Friday, May 22, 2020

Xiaomi’s user data collection - why is it worrisome?

All companies that sell smartphones and smart devices collect user data, which is not big news, but misleading users with word jugglery is definitely unacceptable. With the Mi 10 having hit the stores some time ago and the Mi 10 Pro coming soon, these fears get compounded.

This is where Xiaomi finds itself on a sticky wicket. The Chinese smartphone giant’s Mi and Mint Browsers were recently caught in a controversy over ‘user data collection’ even while in ‘incognito mode’. Before we move on to the recent update, let’s understand how it was discovered and the indisputable repercussions on user data privacy and identity.

Snoopy behaviour

In the last week of April, 2020, cybersecurity researcher Gabi Cirlig made an alarming discovery that his brand new Redmi Note 8 smartphone was ‘watching much of what he was doing on the phone’. If that wasn’t serious enough, the data was also being sent to remote servers hosted by Alibaba.  The servers were apparently rented by Xiaomi. 

The researcher tested Xiaomi’s default browser, only to find that it recorded all the websites he visited, including search engine queries on Google and the privacy-focused DuckDuckGo. Everything he viewed on the device’s news feed feature of the Xiaomi software was also being shared. 

Another security expert, Andrew Tierney concurred with Cirlig’s findings and added that Xiaomi’s browsers on Google Play, including Mi Browser Pro and the Mint Browser, were similarly collecting the same data.

Is the incognito mode really so? 

Even with ‘incognito mode’ turned on, the browser continued tracking his activity. Not just that, the smartphone was recording which folders he had opened and to which screens he swiped, including the status bar and the settings page. This data was being sent to remote servers in Singapore and Russia, while the Web domains they hosted were registered in Beijing. Xiaomi has, however, denied all these allegations of unauthorised data collection.

Mi and Mint Browser privacy mode

Responding to user data collection on its browsers in incognito mode, Xiaomi released an update and added a toggle in the browser settings to better explain what happens in incognito mode.  

The “enhanced incognito mode” toggle reads: “Aggregated data stats won’t be uploaded when incognito mode is on.” However, users believed it to mean that if the toggle is ‘on’, user data stats won’t be uploaded. But the reverse was true. 

The images below illustrate the issue

If the toggle is on, the text changes to say “Improve your user experience by uploading aggregated data stats when incognito mode is on.” Sharing data while in incognito mode quite defeats the purpose of being in privacy mode in the first place, and the words ‘Enhanced Incognito Mode’ don’t describe it accurately. No wonder most users were puzzled by this choice of words.

An update to the update!

Finally, Xiaomi has got it right by rewording the toggle description to ‘Help us improve Mi/Mint Browser’. Now, that’s easy for users to understand and there isn’t any room for ambiguity. This fix will be available in version 12.2.4 of the Mi Browser and version 3.4.6 of the Mint Browser.

Here’s what the updated incognito toggle looks like

It is recommended to keep the data collection option disabled. However, considering that many users are already paranoid about Chinese brands collecting data without consent, it is simpler and safer to switch to Google’s Chrome or Mozilla’s Firefox browser on Android. It is also good to keep in mind that there is no such thing as being totally anonymous and safe online.

Via Forbes

