The Managing Director of Xiaomi, India’s No.1 smartphone maker, today clarified that his company does record a list of the websites visited by anyone using their apps, but but was doing so to make the user experience better.
“The usage data that is logged is used to make your experience better,” Manu Kumar Jain said in a letter to Xiaomi fans today.
“For example if any website doesn’t work or loads slowly, that anonymised data is used to make your browsing experience better and faster. This is similar to what any other browser does.”
The clarification comes in the wake of a report on Forbes.com in which a techie accused the company of recording practically all his activity on Mi apps such as the built-in browser and news reader, and then sending this data to its own servers.
According to the researcher, his Redmi Note 8 phone was recording “what folders he opened and to which screens he swiped, including the status bar and the settings page.”
Xiaomi’s web browser sends all the data about the user’s browsing habits, including which webpages the user had viewed, back to the company.
This was being done even if the user had switched to ‘incognito’ or private browsing mode on the browser, the techie pointed out in allegations that have since been endorsed by some fellow techies on Twitter.
These people found that other apps, such as the News app from Xiaomi, also sent data about which item the user was reading and so on to the company’s servers.
In his response to the allegations, Manu Jain did not dispute that browsing data was being sent, but made two clarifications.
First, he said, the data was being sent so that the overall experience can be improved later. Second, he pointed out, the data is sent in such a way that the user’s identity is not included if the user has switched to ‘incognito’ or private browsing mode.
“In incognito mode, all user data is completely encrypted and anonymised. Mi Browser will never know what you browse in incognito mode and can’t identify you basis incognito browsing,” Jain said.
Xiaomi put out a blog post on its website which explained that when a user is in private browsing mode, the browser will not include the user’s name or any other personal details. Instead, it will only include a number that was unique to that browser or device.
Hence, argued Xiaomi in the blog post, users don’t have to worry about their browsing habits getting exposed to anyone who happened to have access to Xiaomi’s servers. The unique numbers or “tokens do not correspond to any individual”, it said.
However, one of the security researchers who raised questions about Xiaomi’s policy pointed out that the token or unique number did not change, but continued to be the same even after restarting the device. Hence, he argued, one number corresponded to one installation or device.
“Significant detail about my phone and the URLs I visit are being sent alongside an unchanging UNIVERSALLY UNIQUE ID. Each request I make is attached to a UNIQUE identifier which doesn’t change. There is absolutely no attempt at making this anonymous,” he tweeted.
The researcher also dismissed the company’s argument that the data is not being sent to third parties, but only to Xiaomi.
“I really don’t care who it gets sent to. I’ve never claimed it gets sent to any entity in particular. It is going from my device to another entity,” he said.
In his clarification, India MD Manu Jain repeated his company’s statement that users have given permission to collect the data that they do collect.
“..we don’t collect any information that the user has not given explicit consent to,” he said on Facebook.
Separately, the most popular web-browser in the market, Google Chrome, also collects browsing data.
However, in case of Chrome, the browser does not send individual URLs to Google servers, but processes the data locally to get certain insights and information, and then sends this information to Google. It also does not use private browsing data for such processing.
Mozilla’s Firefox is among the few web browsers that does not send data about websites to its makers.