xiaomi didn't immediately respond to a question on whether it uses differential privacy or federated learning.