After a report by Norwegian public broadcaster NRK about how an HMD Nokia phone sent data to servers in China, the Finnish Data Protection Board launched an inquiry into HMD’s practices, reports Helsingin Sanomat.
NRKbeta.no today run an article describing how a concerned reader, Henry, found that his Nokia 7 plus is sending unencrypted data packages to a server in China under the domain vnet.cn, administrated by China Internet Network Information Center (CNNIC), a body responsible for the .cn top level domain, while the domain was registered by China Telecom.
A deeper dive resulted in finding a similar code to the ones found on the Nokia 7 Plus that was made by Qualcomm. The code is located in Github in a subfolder named “China Telecom” and was created in 2014. The code in question is probably intended for the Chinese version of Nokia 7 plus and not the global version, speculates NRK.
NRK contacted HMD Global that confirmed that “there has been an error in the package process of software in a single batch of a phone model, which by mistake attempted to send the activation data to a foreign server. The data was never treated, and no personal information was shared with third parties or Government officials.”
At the end of February, HMD sent an update that removed the software in question on the devices from the batch that was affected by this error in package process. Most users of the affected 7 plus batched installed the update.
Finland’s Data Privacy authorities, as reported by HS.fi, will investigate the report from NRK and determine the details about the situation. The idea is that data can be freely moved inside the EU, but going outside, companies need to have a legitimate reason for doing so, says the Commissioner Reijo Aarnio.
HMD Global, the maker of Nokia phones, has a dedicated “privacy portal” that describes the data the company collects, how it is processed and how long does HMD keep the data. Some parts of the privacy ToS follow down below.
If you want to explicitly request a removal of your data from HMD’s database, you can submit a request and view your data here.
Mobile devices communicating with manufacturer’s servers is a normal praxis in the industry, because the data from the User Experience Program (which users can opt out) and information about the device are necessary to check for system issues and to identify the correct device variant before pushing an update. However, there are rules which data is processed and how it is sent.
For transparency sake, HMD should start an internal investigation into how this code ended up in Nokia 7 plus units in Norway, and make the report public. Notifying affected users (or all users in the affected region if they cannot identify the affected ones) via email that states basically what their response to NKR was – data was sent by mistake, nothing was processed, it’s fixed, – would have been a good move for restoring customer trust, that still can be done.