Xiaomi told 500 million users their private browsing was private. Researchers caught the Redmi Note 8 recording every URL, every search, every news click in incognito mode and shipping it to servers whose domains are registered in Beijing. The data was "encrypted" with base64; a researcher decoded it in seconds. When Forbes showed Xiaomi the video proof, the company denied it. It later added an opt-out toggle, but the collection stayed on by default. Xiaomi told Lithuania it never censors users. Lithuania's cyber security agency found a list of 449 banned phrases ("Free Tibet," "democracy movement," "Long live Taiwan independence") automatically downloaded to the Mi Browser on European phones. The censorship was switched off but could be remotely activated without anyone knowing. Lithuania's Defence Ministry told the entire nation to throw their Chinese phones away. Over 200 government agencies had already bought thousands of them.
What they claim: HyperOS 2 Privacy Dashboard marketing promises hardware-level controls that "block access to microphone, camera, and location at the system level."
What we found: Trinity College Dublin and University of Edinburgh researchers found Xiaomi phones transmit telemetry with no opt-out, regardless of what the dashboard toggles say about the sensors. com.miui.analytics sends app usage timing to servers in Singapore. Each screen-lock event triggers a request to data.mistat.intl.xiaomi.com. Pre-installed Facebook services keep running in the background even after the Facebook app is deleted. Douglas Leith: "I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out."
What they claim: Xiaomi Privacy Policy lists data collection purposes but does not disclose behavioral analytics partnerships.
What we found: The Forbes investigation found Xiaomi browsers pinging domains tied to Sensors Data (Sensors Analytics), a Chinese behavioral analytics startup, and Xiaomi is listed as a customer on Sensors Data's website. This commercial surveillance partnership, in which a third-party company receives detailed browsing behavior of Xiaomi users, was not disclosed in Xiaomi's privacy policy.
What they claim: Xiaomi implies browsing tracking is an app-level feature that can be controlled through browser settings and incognito mode.
What we found: The browser tracking code was not confined to a downloadable app; it was present in the firmware images of the Mi 10, Redmi K20, and Mi MIX 3. Because the browser ships as a system app, a factory reset restores it rather than removing it. Installing a different browser does not remove the preinstalled one or stop the device-level telemetry. The surveillance is baked into the foundation of the device.
What they claim: Xiaomi ships phones with user-removable apps, implying users control what runs on their device.
What we found: Pre-installed Facebook background services continue running and harvesting data even after users delete the Facebook app. These services cannot be removed through the phone's own interface; disabling them requires ADB commands executed from a computer, a process that depends on developer tooling most users do not have. Xiaomi ships phones with surveillance infrastructure that survives the user's attempt to remove it.
What they claim: Xiaomi official statement (September 2021): "Xiaomi's smartphones do not censor communications... Xiaomi has never and will never restrict or block any personal behaviors of our smartphone users."
What we found: Lithuania National Cyber Security Centre (September 2021): Found the Mi 10T 5G had built-in censorship capabilities. Mi Browser periodically downloaded a list of 449 censored terms including "Free Tibet," "Long live Taiwan independence," and "democracy movement." Functionality disabled for European phones but could be remotely activated without user knowledge or consent.
What they claim: Xiaomi markets MIUI/HyperOS as a premium user experience. Ads are labeled as "Recommendations" in system settings.
What we found: MIUI injects advertisements into core system apps: Settings, Security, File Manager, Music, Themes, Downloads, and Mi Browser. The MSA (MIUI System Ads) component, com.miui.systemAdSolution, collects usage data and pushes targeted ads. Disabling MSA requires navigating to Authorization & Revocation, retrying the toggle several times because it typically fails on the first attempts, then restarting the phone. Major OTA updates silently reinstall MSA.
What they claim: Xiaomi Privacy Policy: "Privacy is one of Xiaomi's core values." Mi Browser offers incognito mode implying private browsing.
What we found: Forbes investigation (May 2020): Cybersecurity researchers Gabriel Cirlig and Andrew Tierney found the Xiaomi Redmi Note 8 transmitted every URL visited, every search query, and every news article viewed, even in incognito mode, to servers in Singapore and Russia whose domains were registered in Beijing. The same tracking code was found in the firmware of the Mi 10, Redmi K20, and Mi MIX 3. When confronted with video proof, Xiaomi denied it.
What they claim: Xiaomi official statement: "We do not provide any form of backdoor in any of our products or services." Xiaomi Transparency Report: "We do not give governments or law enforcement agencies direct access to customer data."
What we found: China National Intelligence Law (2017), Article 7: "All organizations and citizens shall, in accordance with the law, support, assist, and cooperate with national intelligence work." Article 14 grants intelligence agencies authority to demand cooperation. No public-interest defense, no judicial oversight for national security requests, no transparency reporting requirement. Xiaomi is headquartered in Beijing and fully subject to these provisions.
What they claim: Xiaomi response to Forbes (May 2020): "Data is encrypted and anonymized."
What we found: The browser telemetry was encoded in base64, which researcher Gabriel Cirlig decoded in seconds. Base64 is an encoding, not encryption: it involves no key, and anyone who captures the traffic can reverse it with a single command. The decoded data could be trivially correlated to specific users via device identifiers carried in each record. Cirlig: "My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user."
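The two points above, that base64 is reversible by anyone and that a stable device identifier lets every decoded event be tied to one handset, are easy to show in code. The following is an added example written for this page, not Xiaomi's wire format and not Cirlig's tooling: the record layout, field names, device identifiers and URLs are all constructed here, and the "ciphertext" stand-in is just hash output used to keep the run deterministic. The printable-ratio check is a quick triage heuristic for telling encoded plaintext from real ciphertext, not a proof of either.

```python
import base64
import hashlib
import json
import string
from collections import defaultdict

# Constructed sample telemetry (invented fields and values, not Xiaomi's
# actual format): three records of the kind a browser might POST home,
# each "protected" only by base64.
_PLAINTEXT_EVENTS = [
    {"device_id": "a1b2c3d4", "type": "url",
     "value": "https://example.org/health/symptoms", "incognito": True},
    {"device_id": "a1b2c3d4", "type": "search",
     "value": "divorce lawyer near me", "incognito": True},
    {"device_id": "ffff0000", "type": "news",
     "value": "article-8812", "incognito": False},
]
CAPTURED_RECORDS = [
    base64.b64encode(json.dumps(e).encode()).decode() for e in _PLAINTEXT_EVENTS
]

# Stand-in for genuinely encrypted output: 48 bytes derived from SHA-256 so the
# example is deterministic. Real AES-GCM output would look just as opaque.
FAKE_CIPHERTEXT = base64.b64encode(
    hashlib.sha256(b"k1").digest() + hashlib.sha256(b"k2").digest()[:16]
).decode()

PRINTABLE = set(string.printable.encode())


def decode_record(blob: str) -> bytes:
    """Reverse the 'encryption'. No key is involved; anyone holding the blob can do this."""
    return base64.b64decode(blob)


def is_merely_encoded(blob: str, threshold: float = 0.95) -> bool:
    """Triage heuristic: base64 of plaintext decodes to mostly printable bytes,
    base64 of ciphertext decodes to bytes that look uniformly random
    (roughly 39% printable). Good enough to flag 'encrypted' telemetry that
    is nothing of the sort."""
    raw = decode_record(blob)
    if not raw:
        return False
    printable = sum(1 for b in raw if b in PRINTABLE)
    return printable / len(raw) >= threshold


def correlate_by_device(blobs):
    """Group decoded events by the device identifier each record carries.
    This is the correlation Cirlig warned about: one stable identifier
    ties every URL and search to one handset, incognito or not."""
    timeline = defaultdict(list)
    for blob in blobs:
        event = json.loads(decode_record(blob))
        timeline[event["device_id"]].append(
            (event["type"], event["value"], event["incognito"])
        )
    return dict(timeline)


if __name__ == "__main__":
    for blob in CAPTURED_RECORDS:
        print(blob[:32] + "...", "->", decode_record(blob).decode())
    print("base64 telemetry merely encoded:", is_merely_encoded(CAPTURED_RECORDS[0]))
    print("hash-derived blob merely encoded:", is_merely_encoded(FAKE_CIPHERTEXT))
    for device, events in correlate_by_device(CAPTURED_RECORDS).items():
        print(device, events)
```

Run against a real capture, replace CAPTURED_RECORDS with the base64 bodies pulled from the POST requests; if is_merely_encoded returns True and correlate_by_device groups several events under one identifier, the "encrypted and anonymized" claim fails on both counts.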
What they claim: Xiaomi response to Oversecured disclosure (May 2024): "Protecting the data security and privacy of our users is the top priority."
What we found: Oversecured reported 20 vulnerabilities to Xiaomi in April 2023 across Gallery, GetApps, Mi Video, Bluetooth, Phone Services, Settings, ShareMe, System Tracing, and Xiaomi Cloud. Flaws included shell command injection, arbitrary file theft with system privileges, and disclosure of phone, settings, and account data. They were not publicly disclosed until May 2024, more than a year later. Root cause: Xiaomi modified AOSP components to add functionality, introducing exploitable flaws.
What they claim: Xiaomi: "We moved international user data to AWS servers in Oregon and Singapore" (2014), implying data security through infrastructure.
What we found: Princeton University and Citizen Lab researchers (May 2025) found 47.6% of the top 800 apps from Xiaomi's Mi Store use non-standard and weak encryption protocols, enabling third-party eavesdropping. Moving servers to Oregon means nothing when nearly half the apps transmitting data use encryption so weak that anyone on the network can read it.
What they claim: Xiaomi India: "Royalty payments were for in-licensed technologies."
What we found: India's Enforcement Directorate (April 2022) seized $725 million from Xiaomi India's bank accounts, nearly half of Xiaomi's annual worldwide profits, after finding the company had made illegal remittances of 55.5 billion rupees to foreign entities disguised as "royalty" payments. Former MD Manu Kumar Jain alleged ED officials threatened him and his family with "dire consequences." The seizure was upheld by India's High Court in April 2023.
What they claim: MIUI Settings allow users to disable MSA (MIUI System Ads) through Authorization & Revocation menu, implying user control over ad delivery.
What we found: Users who get through the hostile MSA disable process (the toggle typically fails the first several attempts, then requires a phone restart) find MSA silently reinstalled after major OTA updates. Bloatware packages removed over ADB, including com.miui.systemAdSolution, are also restored after system updates. The opt-out mechanism is temporary by design and reversible by Xiaomi.
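Because an ADB removal is only a per-user uninstall on top of the system partition, an OTA that rewrites that partition brings the packages back. The practical countermeasure is to audit after every update and re-remove what returned. The script below is an added example for this page, not a Xiaomi tool or a published utility: it parses the output of "pm list packages" and compares it with the set of packages you removed. The MSA package name is taken from the text above; com.miui.analytics is the analytics component named earlier on this page; the Facebook package name is an assumption and should be replaced with whatever your device actually ships. The sample pm output is constructed, not captured from a real phone.

```python
import subprocess

# Packages previously removed with "pm uninstall -k --user 0". Only the MSA
# name comes from the text above; com.miui.analytics appears earlier on this
# page, and com.facebook.services is an assumed name for the Facebook
# background service. Edit this to match what you actually removed.
REMOVED_BY_USER = {
    "com.miui.systemAdSolution",
    "com.miui.analytics",
    "com.facebook.services",
}

# Constructed sample of "adb shell pm list packages --user 0" output after an
# OTA update. Not captured from a real device.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.miui.securitycenter
package:com.miui.systemAdSolution
package:com.android.chrome
package:com.facebook.services
"""


def parse_pm_list(output: str) -> set:
    """Turn 'package:<name>' lines into a set of package names, ignoring blanks
    and anything that is not a package line."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def reinstalled_packages(pm_output: str, removed: set) -> set:
    """Packages you removed that are installed for the user again."""
    return parse_pm_list(pm_output) & removed


def uninstall_commands(packages) -> list:
    """ADB commands to re-remove the packages for user 0. -k keeps app data so
    the command is reversible with 'pm install-existing'."""
    return [f"adb shell pm uninstall -k --user 0 {p}" for p in sorted(packages)]


def audit_device(removed: set) -> set:
    """Run the check against a connected device. Needs adb on PATH and USB
    debugging enabled; not exercised by the sample run below."""
    out = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "--user", "0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return reinstalled_packages(out, removed)


if __name__ == "__main__":
    back = reinstalled_packages(SAMPLE_PM_OUTPUT, REMOVED_BY_USER)
    print("reinstalled after update:", sorted(back))
    for cmd in uninstall_commands(back):
        print(cmd)
```

Against a live device call audit_device(REMOVED_BY_USER) instead of the sample; the reported set is what the update restored, and uninstall_commands gives the exact commands to remove them again. Note that pm uninstall --user 0 never touches the system image, which is exactly why the next OTA can undo it.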