Cirlig found a worrying amount of his behaviour was being tracked, and various kinds of device data were also being harvested. When he looked around the Web on the device's default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private "incognito" mode.
The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.
Other investigators have since found that browsers shipped by Xiaomi on Google Play -- Mi Browser Pro and the Mint Browser -- were collecting the same data.
In response to the findings, Xiaomi said: "The research claims are untrue," and "Privacy and security is of top concern", adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters". A spokesperson did however confirm it was collecting browsing data, claiming the info was anonymised and users had consented to it.
Cirlig pointed out that Xiaomi "was also collecting data about the phone, including unique numbers for identifying the specific device and Android version. Cirlig said such 'metadata' could 'easily be correlated with an actual human behind the screen'".
The researchers found their Xiaomi apps to be sending data to domains that appeared to reference Sensor Analytics, which Xiaomi says "provides a data analysis solution for Xiaomi", adding that the collected anonymous data "are stored on Xiaomi's own servers and will not be shared with Sensor Analytics, or any other third-party companies".