A security expert working with Forbes has shared that Xiaomi devices may be getting more web data from its users even if they have put up privacy firewalls. The data it collects is being sent to domains that are hosted in Beijing. And even if the Chinese OEM says that the data they collect for research purposes is anonymous and cannot be traced to an individual, the researcher is saying that there is still the possibility to correlate the metadata to an actual person.

Gabriel Cirlig is a security researcher for White Ops and part of his work is to figure out things like this, and figure out he did. He shared with Forbes that his Redmi Note 8 apparently still found out the things he did on his device like which screens he viewed, the folders he opened, etc. This happens despite the fact that he was in incognito mode or even when he used the privacy-focused DuckDuckGo browser.

His encrypted data, which was still easy to decode if you knew how to do it, was sent to domains hosted in Beijing but whose servers were in Russia and Singapore. And when he tried this too with firmware for the other popular Xiaomi smartphones, the same security issues were also detected. Even the music player app was also collecting data like which songs were played and when they were played.

Another cybersecurity researcher, Andrew Tierney, also found out that browsers like Mi Browser Pro and the Mint Browser, were also collecting the same data. He said that while other browsers like Chrome collect analytics data, this is more about usage and crashing. What Xiaomi is doing is “as bad as it gets”, with getting browser behavior without the explicit consent of the user.

For its part, Xiaomi denied they are collecting this kind of data and said that the ones they do get are anonymized. Even when presented with video showing data collection in incognito mode, the spokesperson denied this as well. Tierney said that even if the data is supposedly anonymous, the metadata they gather include unique numbers for the specific device and Android version, which can be correlated with the person behind the screen.