Xiaomi's Data Collection Antics Raise Serious Questions About Consumer Trust
In response, Xiaomi's official developer account replied, "Sorry for the inconvenience. Mi Browser is the pre-installed one in Mi Phone, just like the Safari on iPhone. If you think you do not have enough memory, please consider delete some other Apps so as to compensate and organize your space. We hope in this way the problem will be solved : )"
Overlooking the affable smiley for a moment, it is rather embarrassing to see one of the world's largest smartphone makers — number one in India and number four globally — suggest that its users uninstall other apps as a solution. This, though, does not seem to be an isolated act. Last night, on May 3, Xiaomi released an update to their web browsers, which include Mi Browser, Mi Browser Pro and Mint Browser. The blog post for the update read:
Given our goal of providing world class secure services and products to all users, our next Mint Browser and Mi Browser software update will include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection, in an effort to further strengthen the control we grant users over sharing their own data with Xiaomi. We believe this functionality, in combination with our approach of maintaining aggregated data in non-identifiable form, goes beyond any legal requirements and demonstrates our company’s commitment to user privacy.
Unfortunately, offering an opt-out switch hardly qualifies as a "company's commitment to user privacy". While we have all submitted to certain degrees of data collection, there still has to be a firm line that companies must not overstep. Incognito modes in other, arguably more popular browsers are a case in point: while most browsers collect some amount of personal data, the way Xiaomi's browsers are behaving seems disproportionate.
Speaking about the main issue at hand, Andrew Tierney, an independent cyber security researcher who found Xiaomi's data problems, told News18, "I can't see Chrome or Firefox sending the URLs (that) I visit to Google or Mozilla in Incognito mode. There could be all sorts of web analytics, cookies etc tracking you, but no direct sending of URLs." This brings up an issue of consumer trust, and crosses what may be deemed a fine line between acceptable data collection and a breach of a customer's faith. In fact, even with the new update, the practical privacy benefit appears to be minimal.
Two steps forward, one step back! When the device isn't sending URLs in Incognito mode... it still sends a message saying you are in Incognito mode. pic.twitter.com/I9luEkDbDM - Cybergibbons (@cybergibbons), May 4, 2020
"I'm not sure what the line is, but I don't think most people were expecting their browsing history to be sent to Xiaomi, especially when not signed in, or in incognito," added Tierney, and it is this that sums up the real issue at hand. By first collecting open and allegedly identifiable data from incognito browsing modes, subsequently denying such reports, and then going on to confirm the allegations by introducing a mode that should not even have been required in the first place, Xiaomi has essentially shown itself to be a brand that can be difficult to trust.
Case in point is the fact that Xiaomi's interface refuses to let its users delete any pre-installed app, even against their will. Then there are certain privileges and permissions that some of Xiaomi's fundamental apps ask of users. For instance, the 'Clock' app in MIUI requests internet connectivity "to provide personalised services". With the only required features being alarm, stopwatch and a world clock that can be programmed offline, the question remains: Did Xiaomi even require this permission from a user? What is it even being used for?
In an era where data privacy, localisation and security are heavily discussed, the ideal objective for a company that claims to be user-first is to minimise the amount of data that it collects, not extrapolate it. In such a climate, and with Xiaomi's particularly flimsy pretense of caring for user data, the question remains: should it still be treated as such a trusted company?