Xiaomi Browsers Collect User Data, Even In Incognito Mode, And That Is Only The Beginning

China is no stranger to surveillance. Its government does it, and its companies are also doing it.

For example, back in 2017, WeChat admitted that it was providing user data to the government. Then there was the case of Cheetah Mobile collecting user data to "keep users safe".

Huawei, too, has been accused of snatching user data, although little evidence has been shown to back up the claims.

This time, the tech giant Xiaomi was found to be violating users' privacy as well.

But unlike Huawei, there’s plenty of proof Xiaomi is snooping on its users.

According to a report from Forbes, its Mi Browser Pro and Mint Browser apps gathered huge amounts of data about any website users visited, even in incognito mode.

Xiaomi is “a backdoor with phone functionality,” said Gabi Cirlig, the seasoned cybersecurity researcher who discovered this.

Cirlig spoke to Forbes after discovering that his Redmi Note 8 smartphone was collecting much of what he was doing on the phone.

He said that his identity and his private life were being exposed to the Chinese company. Looking at his phone's default browser, he found that all the websites he visited, including search engine queries, the news he read and others, were also collected, even in the supposedly private 'Incognito' mode.

Both Mi Browser Pro and Mint Browser apps have collectively amassed over 15 million downloads on Google Play.

And that is only the beginning.

Because of the massive amount of data Xiaomi was gathering, Cirlig became increasingly worried about what else Xiaomi was doing behind people's backs.

He then found that his device was also recording which folders he opened and which screens he swiped to, including what's in his status bar and the settings page.

After Forbes contacted cybersecurity researcher Andrew Tierney to investigate the case, Forbes found that Xiaomi indeed was collecting user data through methods explained by Cirlig.

“It’s a lot worse than any of the mainstream browsers I have seen,” Tierney said. “Many of them take analytics, but it's about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”

All of the data was then packaged and sent to remote servers in both Singapore and Russia, though the web domains they hosted were registered in Beijing. The researchers also found that some of the data was sent to remote servers owned by another Chinese technology giant, Alibaba, but rented by Xiaomi.

At first, Cirlig thought that the issue was only for his Redmi Note 8.

But later, after reviewing the firmware of other Xiaomi devices, including the Xiaomi Mi 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3, he came to suspect that the issue also affects many more Xiaomi devices, considering that he found the same pieces of code in all these phones.

When confronted with the issue, Xiaomi denied any wrongdoing, saying that the claims were "untrue".

"Privacy and security is of top concern," the company said, adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters."

And when Forbes showed Xiaomi a video and photos from the researchers as proof, Xiaomi again denied the allegation.

“This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” the Chinese company said.

The tech giant also argued that all data transferred is encrypted. While Xiaomi said that the data is anonymized, Cirlig was able to easily decrypt a considerable amount of the collected data and extract enough information to trace it back to an individual user.

Many more millions are likely to be affected by what Cirlig described as a serious privacy issue, though Xiaomi denied this allegation.

With a valuation of over $50 billion, Xiaomi is one of the most successful smartphone vendors in the world, trailing only behind Apple, Samsung and Huawei.

Xiaomi made a name by selling cheap phones, many of which have qualities similar to those of competing higher-end smartphones. But unfortunately for customers, buying low-cost phones could come with a hefty price: their privacy.

Forbes noted that one of the reasons Xiaomi collects such data is to better understand its users. Google does it, as does Samsung, and even Apple collects user data. But the difference with Xiaomi is that it is not transparent about what it is doing.

“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” warned Cirlig.

Xiaomi also has another reason to collect user data, as it partners with Sensors Analytics, a behavioral analytics company, to better understand its users’ behavior. Sensors Analytics is also a company from China, and its founder and CEO, Sang Wenfeng, has a long history in tracking users.

Published: 02/05/2020