Some Nokia phones were spotted sending user data to China
HMD Global has managed the Nokia smartphone brand impressively well since it took over in December 2016, but now the Finnish company has found itself in hot water.
In a report published earlier today, Norway’s public broadcaster NRK claims to have found proof that certain Nokia smartphone have been transmitting unencrypted user information to China. Allegedly, on-device data such as GPS location, the device serial number, and even the user’s phone number were being transmitted back to a Chinese server.
The server in question was under the domain “vnet.cn,” which is reportedly managed by state-owned carrier China Telecom. From the look of things, every time the Nokia 7 Plus units were powered on, data would immediately be transferred over to the server. Similarly, simply turning on the display or unlocking the device would trigger the same process.
Fortunately for consumers, this issue was present only a “single batch” of Nokia 7 Plus units. Presumably, the smartphones were initially intended for the Chinese market but ultimately made it into the hands of European consumers. Moreover, since the issue has been raised, HMD Global has removed the infringing files from the devices.
In a report published earlier today, Norway’s public broadcaster NRK claims to have found proof that certain Nokia smartphone have been transmitting unencrypted user information to China. Allegedly, on-device data such as GPS location, the device serial number, and even the user’s phone number were being transmitted back to a Chinese server.
Fortunately for consumers, this issue was present only a “single batch” of Nokia 7 Plus units. Presumably, the smartphones were initially intended for the Chinese market but ultimately made it into the hands of European consumers. Moreover, since the issue has been raised, HMD Global has removed the infringing files from the devices.
As a result of this apparent slip-up, HMD Global is now being investigated by Finland’s data protection watchdog.
UPDATE: We have received the following statement from HMD Global on the matter:
We can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed and no person could have been identified based on this data. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it.
Collecting one-time device activation data when the phone is taken first time into use is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously.
Collecting one-time device activation data when the phone is taken first time into use is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously.
Things that are NOT allowed: