Xiaomi, accused of tracking ‘private’ phone use, defends data practices

Xiaomi is defending itself against accusations that it’s been collecting private data from people who use its phones and web browser apps. This follows a report Thursday from Forbes that raised concerns the Chinese phone maker is collecting private data on the websites users visit as well as granular information about apps used and files opened on devices.

In a blog post Friday, Xiaomi laid out some of its data practices, saying it collects aggregated usage statistics on things like responsiveness and performance that can’t be used to identify individuals. The company also said it syncs web browsing history if people have the feature turned on in their settings. It denied any wrongdoing and said Forbes misunderstood its data privacy principles and policy.

“At Xiaomi, our users’ privacy and security are of top priority,” the company said in its post. “We strictly follow and are fully compliant with user privacy protection laws and regulations around the world.”

On Thursday, Forbes cited multiple security researchers who said the company was collecting web history as well as phone data such as “unique numbers for identifying the specific device and Android version” that could be connected to the person using the device. The combination of the data and the identifying numbers could let Xiaomi associate all the data it collects with individuals, which security researcher Gabi Cirlig told Forbes was the most concerning aspect of his findings.
Making privacy a priority

Apple and Google's coronavirus tracking tool: How privacy fits in
EU working on privacy guidelines for phone location tracking of COVID-19
8 mobile apps that protect your phone's privacy, because no, you're not doing enough

Cirlig told the publication that when using the default Xiaomi browser on his Redmi Note 8, it “recorded all the sites he visited, including search engine queries” and “every item viewed on a news feed feature of the Xiaomi software.” Cirlig said this tracking appeared to happen even when browsing in incognito or private mode, according to Forbes.

The phone also reportedly recorded things like folders that were opened and screen swipes. Cirlig told Forbes that the data was sent to remote servers hosted by Chinese tech giant Alibaba, which were rented by Xiaomi.

Other browsers, such as Chrome (made by Google) and Firefox (made by Mozilla), also collect aggregated user information about sites visited. However, these browser makers also offer detailed information about how the data is protected. Google says that Chrome collects “anonymous, randomized data” about usage that isn’t associated with user identifiers. In 2017, Mozilla launched a program to collect usage data from Firefox users, protected with a process called differential privacy that makes it very difficult to see if a given individual’s data is included.

Phones that run Apple’s iOS or Google’s Android operating systems come with their share of privacy concerns, and researchers often have to delve deep into the devices to see what kinds of location and app usage data third party apps are collecting and sending to advertisers. But this is different from the phone maker itself collecting user data, which Apple says it tries to limit as much as possible by processing user data on the phone and leaving it there.

Google also processes data on the phone when possible, and both companies have developed differential privacy methods for analyzing their aggregate data collections. In addition, Google has developed federated learning programs, which let computer programs analyze data with machine learning on users’ devices. The insights from the data are removed from the phone, instead of the data itself.

It’s not clear from Xiaomi’s statement if the company uses any of these data-protecting systems on the aggregate data it collects from users’ phones and browsers. A representative for Xiaomi didn’t immediately respond to a question on whether it uses differential privacy or federated learning.