HMD demystifies reports about data breaches, spying etc. on Nokia phones

After yesterday’s report by NRK that described how Nokia 7 plus devices in Norway were sending data to China, the story slowly started to grow out of proportion. In the case of the 7 plus, HMD Global had, in one of the previous updates, installed the activation app for China, which was trying to communicate with a Chinese server. With the February update, that mistake was fixed, the company confirmed.

Shortly after the story, and after Finland’s Data Protection Board confirmed it will investigate what happened, different stories started popping up around the web. HMD finally reacted to the story with a full explanation. In short, phones meant for the global market send activation data to HMD’s AWS servers in Singapore, while the phones meant for China communicate with the already mentioned Chinese server. The wrong activation client was installed on some 7 plus units. The full response follows below.

What you need to know about your privacy and the alleged “data breach” on Nokia 7 Plus phones

22 March 2019

HMD Global takes the privacy and security of its consumers seriously. With the recent news regarding the Nokia 7 Plus, it’s important that you hear about what happened from us and learn more about how we collect and store data.

We have looked deeply into the case at hand and can confirm that no personally identifiable information has been shared with any third party. We have analysed the case at hand and have found that our device activation client meant for our China variant was mistakenly included in the software package of a single batch of Nokia 7 Plus phones. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server. However, such data was never processed, and no person could have been identified based on this data. To be clear, no personally identifiable information has been shared with any third party. This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it. If you want to check if your Nokia 7 Plus has received the security fix, we have included step-by-step instructions below.

There is also some speculation about other Nokia phones sharing similar data with third-party servers. We can confirm that this is incorrect speculation and no Nokia phones are impacted. All device data of Nokia Phones other than the China variant is stored at HMD Global’s servers in Singapore provided by Amazon Web Services. HMD Global takes the security and privacy of its consumers seriously and complies with all applicable privacy laws. Data collected from our devices is stored safely in accordance with applicable laws. The device data collection is further explained on our web pages. We encourage our consumers to familiarize themselves with this information and our Privacy Policy that further explains the data collection. HMD Global takes the privacy and security of its consumers seriously.

However, before you go, please take a look at our infographic and Q&A below for more information on how we collect and store data, plus step-by-step instructions to check if your Nokia 7 Plus has received the security fix.

Additional information

Why do we collect data from the devices?

We collect data from devices for two primary reasons:

  1. Activating device warranty: When the device is taken into use for the first time, it sends data to our servers. This data helps us activate warranty on the device.
  2. Improve user satisfaction: In case you choose to participate in the User Experience Program, we collect device satisfaction feedback and diagnostics data from your Nokia phone. This helps us to enhance our products and services based on your feedback.

How do we manage privacy within HMD Global?

  • Our software developers are continuously trained to master local privacy requirements such as the GDPR or China Cyber Security Law requirements. This applies also to the software developers from partners working together with us.
  • We take privacy extremely seriously and follow ‘privacy as a design’ process. This means that all changes and updates to data collection are always approved by a privacy expert.
  • On top of that, we conduct regular third party audits for our data collection and management processes.
  • We also have strict policies in place related to technical architecture, data and access management.

Where is my device data stored if I have purchased the device for example from Europe, US or India?

  • Your data is stored in Singapore. Singapore, as you may already know, follows very strict privacy laws.

Where is my device data stored if I have purchased the device from China?

  • In order to comply with China Cyber Security law, we are obligated to store data originating from China in China. This means that only those devices that are sold in China will send data to our servers in China.

How can I check if my Nokia 7 Plus has received the security fix?

If you want to confirm your device is up to date, follow these steps:

  • Go to Settings > System > About Phone > Scroll down to “Build Number”
  • If your phone shows “00WW_3_39B_SP03” or “00WW_3_22C_SP05” as the “Build number”, you have already installed the fix on your Nokia 7 Plus.
  • If your phone is not showing either of the above, don’t worry, you can always request the latest approved build by following these steps:
      • Go to “Settings” > “System” > “Advanced” > “System Update” > “Check for Update”.
      • A Wi-Fi connection is preferred, but if not possible, you can select “Resume” to use your cellular data connection. Please be advised that using a cellular connection may incur a data charge. Check with your operator if any concerns.

To conclude, the initial reporting, which really outlined a mistake HMD made, evolved into some kind of conspiracy theory, with users reporting packages being sent here and there, data breaches, malware, spyware, China etc. With less than 20 million smartphones shipped last year, HMD is probably the last Android manufacturer to take part in some form of a spygate. After all, Vault 7 already revealed everything we need to know about the state of Internet security today.

HMD needs to be careful, especially regarding privacy, and react faster to such situations. The infographic and statement they published are well made, but probably a day late.

Source: Nokia Mobile Privacy Info

Note: If you want to view or delete your data HMD stores, you can do that here