According to a security researcher working with Forbes, Xiaomi has been collecting browsing data from users who are using Xiaomi phones and the built-in browser. And the fun part is that the browser does so even in incognito mode or even when using the privacy-conscious DuckDuckGo web browser.
Gabriel Cirlig, the security researcher, is using a Redmi Note 8 as a daily driver and noticed that the device records pretty much everything he does on the phone and sends the data to servers in Russia and Singapore, although the domains are hosted in Beijing. We are talking screens, websites visited, folders opened, settings he changed, music played on the default app, etc.
The data itself is poorly encrypted using the base64 format, so it was very easy for him to transcribe the data into plain text.
Cirlig went even further and downloaded the ROMs for Xiaomi Mi 10, the Redmi K20 and the Mi Mix 3 and found the very same security vulnerability on all of them. Another security researcher, Andrew Tierney, found the suspicious behavior on the Mi Browser Pro and the Mint Browser too.
Xiaomi has responded to the allegations saying that Forbes findings are misleading and untrue. A spokesperson for the company said that Xiaomi complies with all local laws and regulations on user data privacy and the collected browsing data has been anonymized. As to why Xiaomi is collecting it, it's because the firm is trying to improve the user's browsing experience and it's a standard practice. More importantly, the data can't be traced back to a specific user. However, Gabriel Cirlig sent a video to Xiaomi showing how the browser sends its history to the said servers even in incognito mode.