Xiaomi, accused of tracking 'private' phone use, defends data practices

A security researcher says the company was tracking behavior and harvesting data from his Redmi Note 8.

Carrie Mihalcik Former Managing Editor / News
Laura Hautala Former Senior Writer

Xiaomi's Redmi Note 8 was one of the best-selling Android phones of 2019, according to market analyst Canalys.

Óscar Gutiérrez/CNET

Xiaomi is defending itself against accusations that it's been collecting private data from people who use its phones and web browser apps. This follows a report Thursday from Forbes that raised concerns the Chinese phone maker is collecting private data on the websites users visit as well as granular information about apps used and files opened on devices. 

In a blog post Friday, Xiaomi laid out some of its data practices, saying it collects aggregated usage statistics on things like responsiveness and performance that can't be used to identify individuals. The company also said it syncs web browsing history if people have the feature turned on in their settings. It denied any wrongdoing and said Forbes misunderstood its data privacy principles and policy. 

"At Xiaomi, our users' privacy and security are of top priority," the company said in its post. "We strictly follow and are fully compliant with user privacy protection laws and regulations around the world."

On Thursday, Forbes cited multiple security researchers who said the company was collecting web history as well as phone data such as "unique numbers for identifying the specific device and Android version" that could be connected to the person using the device. The combination of the data and the identifying numbers could let Xiaomi associate all the data it collects with individuals, which security researcher Gabi Cirlig told Forbes was the most concerning aspect of his findings.

Cirlig told the publication that when using the default Xiaomi browser on his Redmi Note 8, it "recorded all the sites he visited, including search engine queries" and "every item viewed on a news feed feature of the Xiaomi software." Cirlig said this tracking appeared to happen even when browsing in incognito or private mode, according to Forbes.

The phone also reportedly recorded things like folders that were opened and screen swipes. Cirlig told Forbes that the data was sent to remote servers hosted by Chinese tech giant Alibaba, which were rented by Xiaomi.

Other browsers, such as Chrome (made by Google) and Firefox (made by Mozilla), also collect aggregated user information about sites visited. However, these browser makers also offer detailed information about how the data is protected. Google says that Chrome collects "anonymous, randomized data" about usage that isn't associated with user identifiers. In 2017, Mozilla launched a program to collect usage data from Firefox users, protected with a process called differential privacy that makes it very difficult to see if a given individual's data is included.

Phones that run Apple's iOS or Google's Android operating systems come with their share of privacy concerns, and researchers often have to delve deep into the devices to see what kinds of location and app usage data third-party apps are collecting and sending to advertisers. But this is different from the phone maker itself collecting user data, which Apple says it tries to limit as much as possible by processing user data on the phone and leaving it there.

Google also processes data on the phone when possible, and both companies have developed differential privacy methods for analyzing their aggregate data collections. In addition, Google has developed federated learning programs, which let computer programs analyze data with machine learning on users' devices. Only the insights drawn from the data leave the phone, not the data itself.

In response to a question on whether it uses differential privacy or other protections on user data, Xiaomi said it has used the technology in a limited way for beta testers in China. "We have plans to expand the technology further to our products and users globally," the company said in its statement, "and will continue to improve and implement even more stringent privacy measures to ensure the internet security of our users."
