Forbes: Xiaomi collects usage data from its browsers in incognito mode

Xiaomi mobile browsers forward URLs and other data to Xiaomi servers when the user runs the browser in Incognito mode. That claims Forbes based on claims by two researchers. Xiaomi denies.

According to Forbes, security experts say Xiaomi’s default browser and the company’s browsers in the Play Store, Mi Browser Pro and Mint Browser, send a sizable amount of data to Alibaba’s servers, which Xiaomi rents. According to the site, this concerns all websites a user visits, searches from, for example, Google and DuckDuckGo and every item viewed in the Xiaomi news feed.

In addition, Xiaomi would collect data about folders that the user opens and menus that he opens. That data would be sent to servers in Russia and Singapore, although the web domains are registered in Beijing. The data collection would also continue in incognito mode. Forbes relies on claims made by Romanian security researcher Gabi Cirlig of the company WhiteOps. The site had the claims verified by another researcher, Andrew Tierney.

In a response, Xiaomi acknowledges collecting browsing data, but this would only be anonymized and encrypted, and users would be required to consent to the tracking. The researchers state that the data is only encoded with base64 and can therefore be retrieved. Moreover, by collecting metadata, the data could easily be traced back to individuals. Xiaomi denies that the browsers also forward in incognito mode, despite Forbes showing the company a video of a “porn” search and a visit to PornHub being forwarded.