Telecoms.com

Norwegian media is reporting that private data of Nokia 7 Plus users may have been sent to a server in China for months. Finland’s data protection ombudsman will investigate and may escalate the case to the EU.

Henrik Austad, a Nokia 7 Plus user in Norway, alerted the Norwegian public media group NRK in February when he noticed every time he powered on his phone it would ping a server in China and batches of data would be sent. The data included the phone’s IMEI numbers, SIM card numbers, the cell ID of the base station the phone is connected to, and its network address (the MAC address), and they have been sent unencrypted. Investigation by NRK discovered that the recipient of the data is a domain (“http://zzhc.vnet.cn”) belonging to China Telecom.

Because HMD Global, the company behind the Nokia-branded phones that was set up by former Nokia executives and has licensed the Nokia brand, is a Finland-registered company, the news was quickly brought to the attention of Reijo Aarnio, Finland’s data protection ombudsman . “We started the investigation after receiving the news from the Norwegian Broadcasting Company (NRK) and I also consulted our IT experts. The findings showed this looks rather bad,” Aarnio said.

When talking to the Finnish state broadcaster YLE and the country’s biggest broadsheet newspaper Helsingin Sanomat (HS), the ombudsman also raised a couple of serious concerns he said he would seek clarifications from HMD Global early next week:

• Are the users aware that their personal data are being transferred to China?
• On what legal ground, if any, are personal data transferred outside of the EU?
• Have corrective actions been taken to prevent similar cases from happening again?

Earlier when writing to NRK, Aarnio said his first thought was this could be a breach of GDPR, and, if true, the case would be brought in front of the European Union. (Although Norway is not a EU member state, Iceland, Liechtenstein, and Norway, the three EEA countries which are not part of the EU, agreed to accept GDPR two months after it came into effect in the EU.)

Replying to Telecoms.com’s enquiry, HMD Global, through its PR agency, sent this statement:

We can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed and no person could have been identified based on this data. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it.

Collecting one-time device activation data when the phone is taken first time into use is an industry practice and allows manufacturers to activate phone warranty. HMD Global takes the security and privacy of its consumers seriously.

Jarkko Saarimäki, Director Finland’s National Cyber Security Centre (Kyberturvallisuuskeskus), which offered to support the ombudsman if needed, raised another point while talking to YLE, “In cases of this kind, the company should report the case to the Office of the Data Protection Ombudsman (tietosuojavaltuutetun toimisto) and inform the customers of the data security risk.” It looks what HMD Global has done is exactly the opposite: it quietly fixed the issue with a software update.

What exactly happened remains unclear, but the investigation from NRK may shed some light. Further research into the data transfer took NRK investigators to GitHub, where they discovered a set of code that would generate data transmission similar to that on the Nokia 7 Plus in question, and to the same destination. This code resides in a subfolder called “China Telecom”. On the same level there are also subfolders for China Mobile, China Unicom as well as other folders for different purposes. Henrik Lied, the NRK journalist who first reported the case, shared with Telecoms.com this subfolder structure that he captured on GitHub:

Closer analyses of the code in question on GitHub by Telecoms.com seem to have given us a bit more insight. This is what we assume has happened: HMD Global or its ODM partner sourced the code from a developer by the GitHub username of “bcyj” to transfer user data when a phone on China Telecom network is started. But, by mistake, HMD Global has loaded this set of code on a number of Nokia 7 Plus meant for Norway (“our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus”). When it realised the mistake by whatever means HMD Global released a software update to overwrite this code.

Incidentally it looks the code was originally written for a Chinese OEM LeEco (which is largely defunct now) whose product, e.g. the Le Max 2, was running on the Snapdragon 820 platform with the MSM8996 modem. The modem was later incorporated in the mid-tier platform Snapdragon 660 which powers the Nokia 7 Plus.

There are still quite a few questions HMD Global’s statement does not answer.

• How many users have been affected? And in what countries? The award-winning Nokia 7 Plus is one of the more popular models from HMD Global, and it is highly unlikely a batch of products were specifically made for the Norwegian market with its limited size. Could the same products have been shipped to other Northern European markets too?
• Is China Telecom the only operator in China that requires phones on its network to be equipped with a software that regularly sends personal data? We do not find similar programmes under the China Mobile or China Unicom subfolders on the same GitHub location.
• Is HMD Global the only culprit? Or other OEMs’ products on China Telecom network and on the same Qualcomm modem are also running the same script every time the phone is powered on, but they have not made the same mistake by mixing up regional variants as HMD Global did?
• On what ground could HMD Global claim that the recipients of the data or any other parties who have access to the data (as they are sent unencrypted), will not be able to identify the individuals (“no person could have been identified based on this data”)? To defend itself, in its statement to NRK, HMD Global referred to the Patrick Breyer vs Bundesrepublik Deutschland case when the Court of Justice of the European Union (CJEU) ruled that whether a certain type of data would qualify as “personal data” should generally need to be assessed based on a “subjective / relative approach”. In the present case HMD Global seems to be arguing that the recipients of the data sent from the phones are not able to establish the identities of the users. It may have its point as China Telecom (or other identities in China that receive the data) does not have the identity information of the users. However, this is a weak defence. The CJEU sided with the German Federal Court of Justice because the point of dispute was dynamic IP only, and the court deemed “that dynamic IP addresses collected by an online media service provider only constitute personal data if the possibility to combine the address with data necessary to identify the user of a website held by a third party (i.e. user’s internet service provider) constitutes a mean “likely reasonably to be used to identify” the individual”, as was summarised by the legal experts Fabian Niemann and Lennart Schüßler. In the HMD Global case, however, a full set of private data were transmitted, not to mention transmitted unencrypted.
• On what evidence did HMD Global claim that the data transmitted has not been processed or shared with third parties?

To be fair to HMD Global, this is not the first, and by no means the biggest data leaking incident by communication products. For example the IT and communication system at the African Union headquarters, supplied and installed by Huawei, was sending data every night from Addis Ababa to Shanghai for over four years before it was uncovered by accident. Huawei’s founder later claimed that the data leaking “had nothing to do with Huawei”, though it was not clear whether he was denying that Huawei was aware of it or claiming Huawei was not playing an active role in it.

=======================

Update 14:00 Saturday 23 March 2019: HMD Global, through its PR agency, sent us an updated statement to clarify: if a Nokia phone is bought outside of China, “Your data is stored in Singapore. Singapore, as you may already know, follows very strict privacy laws.” If the device is bought from inside of China, “In order to comply with China Cyber Security law, we are obligated to store data originating from China in China. This means that only those devices that are sold in China will send data to our servers in China.” The update also clarified the cause of the case in question: “our device activation client meant for our China variant was mistakenly included in the software package of a single batch of Nokia 7 Plus phones that were not intended to be sold in China.”