If you follow tech news, you have most probably heard about the recent investigation by Gabi Cirlig, on behalf of Forbes, into Xiaomi’s web browsers. If not, I will summarize what it is all about, but first I would like to state that I am not taking Xiaomi’s side, or any side for that matter. I am simply stating the facts and trying to shed a bit of light on the whole situation and on whether it is as grave as initially thought.
First, a bit of history on the original report. Gabi Cirlig, a security researcher, has published a report stating that Xiaomi’s Mi Pro Browser and Mint Browser, along with a few other Xiaomi devices, send data to Xiaomi’s servers, servers that belong to internet giant Alibaba. The data contains browsing history as well as other information related to the state of the device you are using: Android version, MIUI version, network state, phone model, screen resolution, etc. This happens even when browsing in incognito mode, which poses the biggest problem. To make things worse, the data is unencrypted… sort of.
Let’s get the encryption part out of the way. Indeed, when the browser sends its request to Xiaomi’s server, it makes a POST request in which one of the payload parameters is the information that was presented above. This data is indeed unencrypted. Instead, it is encoded using Base64, which can be easily decoded without the need for any encryption key. It is just a different way of representing data so that it can be easily (and more compactly) sent. Think of it as using base 16 to represent numbers instead of base 10, the one we are used to. Yes, it is not human-readable as-is, but transforming it into a human-readable format is easy and does not require any additional information.
When the data leaves your phone, though, it is encrypted. The connection uses the TLS 1.2 standard, so even if someone intercepts the data while in transit, they can’t read it. This is a standard encryption protocol that is used even in banking and online payment services, so it is secure. Once it reaches Xiaomi’s servers, the data is again in the Base64 format, which can be easily parsed by a computer for statistical and analysis purposes.
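To make the encoding-versus-encryption point concrete, here is an added Python example (not code from the original report or from Xiaomi) that takes a form-encoded POST body and recovers every Base64-encoded parameter without any key. The POST body, the parameter names `app` and `data`, and the JSON layout of the payload are constructed assumptions for illustration.

```python
import base64
import binascii
import json
from urllib.parse import parse_qsl, urlencode

# Constructed sample: these field names and values are invented for illustration.
SAMPLE_TELEMETRY = {
    "url": "https://example.com/search?q=test",
    "incognito": True,
    "android_version": "10",
    "model": "EXAMPLE-PHONE",
    "resolution": "1080x2340",
}

def build_sample_body():
    """Build a constructed form-encoded POST body with one Base64 parameter."""
    blob = base64.b64encode(json.dumps(SAMPLE_TELEMETRY).encode()).decode()
    return urlencode({"app": "browser", "data": blob})

def try_base64(value):
    """Return the decoded bytes if value is strictly valid Base64, else None."""
    if len(value) < 16 or len(value) % 4:
        return None  # too short to be a payload, or not padded Base64
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def reveal_encoded_params(body):
    """Map each POST parameter that decodes as Base64 text to its content."""
    revealed = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        raw = try_base64(value)
        if raw is None:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # decodes, but is not text: binary data or real ciphertext
        try:
            revealed[name] = json.loads(text)
        except json.JSONDecodeError:
            revealed[name] = text
    return revealed

if __name__ == "__main__":
    for name, content in reveal_encoded_params(build_sample_body()).items():
        print(name, "->", content)
```

Anyone who can see the request body after TLS is terminated, whether on the device itself or on the receiving server, gets the same result.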
The data is stored on servers belonging to Alibaba and rented by Xiaomi. This in itself is not a problem. Alibaba is a big internet entity in China, similar to how Amazon is in the US. The simple fact that they belong to Alibaba is not the problem. Since Xiaomi is a Chinese company, it is more or less natural that it rents servers from another Chinese company. A big portion of western online services, like Spotify, Netflix or Airbnb, run on Amazon AWS. Similarly, a lot of the online services in China run on Alibaba’s servers.
Most applications installed on your smartphone or PC send back usage information. The amount of data varies per app, but most of them do it. If you read the terms of service of such applications, you would find a sentence similar to this: “We gather anonymous usage information and data for statistical purposes and to improve our service”. Some apps ask you on first launch if you would like to participate, while others simply do this without any other info besides the ToS being shown. Apps like Facebook, Mail, Chrome and many more do this in one way or another. Where Xiaomi is at fault is in the fact that it is gathering a bit too much, including navigation done in Incognito Mode. Do other browsers do the same? Maybe, but only a detailed analysis would tell the truth and to what extent. Xiaomi just made the mistake of making it too easy to see what it is doing.
Xiaomi claims that the data is not tied to an individual, and the analysis done so far more or less proves it. Each request has a randomly generated ID and does not provide a device-specific ID. Still, with the amount of data being received, as well as other metadata like IP, location or signatures, a bigger picture can be assembled. Yes, they probably don’t know that you, “John”, searched for nudity last night, but they can tie that search to the rest of the recent browsing history, if they wanted to.
All in all, this is just another privacy scandal of the kind we’ve been seeing in the past few years. What Xiaomi is doing is not out of the ordinary, and most big tech companies are doing similar stuff. Is it right? I would say no. Each individual has the right to know, and to trim as much as they like, the amount of personal information that companies have about them. This just proves once again that privacy online is a myth, or extremely hard to achieve, especially when using free services. This is how they are making money.