Xiaomi told its 500 million users that private browsing was private. Researchers caught the Redmi Note 8 recording every URL, every search and every news click in incognito mode and shipping it to servers whose domains are registered in Beijing. The data was "encrypted" with base64, which is an encoding rather than encryption; a researcher decoded it in seconds. When Forbes showed Xiaomi the video evidence, the company denied it, then later added an opt-out toggle. Collection stayed switched on by default, so users had to find the setting themselves to turn it off.
critical
Xiaomi told Lithuania it never censors users. Lithuania's National Cyber Security Centre found a list of 449 banned phrases, including "Free Tibet," "democracy movement" and "Long live Taiwan independence," automatically downloaded to the Mi Browser on phones sold in Europe. The filter was switched off, but it could be activated remotely without the owner ever knowing. Lithuania's Defence Ministry advised the public not to buy Chinese phones and to get rid of the ones they already owned. Over 200 government agencies had already bought thousands of them.
critical
Xiaomi says it provides no backdoor to any government. China's 2017 National Intelligence Law (Article 7) says every Chinese organisation and citizen must "support, assist, and cooperate with national intelligence work." There is no opt-out clause, no judicial oversight, and no transparency requirement that would ever reveal compliance. A Beijing-headquartered company promising independence from Beijing is making a promise Chinese law forbids it from keeping.
Xiaomi says your data is anonymized, but your phone sends its IMEI and hardware serial number to Xiaomi tracking servers. Unlike an advertising ID, these identifiers are fixed to the hardware and cannot be reset, so Xiaomi can always identify your specific phone regardless of what settings you change.
critical
Xiaomi gives you a toggle to turn off data collection, but researchers found that turning it off does not stop the phone from reporting which apps you use and for how long you use them.
critical
Xiaomi's privacy policy never mentions that your phone carries a hidden feature that can filter out political content about Tibet, Taiwan and democracy, or that Xiaomi can switch this censorship on remotely without telling you.
The vacuum builds a detailed floor plan of your home and takes photos during every cleaning cycle, but Xiaomi's privacy policy never says this data is collected or sent to Xiaomi's servers. Security researchers have shown that the vacuum works fully with its cloud connection removed, so the upload serves Xiaomi's interests, not yours.
critical
Xiaomi says it does not sell your data, but the app that controls your vacuum bundles 8 third-party trackers from companies including Facebook and ByteDance (TikTok's parent company). These trackers collect information about you and your devices to serve targeted ads. The same app that handles the map of your home is feeding the advertising networks that track you across the internet.
high
The app that controls your vacuum cleaner asks for access to your phone's camera, microphone and phone identity (its device identifiers). A vacuum cleaner does not need to record audio through your phone or take photos with your phone's camera. These extra permissions let the app collect data that has nothing to do with cleaning your floors.
Xiaomi says it collects only the data it needs, but the app for this fitness band can read your text messages, access your camera, record through your microphone and read your contacts. None of these is needed to track your heart rate or count your steps.
critical
Xiaomi says your data stays in your region, but the fitness band's app also sends data to Xiaomi's advertising and tracking servers. Xiaomi is a Chinese company legally required to cooperate with Chinese intelligence services if asked, so your heart rate, sleep and exercise data could be accessed by a foreign government no matter where you live.
critical
The fitness band collects detailed health data: your heart rate every minute, blood oxygen levels, sleep patterns, stress levels and menstrual cycles. Independent researchers rank Xiaomi among the worst fitness tracker companies for protecting this data, and there is no stated limit on how long it is kept.
Xiaomi says it does not sell your personal information, but the app that controls your air purifier contains advertising trackers from ByteDance (TikTok's parent company), Facebook, Tencent and Google. These trackers collect your usage data and feed it into advertising networks, so your air quality and home environment data flows through an app built to serve you ads.
critical
Your air purifier works perfectly well without ever connecting to Xiaomi's servers; hobbyists have shown this by replacing the firmware on the device's Wi-Fi module. Xiaomi nevertheless requires you to create an account and connect the device to its cloud, including a server dedicated to advertising. Cloud connectivity is required so Xiaomi can collect your data, not because the purifier needs it to clean your air.
critical
The air purifier itself, not just the app, connects to Xiaomi's advertising servers. This behaviour lives in the firmware on the device's Wi-Fi module, so turning off personalized ads in the app settings does not change it: the purifier keeps talking to Xiaomi's ad system. Your air purifier is part of an advertising network.
Xiaomi says it collects only what is necessary, but its smart home app demands your phone's unique hardware IDs, microphone, infrared transmitter and the ability to launch activities in the background, and it ships with 8 tracking libraries, including advertising networks from ByteDance and Tencent. Managing a smart plug requires none of this, yet the app declares these permissions for every user, whether or not they own a device that could use them.
critical
Xiaomi says it does not sell your data, but independent investigations found that its phones send up to 61 types of information to Chinese servers and track your web browsing even in private mode, and Xiaomi has faced GDPR complaints across Europe for unlawfully transferring data to China. Saying "we don't sell data" while transmitting it to servers in Beijing and Singapore is misleading at best.
critical
A European government found that Xiaomi phones contain a hidden censorship system, a list of 449 banned political phrases that Xiaomi can switch on remotely at any time. Even in Europe, where the filter is currently disabled, the phone keeps downloading updates to the banned word list. A company that builds hidden censorship tools into its products is not trustworthy when it claims to respect your privacy.