LIVE post: Evidence and statement in response to media coverage on our privacy policy

Dear readers,

We at Xiaomi hope you and your loved ones are staying safe during this difficult time.

There have been media reports and discussions on social media over Xiaomi’s privacy policy about our process for browser data collection and storage. We would like to provide a statement on further stepping up user privacy protection in our browser products.


Updated at 02:04, May 4, GMT+8, in Beijing

 

—START—

By 01:30, May 4, GMT+8 in Beijing, the software updates had been made available for our browser products, including the preloaded Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play.

The latest versions are: Mi Browser/Mi Browser Pro (v12.1.4), and Mint Browser (v3.4.3).

These software updates include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection.

We thank you all for your attention, suggestions and dedication during the past few days to further improving the overall user experience of our products and services.

—END—


Updated at 16:59, May 3, GMT+8, in Beijing

 

—START—

We would like to express our appreciation for researchers’ engagement, passionate and constructive discussion. 

Given our goal of providing world-class secure services and products to all users, our next Mint Browser and Mi Browser software update will include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection, in an effort to further strengthen the control we grant users over sharing their own data with Xiaomi. The software updates will be submitted to Google Play for approval today (May 3, GMT+8).

We believe this functionality, in combination with our approach of maintaining aggregated data in non-identifiable form, goes beyond any legal requirements and demonstrates our company’s commitment to user privacy. 

As always, Xiaomi welcomes users to participate in our product development and advancement. Listening to feedback from users and letting them take part in Xiaomi’s future have been at the core of our company from the beginning.

—END—

 


Updated at 04:55, May 2, GMT+8, in Beijing

 

Please find below a public statement in response to a recent article by Forbes on our privacy policy on April 30:

—START—

Xiaomi has reviewed a recent article by Forbes on our privacy policies and believes the reporting to be misrepresentative of the facts. At Xiaomi, our users’ privacy and security are of top priority. We strictly follow and are fully compliant with user privacy protection laws and regulations in the countries and regions we operate in. In light of the misrepresentations, we would like to clarify the following:

1. In all global markets where Xiaomi is officially present, in order to offer the best possible user experience, increase compatibility between the operating system and various apps, as well as undertake the obligation of protecting user privacy, all collected usage data is based on permission and consent given explicitly by our users. Additionally, we ensure the whole process is anonymous and encrypted. The collection of aggregated usage statistics data is used for internal analysis, and we do not link any personally identifiable information to any of this data. Furthermore, this is a common solution adopted by internet companies around the world to improve the overall user experience of various products, while safeguarding user privacy and data security.

2. Xiaomi hosts information on a public cloud infrastructure that is common and well known in the industry. All information from our overseas services and users is stored on servers in various overseas markets where local user privacy protection laws and regulations are strictly followed and with which we fully comply.

3. Prior to publication, the reporter emailed us with questions relevant to the article and Xiaomi responded with full transparency, providing detailed answers regarding our technology and privacy policies. We believe the article published does not accurately reflect the content and facts of these communications. After the article was posted, we contacted the reporter with further clarification and are currently in discussion with the intention of swiftly reassuring him with how our data security works in action. In parallel, we created a live post on Xiaomi’s official blog to share this same information with the public. The Forbes article, which details how we protect users’ privacy and comply with all laws and regulations, has recently been updated to include a link to our blog post. https://blog.mi.com/en/2020/05/02/live-post-evidence-and-statement-in-response-to-media-coverage-on-our-privacy-policy/

4. As an internet company, internet security, safety and user privacy are Xiaomi’s core principles and the foundation of our day-to-day work. Our products, technologies, performance and measures on user privacy protection are constantly being improved. In the latest launch of our operating system, MIUI 12, we have adopted the industry’s most stringent and transparent privacy protection measures, to date. For additional transparency, we always welcome fact-based supervisions, inquiries and discussions from the public to continuously improve our products and services for our beloved users and Mi Fans.

—END—


Updated at 00:05, May 2, GMT+8, in Beijing

 

Xiaomi’s statement for now in response to a Forbes article published on April 30:

—START—

Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our users’ privacy and internet security are of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.

—END—

The following provides detail on how Xiaomi collects data and protects user privacy:

There are two types of data collection:

1. Collection of aggregated usage statistics data – Data (such as system information, preferences, user interface feature usage, responsiveness, performance, memory usage, and crash reports) is aggregated and cannot alone be used to identify any individual.

An example usage scenario: The URL is collected to identify web pages which load slowly; this gives us insight into how to best improve overall browsing performance.

2. Syncing of user browsing data – An individual’s user browsing data (history) is synced when:

  • The user is signed in on Mi Account; and
  • The data sync function is set to “On” under Settings

An example usage scenario: To provide users quick access to previously viewed websites when users switch between different devices after logging in to their Mi Accounts.

Under incognito mode, user browsing data is not synced; however, aggregated usage statistics data (mentioned in point 1 above) is still collected.

Below are screenshots to further demonstrate these points. 

  1. This screenshot shows the code for how we create randomly generated unique tokens to append to aggregate usage statistics; and these tokens do not correspond to any individuals.

  2. This screenshot shows how the Mi Browser works under incognito mode, where no user browsing data will be synced.

  3. The following URL shows that the collected usage statistics data is stored on Xiaomi’s domain and we do not pass any data to Sensor Analytics. (MIUI is the operating system of Xiaomi’s devices.)

  4. This image shows that usage statistics data is transferred over HTTPS with TLS 1.2 encryption.

Below are four certifications Xiaomi received from widely acclaimed international third-party companies and organizations – TrustArc and British Standards Institution (BSI) – which have certified the security and privacy practices of Xiaomi’s smartphone and its default apps, including Mi Browser.

Details can be found on the Xiaomi Trust Center page.

ISO27001:2013

ISO 27001 is a widely accepted and applied international certification standard for information security management systems. This certification indicates that Xiaomi has implemented internationally recognized information security control measures defined in this standard.

ISO27018:2014

ISO 27018 is an international code of conduct that focuses on personal data protection in the cloud. This certification indicates that Xiaomi Cloud has a complete system for the protection of personal data.

ISO29151:2017

ISO/IEC 29151:2017 is an internationally recognized guide for personal identity information protection. This certification proves Xiaomi’s capabilities of information security guarantee and privacy data protection.

TRUSTe

TRUSTe enterprise privacy certification standards have combined the privacy compliance requirements of countries. This certification shows that Xiaomi has established a complete privacy compliance system and obtained internationally recognized privacy data protection capabilities.