Overview
Xiaomi Corporation is one of the world's largest smartphone manufacturers and consumer electronics companies, founded by Lei Jun in 2010 in Beijing. The company has grown from a startup selling budget Android phones through flash sales to the world's third-largest smartphone vendor by market share, shipping over 145 million devices in 2023. Xiaomi is publicly listed on the Hong Kong Stock Exchange and reported revenue of approximately $37 billion in 2023.
Xiaomi's business model is built on selling hardware at near-cost margins and monetizing users through software services, advertising, and its ecosystem of IoT (Internet of Things) devices. This "razor and blades" approach means Xiaomi has a structural incentive to maximize data collection and advertising engagement from its hardware installed base.
Hardware Ecosystem
Xiaomi's product range extends far beyond smartphones:
- Smartphones: Xiaomi, Redmi, and POCO brands spanning budget to flagship price points
- Smart home devices: Air purifiers, security cameras, robot vacuums, smart speakers, smart displays, and lighting (under the Mijia brand)
- Wearables: Xiaomi Band fitness trackers (one of the world's best-selling wearables), smartwatches
- Laptops and tablets: Mi Notebook and Pad series
- Electric vehicles: Xiaomi SU7 electric car (launched 2024)
- Networking: Routers, mesh WiFi systems
This ecosystem, connected through Xiaomi's Mi Home app and cloud services, creates a comprehensive data collection infrastructure spanning personal communications, home environment monitoring, health metrics, transportation, and internet traffic.
Chinese Jurisdiction
As a Chinese company, Xiaomi operates under the same legal framework as ByteDance: China's National Intelligence Law (2017), Data Security Law (2021), Personal Information Protection Law (2021), and Counter-Espionage Law (2023). These laws create structural obligations to cooperate with Chinese intelligence services that cannot be overridden by corporate privacy policies.
Data Collection Practices
Xiaomi's data collection has been the subject of multiple independent investigations that revealed practices extending well beyond what users are informed about.
Browser Data Collection
In April 2020, Forbes published an investigation by cybersecurity researcher Gabi Cirlig that revealed Xiaomi's default Mi Browser and Mint Browser were collecting and transmitting detailed browsing data to Xiaomi's servers, including:
- Every website visited, including URLs with search queries
- All items viewed in the Xiaomi news feed
- Device metadata and usage patterns
- Critically: This data was collected and transmitted even when using the browser's "Incognito" mode
The data was transmitted to servers operated by Sensors Analytics (Shence), a Beijing-based behavioral analytics company. Cirlig demonstrated that despite nominal data anonymization, the transmitted data included device-specific identifiers that could be trivially linked to individual users.
Xiaomi initially denied the findings, calling them "misrepresentation of facts." After widespread media coverage and independent verification by other researchers, Xiaomi pushed a browser update that added a toggle to opt out of data collection in Incognito mode, but left collection enabled by default in normal browsing mode.
A subsequent investigation by Cirlig found similar data collection behavior in Xiaomi's Mi Browser Pro and Mint Browser on devices sold in Europe, demonstrating that the practice was not limited to Chinese-market devices.
Lithuanian Government Censorship Report (2021)
Lithuania's National Cyber Security Centre (NCSC) published a security assessment of 5G-capable Chinese-manufactured phones that produced the most detailed government analysis of Xiaomi's data practices to date:
- Built-in censorship capability: Xiaomi phones shipped to Europe contained a module capable of detecting and censoring content related to sensitive political topics including "Free Tibet," "Long live Taiwan independence," "democracy movement," and other terms. While the censorship function was disabled on EU-market devices at the time of analysis, the NCSC found it could be remotely activated from Xiaomi's servers.
- Encrypted phone-home behavior: Xiaomi devices transmitted encrypted usage data to servers in Singapore, raising concerns about the opacity of data flows.
- System app permissions: Multiple pre-installed Xiaomi system apps requested permissions beyond their stated function, including contact list access, location tracking, and phone state information.
The Lithuanian government recommended that citizens avoid purchasing Xiaomi devices and consider discarding existing ones. Latvia and Estonia subsequently issued similar advisories. The European Commission took note but did not issue a bloc-wide recommendation.
MIUI/HyperOS Telemetry
Xiaomi's custom Android skin (MIUI, succeeded by HyperOS in 2023) includes extensive telemetry systems:
- App usage tracking and analytics
- Device health and performance monitoring
- Location-based services tightly integrated into the system UI
- Advertising identifiers used across the Xiaomi ecosystem
- Pre-installed apps that cannot be fully disabled without ADB (Android Debug Bridge) commands
Independent security researchers have documented that MIUI/HyperOS phones "phone home" to Xiaomi servers at a rate significantly higher than stock Android devices, transmitting device state information, app usage data, and network environment details.
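The bullet above notes that some pre-installed apps can only be fully disabled through ADB. The following script, added here as an illustration and not taken from the page or from Xiaomi, shows the defensive workflow an administrator would use: read the output of `adb shell pm list packages -s` (system packages), pick out packages under a vendor prefix, and emit reversible `pm disable-user --user 0` commands as a dry-run plan rather than executing them. The sample `pm` output and the `com.example.vendor.` prefix are constructed placeholders, not real Xiaomi package names; a practitioner would substitute the prefixes found on the actual device.

```shell
#!/bin/sh
# Added example (not the page's or Xiaomi's own code): plan the disabling of
# vendor system packages from `pm list packages -s` output without touching
# the device. All package names and prefixes below are constructed placeholders.

# Constructed sample of `adb shell pm list packages -s` output (placeholders).
SAMPLE_PM_OUTPUT='package:com.android.settings
package:com.example.vendor.analytics
package:com.example.vendor.browser
package:com.android.systemui'

# Space-separated package prefixes to review; placeholder value, edit per device.
VENDOR_PREFIXES='com.example.vendor.'

# list_vendor_packages: read `pm list packages` output on stdin and print only
# the package names that start with one of the configured vendor prefixes.
list_vendor_packages() {
  sed -n 's/^package://p' | while IFS= read -r pkg; do
    for prefix in $VENDOR_PREFIXES; do
      case "$pkg" in
        "$prefix"*) printf '%s\n' "$pkg" ;;
      esac
    done
  done
}

# disable_command: print the adb command that disables a package for user 0.
# `pm disable-user` is reversible with `pm enable`, unlike a factory-reset-only
# `pm uninstall`, so it is the safer first step when auditing an unfamiliar app.
disable_command() {
  printf 'adb shell pm disable-user --user 0 %s\n' "$1"
}

# plan_from_sample: build the dry-run plan for the constructed sample output.
plan_from_sample() {
  printf '%s\n' "$SAMPLE_PM_OUTPUT" | list_vendor_packages | while IFS= read -r pkg; do
    disable_command "$pkg"
  done
}

# Live use (requires adb on the PATH and a device with USB debugging enabled):
#   adb shell pm list packages -s | list_vendor_packages
# Review the list, then run the printed commands for the packages you choose.
plan_from_sample
```

Review the printed plan before running any command; disabling a package that other system components depend on (a launcher, an input method) can leave the device hard to use, which is why the script only prints the commands and uses the reversible `disable-user` form.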
IoT Ecosystem Data
Xiaomi's Mi Home ecosystem connects hundreds of smart device types, creating ambient data collection across the home environment:
- Security cameras: Video and audio recording, motion detection, facial detection
- Robot vacuums: Room mapping data (floor plans of users' homes)
- Air purifiers and environmental sensors: Occupancy patterns, air quality, temperature
- Smart speakers: Voice command processing with wake-word detection
- Fitness bands: Heart rate, sleep patterns, step counts, GPS tracks
In 2020, a vulnerability in Xiaomi's cloud-connected cameras allowed users to see video feeds from other users' cameras on Google Nest Hub displays, exposing the fragility of Xiaomi's IoT security infrastructure.
Known Clients & Government Contracts
Xiaomi's primary business is consumer electronics retail, but the company has significant relationships with the Chinese government and military-industrial complex.
U.S. Department of Defense Designation
In January 2021, the U.S. Department of Defense designated Xiaomi as a "Communist Chinese Military Company" (CCMC) under Section 1237 of the National Defense Authorization Act. This designation alleged ties between Xiaomi and the Chinese military establishment.
Xiaomi sued the U.S. government and won a preliminary injunction in March 2021, with a federal judge finding that the designation was "arbitrary and capricious." The DoD formally removed Xiaomi from the CCMC list in May 2021. However, the episode highlighted concerns about Xiaomi's relationship with the Chinese state.
Smart City and Government Projects
Xiaomi participates in Chinese smart city initiatives, supplying IoT infrastructure including surveillance cameras, environmental sensors, and connectivity hardware for government-managed urban monitoring systems. These projects, part of China's broader smart city push, blur the line between consumer IoT products and government surveillance infrastructure.
Telecommunications Partnerships
Xiaomi has carrier partnerships across dozens of countries, with devices sold through major telecommunications providers in Europe, India, Southeast Asia, and Latin America. These partnerships sometimes include pre-installed carrier apps and data-sharing arrangements that add telemetry beyond Xiaomi's own collection.
Privacy Incidents & Litigation
Browser Surveillance Controversy (2020)
The Forbes investigation into Mi Browser data collection generated significant international coverage and regulatory attention. Key aspects:
- Xiaomi's initial denial and subsequent partial remediation (adding an opt-out toggle rather than eliminating collection)
- Independent verification by multiple security researchers confirmed the findings
- The discovery that Incognito mode was not private demonstrated a fundamental breach of user trust comparable to Google's Incognito mode deception
- Data transmission to Sensors Analytics servers in Beijing raised concerns about Chinese government access
Lithuanian Censorship Discovery (2021)
The NCSC report's finding of built-in censorship capabilities had diplomatic consequences:
- Lithuania downgraded diplomatic relations with China (partly in response to broader geopolitical tensions, with the Xiaomi findings contributing to the security rationale)
- German Federal Office for Information Security (BSI) conducted its own review but did not confirm the censorship findings on German-market devices
- The European Commission's Cybersecurity Certification Framework discussions referenced the Lithuanian findings as evidence of supply chain risks
Xiaomi Camera/Google Nest Hub Vulnerability (2020)
A user discovered that when connecting a Xiaomi Mijia camera to a Google Nest Hub, the display showed still images from other users' cameras, including images of sleeping babies and house interiors from strangers. Google temporarily disabled Xiaomi device integration with Google Home.
Xiaomi attributed the issue to a cache update error affecting approximately 1,000 users. The incident demonstrated vulnerabilities in Xiaomi's cloud infrastructure and the risks of IoT interoperability.
India Tax and Data Concerns
Indian authorities seized $725 million from Xiaomi India in 2022, alleging violations of the Foreign Exchange Management Act. While primarily a financial enforcement action, Indian government officials cited data security concerns about Chinese-manufactured devices as part of broader scrutiny of Chinese technology companies operating in India.
Xiaomi maintained approximately 20% smartphone market share in India through 2023 despite the government's increasingly hostile posture toward Chinese technology companies following the 2020 ban on TikTok and other Chinese apps.
GDPR Compliance Questions
European data protection authorities have examined Xiaomi's data practices following the browser surveillance and Lithuanian censorship revelations. While no major GDPR fine has been imposed as of 2026, Xiaomi's practices of transmitting user data to servers outside the EU and the opacity of data processing for European users remain under regulatory scrutiny.
Threat Score Analysis
Xiaomi receives a composite threat score of 65/100, reflecting documented surveillance practices, Chinese jurisdiction risk, and the breadth of its IoT data collection ecosystem:
- Data Collection (78/100): Xiaomi collects data across smartphones, wearables, smart home devices, and (with the SU7) vehicles. The browser surveillance documented by Forbes demonstrated collection beyond disclosed practices, including in privacy modes. The IoT ecosystem (cameras, vacuums mapping home floor plans, fitness bands tracking health data) creates ambient surveillance across users' domestic environments. MIUI/HyperOS telemetry rates exceed stock Android baselines.
- Third-Party Sharing (68/100): Xiaomi's advertising-subsidized business model monetizes user data through targeted advertising within MIUI/HyperOS and pre-installed apps. Data transmission to Sensors Analytics (Beijing) and other third-party analytics providers has been documented. The structural risk of Chinese government data access under the National Intelligence Law elevates this score, though Xiaomi's consumer data is less sensitive than communications metadata or social media behavioral profiles.
- Breach History (50/100): Xiaomi has not suffered a catastrophic data breach. The camera/Nest Hub cross-user data exposure was limited in scope. However, the browser surveillance practices represent a form of systemic privacy violation (deliberate undisclosed data collection) that is functionally more damaging than a traditional breach. The Lithuanian censorship capability discovery, while not a breach, demonstrated hidden functionality that undermined device trustworthiness.
- Government Contracts (60/100): Xiaomi's participation in Chinese smart city projects, its operation under China's National Intelligence Law, and the (overturned) U.S. military company designation reflect government entanglement. Unlike Huawei, Xiaomi has not been documented providing telecommunications infrastructure to Chinese intelligence services, and the CCMC designation was successfully challenged in court.
- Transparency (40/100): Xiaomi's initial denial of the browser surveillance findings, followed by minimal remediation, demonstrated a pattern of opacity. The company does not publish meaningful transparency reports regarding government data requests. The Lithuanian finding of remotely activatable censorship modules (hidden functionality that Xiaomi did not disclose) represents a fundamental transparency failure. Xiaomi publishes standard privacy policies but provides minimal visibility into actual data flows, server locations, or government cooperation.
Weighted calculation: (78 * 0.25) + (68 * 0.25) + (50 * 0.20) + (60 * 0.15) + (40 * 0.15) = 19.5 + 17 + 10 + 9 + 6 = 61.5, adjusted to 65 due to the hidden censorship capability documented by Lithuania and the breadth of IoT data collection creating ambient home surveillance.
Transparency & Accountability
Xiaomi's transparency practices lag significantly behind both Western technology companies and some Chinese peers.
Absence of Transparency Reporting
Unlike Apple, Google, Meta, and Microsoft, which publish regular transparency reports detailing government data requests by jurisdiction, Xiaomi does not publish comparable disclosures. Users have no visibility into how frequently Chinese or other governments request data from Xiaomi or how the company responds.
Denial-Then-Minimize Pattern
Xiaomi's response to the browser surveillance investigation established a concerning pattern:
- Initial categorical denial ("misrepresentation of facts")
- Partial acknowledgment after independent verification
- Minimal remediation (opt-out toggle rather than eliminating collection)
- No explanation of how the practice originated or who authorized it
This pattern was repeated with the Lithuanian censorship findings, where Xiaomi disputed the characterization while not addressing the existence of the censorship module itself.
Regulatory Environment
As a Chinese company, Xiaomi operates within a regulatory environment that structurally limits transparency:
- Chinese national security laws prohibit disclosure of government data requests in many circumstances
- There is no independent judicial oversight of intelligence agency data access comparable to Western FISA courts or EU judicial review
- Xiaomi's Hong Kong listing subjects it to Hong Kong Securities and Futures Commission disclosure requirements, but these do not extend to government surveillance cooperation
Supply Chain Concerns
Xiaomi's devices are manufactured primarily in China and India. The Lithuanian censorship module finding raised broader supply chain integrity questions: if a censorship capability can be embedded in firmware and remotely activated, what other capabilities might exist that have not yet been discovered?
This supply chain concern extends to Xiaomi's entire IoT ecosystem. Security cameras, smart speakers, and home automation devices that connect to Xiaomi's cloud services create persistent access points that users cannot independently audit. The combination of Chinese jurisdiction, documented hidden functionality, and extensive home IoT deployment creates a transparency deficit that corporate privacy policies cannot address.