"It's a back door with a phone function," security researcher Gabi Cirlig describes his Redmi Note 8 from Xiaomi. Cirlig had previously discovered that his smartphone collects tons of private data and sends it to the Chinese manufacturer's server. This includes, for example, every website visited with the operating system browser, such as the online magazine Forbes reports. However, the problem affects not only the Redmi Note 8, but also other Xiaomi devices. The manufacturer confirmed the data collection in one opinion, however, said to adhere to data protection standards.
In addition to the websites visited, according to Cirlig, every search query, regardless of which search engine, is transmitted to Xiaomi. This is the case even in the browser's incognito mode, the security researcher emphasizes. In addition, Xiaomi records the folders that a user opens, the screens that a user views, and the settings that have been made. This data would be sent to servers in Singapore and Russia, the domains would be registered in Beijing.
In the statement, Xiaomi confirms that it collects extensive data about the smartphone and its users: According to this, information about settings, usage of the user interface, performance, memory usage, crash reports and general system information would be recorded. The URLs visited are collected, according to Xiaomi, to identify slow websites. With these, however, the complete surfing behavior of the users can be traced, and URLs also always contain personal data such as email addresses.
However, the data would only be collected in the form of aggregated usage statistics and could not be associated with the individual user, explains Xiaomi. Cirlig contradicts this: "My biggest concern for privacy is that the data sent can be easily correlated with a user." This is possible simply by collecting unique IDs to identify a specific device, which in turn could easily be associated with a real person.