Xiaomi U-Turn: Admits Sending Private Data it Said it Didn’t

This just gets weirder: Xiaomi was caught out by security researchers, who found its devices phoning home with private data. But the Chinese company promised it did no such thing.

Then it doubled-down with a rambling blog post saying it didn’t do that. And an official PR spokesperson repeated the claim twice more.

And now? Now it’s released a software update that allows you to switch off the behavior. That’s right—it’ll stop doing the thing it “doesn’t do.” In today’s SB Blogwatch, we seek alternative facts.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Adobe legal recursion.


Mi Dissemblement

What’s the craic? Sareena Dayaram reports—“Xiaomi releases browser update amid accusations”:

 Xiaomi released software updates for its browser apps … amid fresh accusations it’s been collecting private data from [users]. The release of the software update comes after a [report] suggested Xiaomi may be collecting data on the websites users visit as well as granular information about apps used and files opened on devices.

In response to the report, Xiaomi defended its practices. … The Redmi Note 8 … was the top-selling Android phone globally at the end of last year.

Wait, what? Thomas Brewster explains—“Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use”:

 Gabi Cîrlig [discovered] that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba.

The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked. [It] appeared to be happening even if he used the supposedly private “incognito” mode.

In response to the findings, Xiaomi said, “The research claims are untrue.” … But a spokesperson confirmed it was collecting browsing data [although] denied that browsing data was being recorded under incognito mode. … The company spokesperson continued to deny that the information was being recorded.

Cirlig also discovered that Xiaomi’s music player app on his phone was collecting information on his listening habits. … All of the data was being packaged up and sent to remote servers in Singapore and Russia.

What the actual ****? The dead-eyed drones in Xiaomi’s PR team pretend to blog—“Evidence and statement in response to media coverage on our privacy policy”:

 There have been media reports and discussions on social media over Xiaomi’s privacy policy about our process for browser data collection and storage. … Xiaomi was disappointed to read the recent article.

Our users’ privacy and internet security are of top priority. … We are confident that we strictly follow and are fully compliant with local laws. … All collected usage data is based on permission and consent given explicitly by our users … and we do not link any personally identifiable information to any of this data.

Security, safety and user privacy are [our] core principles and the foundation of our day-to-day work. … We have adopted the industry’s most stringent and transparent privacy protection measures.

Our … software update will include an option in incognito mode for all users … to switch on/off the aggregated data collection. … Listening to feedback from users [has] been at the core of our company from the beginning.

Outrageous! The update confirms that Xiaomi’s spokesdroid was twice “incorrect” about collecting Incognito browsing data. Andrew Tierney—@cybergibbons—tears it down:

 I and several others have re-confirmed the findings today, across multiple devices. There is no doubt that the Mint Browser sends search terms and URLs whilst in Incognito mode.

The blog is whataboutism and denial at its finest. … “Collection of aggregated usage statistics data” … makes no sense. [They] give an example of collecting a URL. … There is a massive gap here.

There is no client-side aggregation. [They say] they “create randomly generated unique tokens” that “do not correspond to any individuals.” This code shows nothing of the sort. … But, more to the point, calling a UUID “anonymous” does not make it anonymous.

It’s easy – just say: “There’s an issue, we’ll fix it.” Job done.
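Tierney’s point about the gap between “aggregated usage statistics” and per-URL records tagged with a “random” token is easy to show in code. The following is an added illustration, not code from the original post, from Xiaomi, or from the researchers; the telemetry events are constructed and the token values are made up.

```python
"""Why a random per-device token does not make URL-level telemetry
anonymous, and what client-side aggregation would look like instead.
Added example; events below are constructed, not captured."""
from collections import Counter
from urllib.parse import urlparse

# Constructed events in the shape described in the thread: a per-device
# token (a UUID) plus the full URL or search term that was visited.
EVENTS = [
    {"token": "11111111-2222-4333-8444-555555555555",
     "url": "https://example.com/search?q=mortgage+default"},
    {"token": "11111111-2222-4333-8444-555555555555",
     "url": "https://example.org/clinic/appointments"},
    {"token": "11111111-2222-4333-8444-555555555555",
     "url": "https://example.com/search?q=divorce+lawyer"},
    {"token": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
     "url": "https://example.net/news"},
]


def histories_by_token(events):
    """Server-side view: a stable token is a pseudonym, not anonymity.
    Every URL ever sent under it joins into one browsing history, and a
    history this specific is usually enough to identify the person."""
    out = {}
    for e in events:
        out.setdefault(e["token"], []).append(e["url"])
    return out


def aggregate_client_side(events):
    """What 'aggregated usage statistics' would mean if the aggregation
    actually happened on the device: only per-host counts leave the
    phone, with no token, no path and no query string."""
    return Counter(urlparse(e["url"]).hostname for e in events)


def leaks_identifier_or_path(payload):
    """Defensive check for an outgoing payload: flag it if any record
    still carries a device token or anything beyond a bare hostname."""
    for rec in payload:
        if "token" in rec:
            return True
        parsed = urlparse(rec.get("url", ""))
        if parsed.path not in ("", "/") or parsed.query:
            return True
    return False
```

Note that the token in the first three records never changes, so "randomly generated" says nothing about whether the records can be linked; only dropping the token and the URL detail before sending does.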

And Gabriel Cîrlig—@hookgab—is slightly more succinct:

 I said it before and I’m gonna say it again.
STOP👏SENDING👏MY👏DATA.

Where’s the 50-cent army? ClarkMills proffers this pablum-apologium:

 If it’s made in China, America will try to dissuade you from buying it. The joke is wearing a bit too thin guys.

But how is this different from the data Google collects? Ben Tasker explains:

 For one, I don’t think Google have ever said “no they’re wrong, we don’t collect that.” … Xiaomi’s issue here is derived from so much more than what their browser was doing.

Their entire response to it has been utter ****. … It’s waffle that completely avoids the thing at issue, when it’s not outright contradicting itself. It’s that response which has blown it up into a brouhaha.

Had they said “yes … we’ll fix this” then there wouldn’t have been nearly the same ****storm. Instead they went with “the people who found this are wrong.”

And Snotnose sniffs:

 From the “whoops we got busted” files.

Not like it’s an accident they collected all this data in the first place. The only question now is how have they hidden this data collection in the new apps?

Oh, you think they removed the collection in the new apps? Let me laugh even harder.

Meanwhile, tin 2 cuts to the chase:

 Which piece of **** software developer is sitting there thinking it’s fine to add telemetry to private browsing mode?

And Finally:

To read the Terms of Use, you must first agree to the Terms of Use



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Partydoos (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
