Xiaomi refutes allegations of mining data via phone software 'backdoors'
What's the story
Xiaomi has refuted the data mining allegations leveled by two popular security searchers. The experts had claimed that the Chinese smartphone giant uses certain "backdoors" on its devices to silently collect user activity data on remote servers. However, the company says that the claims are untrue and the duo has misinterpreted its data handling practices. Here's more about it.
Collection
Allegations of data collection via backdoors
While speaking to Forbes, researcher Gabi Cirlig claimed Xiaomi was "watching much of what he was doing on his phone." He said that the company has implemented some loopholes in its own pre-installed smartphone apps, like the Mi Browser, and is using them to gather data on users' web activity as well as things like the folders they opened and the screens they swiped.
Transfer
Transfer to servers hosted in China
Cirlig added that the Mi Browser loophole collected users' browsing data even when they searched in the incognito mode or on privacy-focused search engines like DuckDuckGo. All the data was allegedly sent to remote servers, which were located in Singapore and Russia but were hosted by web domains in Beijing. The claims were further backed by Andrew Tierney, another security expert contacted by Forbes.
Response
However, Manu Jain categorically denied the claims
Following these allegations, Manu Jain, the Managing Director of Xiaomi India, wrote an open letter to the press refuting the claims. Jain clarified that the Mi Browser, which has over 15 million downloads, follows the same protocols used by other leading browsers. He added the platform does not collect any data without explicit user consent and encrypts and anonymizes all incognito mode-related web activity.
Certifcations
Privacy practices certified by leading organizations
Among other things, Jain emphasized that several leading international organizations, including TrustArc and British Standard Institution (BSI), have certified the privacy and security practices followed for Xiaomi smartphones and default apps. He also addressed questions over data transfer to Chinese servers, noting that Indian users' Mi Cloud and Mi Browser data is stored locally on Amazon Web Services' servers in India.
Company response
Xiaomi provided further details in official blog post
Backing up Jain's response, Xiaomi issued a full-length blog post refuting the allegations and clarifying that it only collects some data from phones - such as system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports - to improve user experience. It added that the data remains completely anonymized and is not shared with any third-party
Quote
Here's an excerpt from Xiaomi's official statement
"We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user's privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations," stated Xiaomi.