Xiaomi’s response to private browsing data collection allegations analysed and explained

By Digit NewsDesk | Published on 04 May 2020
Xiaomi’s response to private browsing data collection allegations analysed and explained

Late last month, Xiaomi was accused of collecting browser data even from incognito sessions.

A bunch of security researchers confirmed private data is being collected and sent to overseas servers with sub-standard encoding.

Xiaomi responded with a detailed blog post explaining its privacy policies and data collection practices.


IBM Developer Contest

Take the quiz to test your coding skills and stand a chance to win exciting vouchers and prizes upto Rs.10000

Click here to know more

A Forbes article claimed Xiaomi smartphones are collecting browser data including from incognito sessions and sending it to servers in Russia and Singapore. While rampant data collection is indeed an unfortunate status quo of internet companies, it’s the nature of encoding that Xiaomi is using that has alarmed cybersecurity experts. Xiaomi released a detailed blog explaining their privacy policies and data collection practices with Manu Kumar Jain even recording a video to debunk the ghastly claims made by the Forbes article

While the response is listed out in full detail on Xiaomi’s blog, it can all seem a little too technical. To help you understand it, we have broken down each claim made on the Forbes piece and Xiaomi’s response to it —

Claim 1: Mi Browser and Mint Browser tracking all activity, even when in incognito

Gabriel Cirlig, the cybersecurity expert quoted in the Forbes piece was the first to discover this. He found the Mi browser (installed by default in all Xiaomi phones), as well as Mint Browser (available on Google Play Store with thousands of installs), were tracking the URLs you visited as well as the search terms you used on DuckDuckGo as well as Google Search. The browser tracked the URL even when users were in private or incognito mode. This data is being sent to servers owned by Alibaba in Russia and Singapore and rented by Xiaomi.

Xiaomi’s response

Xiaomi admits to collecting data such as system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports. These are anonymised and aggregated and cannot be used to identify an individual. Xiaomi also admits that URLs are collected to identify slow-loading web-pages but doesn’t mention whether it also looks at what the user is searching on search engine websites. Furthermore, Xiaomi states the data collection is done with user consent which the user permits when they agree to the terms and conditions when setting up a Xiaomi smartphone.

The company further confirmed that it collects usage stats while in incognito mode as well, and usage stats also includes URLs which is ironic considering incognito mode is enabled so that such data is not collected.

Counter Response  from cybersecurity researchers

Another cybersecurity expert who Forbes spoke to, Andrew Tierney (goes by the alias @Cybergibbons) tweeted out a proof of concept which countered Xiaomi’s response. While most of it is too technical to explain in simple terms, the video basically shows that the data collected has a UUID or a universally unique identifier which easily lets someone identify where the data came from.

Claim 2: Sending data to remote servers using sub-standard encoding

The researchers also claimed Xiaomi is storing the data in foreign servers based on Russia and Singapore. These servers are owned by Alibaba and rented by Xiaomi. They have web domains registered in Beijing. Furthermore, it was found Xiaomi is using base64 encoding which the researchers claimed can be easily decoded on the client-side, once again potentially revealing individual identities.

Xiaomi’s response

“Xiaomi hosts information on a public cloud infrastructure that is common and well known in the industry. All information from our overseas services and users is stored on servers in various overseas markets where local user privacy protection laws and regulations are strictly followed and with which we fully comply.”

Indeed, this is a standard practice among many software companies. Collecting aggregated and anonymised data is performed by the largest internet giants like Google and Facebook. And this is one place where Xiaomi alone can’t be taken to task.

Xiaomi also claimed the data sent to overseas servers are all anonymised and there’s no way it can be traced back to an individual. However, the researchers found Xiaomi is using base64 encoding which is easily trackable, at least from the client-side.

Xiaomi’s response didn’t really touch this part of the claim. It did, however, state that they use TLS 1.2 encryption standard. As a result, while it may be difficult to intercept the data in transit, there’s no way to tell how the data is treated once it reaches it destination.

Claim 3: User data collected isn’t anonymous, as claimed by Xiaomi. The UUID is specific for each user for 24 hours and not randomly assigned as suggested by Xiaomi

Gabi and other researchers found that the data shared from the Mi Browser and Mint Browser all carry unique identifiers which are specific for individual devices. For instance, two sets of data sent from the same smartphone within 24 hours will carry the same UUID, which again potentially allows server clients to identify the origin of the data.

Xiaomi’s response:

“This screenshot shows the code for how we create randomly generated unique tokens to append to aggregate usage statistics, and these tokens do not correspond to any individuals.”

Xiaomi response to assigning UUID to data packets collected from Mi Browser and Mint Browser

Counter response by the researchers:

The POC video released by Andrew clearly shows that the UUID is the same for data sent within 24 hours, debunking Xiaomi’s claim of using randomised tokens. He even debunked the screenshot shared by Xiaomi on Twitter.

Is it fair for Xiaomi to collected private browser data?

Xiaomi took a day to jot down its side of the story which maintained that the research done by Forbes for the story is flawed. The company further stated that collecting usage data is a standard industry practice. Almost every web browser in the world collects user data. However, it’s the nature of collecting data by Xiaomi that is under scrutiny.

For instance, while Chrome and Firefox are known to keep track of the URLs you visit, collecting data generate during an incognito session isn’t heard of, and can’t be considered normal or an industry practice which can be accepted.

The private mode exists specifically to prevent URLs being listed on browser history and to prevent cookies and other trackers to be inserted. Including search terms is even more alarming.

Furthermore, which it’s proven that the data stays encrypted while in transit, having an UUID means the data can potentially be traced back to the individual.

Xiaomi’s response of calling out the research as flawed without substantiating the claim with relevant evidence and pointers isn’t right. The company needs to come clean of its data collection practices in light of the recent revelations.

Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.

Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.

We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.

DMCA.com Protection Status