Episode 18: Xiaomi Brazenly Collects User Data on Their Phones

The fourth biggest smartphone maker in the world, Xiaomi from China, makes very cheap phones with decent features. But it looks like they are selling out your privacy to recoup some of the money you’re saving when you buy their phones.

In this episode of The Private Citizen, we are going to talk about smartphones. Xiaomi (founded in 2010) is the world’s number four when it comes to smartphone manufacturing. They are the leader in the two biggest markets for these devices: China and India. They are mostly known for making relatively cheap phones that still have quite good specs. And they’ve just been caught spying on their customers in pretty egregious ways.

A Backdoor with Phone Functionality

Last week, Forbes broke the story of how the Chinese mobile phone manufacturer Xiaomi collects massive amounts of user data.

“It’s a backdoor with phone functionality,” quips Gabi Cirlig about his new Xiaomi phone. He’s only half-joking. Cirlig is speaking with Forbes after discovering that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were ostensibly rented by Xiaomi. The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company.

So what did they actually discover? On the Redmi Note 8, the following data is collected:

  • The default browser records all websites visited and all search engine queries (Google and DuckDuckGo)
  • All items viewed on the OS’s news feed feature are recorded
  • The browser tracking also happens in incognito mode
  • The OS records what folders are opened and also what screens are used (including the status bar and settings page)
  • There are suspicions that the phone also reports whenever an app is opened

All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Though the Chinese company claimed the data was being encrypted when transferred in an attempt to protect user privacy, Cirlig found he was able to quickly see just what was being taken from his device by decoding a chunk of information that was hidden with a form of easily crackable encoding, known as base64. It took Cirlig just a few seconds to change the garbled data into readable chunks of information. “My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” warned Cirlig.
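The point about base64 deserves a concrete illustration: base64 is a reversible encoding, not encryption, so anyone who can capture the request body can read the event without any key. The following is an added example, not code from Forbes, the researchers or Xiaomi. It builds a constructed analytics event (field names such as `url`, `incognito` and `device_id` are assumptions for illustration, not a real payload), wraps it the way an SDK might (base64 of JSON in a form field), and then does what a privacy audit of your own device traffic would do: decode the field and classify which parts are browsing history, which are device identifiers, and whether the two appear together, since that combination is what makes a record linkable to one user.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample event. Field names are assumptions for illustration and
# are not taken from any real Xiaomi or Sensors Analytics payload.
SAMPLE_EVENT = {
    "event": "page_view",
    "url": "https://duckduckgo.com/?q=example+search",
    "incognito": True,
    "device_id": "00000000-1111-2222-3333-444444444444",
    "android_version": "9",
}

# Constructed request body: the event as base64-encoded JSON in a form field,
# which is a common shape for analytics SDK uploads.
CAPTURED_BODY = urlencode({
    "data": base64.b64encode(json.dumps(SAMPLE_EVENT).encode("utf-8")).decode("ascii"),
    "gzip": "0",
})

# Keys that carry what the user looked at, and keys that can tie an event to a device.
BROWSING_KEYS = re.compile(r"(url|query|search|referrer)", re.I)
IDENTIFIER_KEYS = re.compile(r"(device_id|android_id|imei|serial|advertising_id)", re.I)


def decode_base64_field(body: str, field: str = "data") -> dict:
    """Pull one form field out of a captured request body and base64-decode it.

    No key is involved: base64 only changes the representation of the bytes,
    so the decode succeeds for anyone holding the captured body.
    """
    params = parse_qs(body)
    if field not in params:
        raise ValueError(f"field {field!r} not present in body")
    raw = params[field][0]
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently dropping them, which would hide a malformed or truncated capture.
    try:
        decoded = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"field {field!r} is not valid base64: {exc}") from exc
    return json.loads(decoded)


def audit_event(event: dict) -> dict:
    """Classify the fields of a decoded analytics event by privacy impact.

    Returns:
      browsing     - keys holding visited URLs or search terms
      identifiers  - keys that could single out one device or person
      private_mode - True if the event itself says it came from incognito mode
      linkable     - True when browsing data and an identifier travel together
    """
    findings = {"browsing": [], "identifiers": [], "private_mode": False}
    for key, value in event.items():
        if BROWSING_KEYS.search(key):
            findings["browsing"].append(key)
        elif IDENTIFIER_KEYS.search(key):
            findings["identifiers"].append(key)
        elif key.lower() in ("incognito", "private", "private_mode") and value is True:
            findings["private_mode"] = True
    # A URL plus a stable device identifier in one record is exactly what lets
    # the receiving server correlate browsing history with a specific user.
    findings["linkable"] = bool(findings["browsing"] and findings["identifiers"])
    return findings


def audit_capture(body: str) -> dict:
    """Decode a captured request body and audit the event it carries."""
    return audit_event(decode_base64_field(body))


if __name__ == "__main__":
    print(json.dumps(audit_capture(CAPTURED_BODY), indent=2))
```

Run against a capture of your own phone's traffic (for example from a proxy you control), the same two steps apply: if the "encrypted" field decodes with nothing but `base64.b64decode`, the vendor's claim was about encoding, and if the decoded record carries both a URL and a device identifier, the "anonymous" claim does not hold either.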

But this isn’t only happening if you have an actual Xiaomi phone. Their apps do it too.

Meanwhile, at Forbes’ request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play – Mi Browser Pro and the Mint Browser – were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics.

Nor is the Redmi Note 8 the only affected model, it seems.

Cirlig thinks that the problems affect many more models than the one he tested. He downloaded firmware for other Xiaomi phones – including the Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices. He then confirmed they had the same browser code, leading him to suspect they had the same privacy issues.

Why are they collecting this data?

Both Cirlig and Tierney found their Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, including the repeated use of SA. When clicking on one of the domains, the page contained one sentence: “Sensors Analytics is ready to receive your data!” There was an API called SensorDataAPI—an API (application programming interface) being the software that allows third parties access to app data. Xiaomi is also listed as a customer on Sensors Data’s website.

The Chinese startup, also known as Sensors Data, has raised $60 million since its founding in 2015, most recently taking $44 million in a round led by New York private equity firm Warburg Pincus, which also featured funding from Sequoia Capital China. As described in Pitchbook, a tracker of company funding, Sensors Analytics is a “provider of an in-depth user behavior analysis platform and professional consulting services.” Its tools help its clients in “exploring the hidden stories behind the indicators in exploring the key behaviors of different businesses.” The founder and CEO of Sensors Data, Sang Wenfeng, has a long history in tracking users. At Chinese internet giant Baidu he built a big data platform for Baidu user logs, according to his company bio.

Xiaomi’s Barefaced Response

So Xiaomi got caught doing something that is probably OK at home in China but doesn’t fly over here in the west. How did they react?

In response to the findings, Xiaomi said, “The research claims are untrue,” and “privacy and security is of top concern,” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn’t tied to any identity. They said that users had consented to such tracking.

But, as pointed out by Cirlig and Tierney, it wasn’t just the website or Web search that was sent to the server. Xiaomi was also collecting data about the phone, including unique numbers for identifying the specific device and Android version. Xiaomi’s spokesperson also denied that browsing data was being recorded under incognito mode. Both Cirlig and Tierney, however, found in their independent tests that their web habits were sent off to remote servers regardless of what mode the browser was set to, providing both photos and videos as proof.

When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for “porn” and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.

Both Cirlig and Tierney said Xiaomi’s behavior was more invasive than other browsers like Google Chrome or Apple Safari. “It’s a lot worse than any of the mainstream browsers I have seen,” Tierney said. “Many of them take analytics, but it’s about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”

Xiaomi also confirmed that Sensors Analytics is involved.

Xiaomi’s spokesperson confirmed the relationship with the startup: “While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi’s own servers and will not be shared with Sensors Analytics, or any other third-party companies.”

I’m not quite sure how they are analysing data without having access to it, though.

A few days later, The Register reported:

Today, the phone vendor issued an update for its Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play to “include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection.” Which should, in theory, when disabled, stop Xiaomi’s software harvesting URLs and other stuff in private mode.

In other words, they were doing wrong things, knew it, and only patched it (a little bit) once they got called out for this practice. Of course, the phone journos have already forgotten about this story again as they are chasing the next shiny thing.

Feedback

Mika wrote me in support of the show and also gave me some thoughts on the previous episode.

I am closely following what you did since you left Heise and their Uplink. I may often not be sharing your opinion, but your well laid out thoughts often give me a second perspective on stuff, which I very much appreciate.

  1. The statistics of the R curve are hard. I know my way around statistics from my Physics studies. Let me tell you, in such a graph you should make sure the accuracy of your data is clear. In Physics you do this by showing your statistical and systematical uncertainties in the graph, wherever appropriate. This can not be done however without cluttering the plot. This being said, I fear the corrections in time for “real” dates (subtract delays in forwarding data to the RKI…) reduce the systematical errors, but might very well increase the statistical uncertainty substantially. However this can be accounted for and should be laid out in scientific papers, since to judge if a measure is working at the date it is going into effect, I need to know if there is not an uncertainty of +-3 days on these dates anyway.
  2. On the date the “lockdown” went into effect I was in home office by strong advice of my employer for over one week already. Also a lot of other businesses have done this even before us. So I would expect the R number to go down significantly during at least a week before the “lockdown”. So I would assume we did effective social distancing before, however the lockdown having no effect at all above the “self imposed” carefulness is somewhat strange.

Keep up the great work and keep the rants coming. Was loving those in your daily Morning Call.

I had some messages back and forth with S.J. on Patreon and they also told me they love the show.

And finally, Bennett replied to me commenting on him skipping coronavirus-related episodes:

I do enjoy your podcasts on the topic – it’s less exhausting when the coverage is not full of bullshit – but I like some variety and a break from time to time.

If you also have thoughts on the things discussed here, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Eric gPodder Test, Butterbeans, Kai Siers, Mark Holland, Steve Hoos, Shelby Cruver, Fadi Mansour, Vlad, Matt Jelliman, Joe Poser, Jackie Plage, 1i11g, ikn, Dave Umrysh, Dirk Dede, David Potter, Vytautas Sadauskas, RikyM, drivezero, Mika, Jonathan Edwards, Barry Williams and S.J.