A hot potato: Xiaomi is being accused of recording users’ interactions with its phones and sending the data to servers hosted by Alibaba in Singapore and Russia that have been rented by the Chinese phone giant.

Forbes’ Thomas Brewster and cybersecurity researchers Gabriel Cirlig and Andrew Tierney discovered that the Redmi Note 8 was observing users’ phone habits and sending them to Xiaomi’s rented servers.

It was found that when browsing the web using the handset’s default Xiaomi browser, all the websites and search engine queries were recorded. It also monitored each item viewed on a news feed feature of Xiaomi’s software. Worryingly, the surveillance appeared to be happening even when browsing using incognito mode.

The phone also sent data about what folders were opened and interactions with the home screen, along with unique device numbers and Android versions.

Tierney discovered that in addition to the pre-installed stock browser on MIUI, Xiaomi’s Android-based OS, the company’s Mi Browser Pro and the Mint Browser—both available on Google Play with a combined 15 million+ downloads—were also collecting user data.

Cirlig found the same browser tracking code was present in the firmware code of other Xiaomi phones, including the Xiaomi MI 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3 devices.

Xiaomi said that the data being sent was encrypted, but it was encoded in the easily crackable base64, meaning the researcher was able to decode the information in a few seconds. “My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” warned Cirlig.

Responding to the report, Xiaomi did admit to collecting users’ browser data but said it was by consent and anonymized. It also denied recording browsing data when using incognito mode. Forbes provided Xiaomi with a video proving that it was recording private browsing sessions, but it continued to deny it.

“This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” said a spokesperson.

While collecting user data is something most tech companies do, it isn’t supposed to be this easy to link it with specific users, which appears to be the case here.

Xiaomi’s full statement:

Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user's privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.

Image credit: testing via Shutterstock