Finland's chief of data protection said on Thursday that he would investigate Nokia owner HMD over claims that its mobile phones have been sending data to Chinese state-owned servers.
The investigation follows an report by Norwegian public broadcaster NRK which claims that owners of Nokia 7 Plus phones may have sent sensitive information to a server in China for several months.
NRK conducted an investigation after being tipped off by a man named Henrik Austad, who monitored the traffic on his Nokia 7 - discovering that it was sending unencrypted information to a Chinese server "vnet.cn" while switched on. The data reportedly included his location, SIM card number and the phone's serial number.
The information consists of identifiable data on both the telephone and the telephone number to which it is attached, and which base station it is associated with. This enables the recipient of the package, and anyone with access to the traffic stream along the way, to follow the phone's real-time movements. -NRK
When NRK tried to track down the ownership information for the URL to which the information was being sent, they hit a dead end.
In the register, the "China Internet Network Information Center" (CNNIC) is listed as the contact point. This body is responsible for all domains under the top-level domain .cn . When we contacted CNNIC, we were told that the state-owned telecommunications company China Telecom was the owner of the domain.
Through Chinese sources, we attempted to get answers to who has disposed the server, but the customer service manager at China Telecom was unable to find the relevant information. A quick Google search, however, brought us further:
In an open profile on Github, a sharing and collaboration platform for developers, there is code from the electronics manufacturer Qualcomm.This code contains a registration procedure that is very similar to the method used by Nokia 7 Plus. The code collects a lot of data about the phone and sends the information in identical format to the same server we received from our tips. -NRK
Finland's data protection ombudsman Reijo Aarnio will investigate any breaches that involved "personal information and if there has been a legal justification for this," according to Reuters.
Finnish startup HMD Global, which signed a ten-year license with Microsoft for the Nokia brand in 2016, reportedly admitted to NRK that a batch of Nokia 7 phones had sent data to China. It said it had fixed the "error" in a January software update that most customers had installed. HMD claimed the phones didn't send any personal data that could identify their owners. The Nokia 7 itself is a China exclusive handset launched in October 2017. A second-gen version, the Nokia 7.1, was released in the US a year later.
Pointing to the stricter privacy laws imposed by the EU last year, Aarnio told NRK that his first reaction was "that this can at least be a violation of the GDPR legislation." Google already fell foul of the guidelines in France earlier this year, where it was hit with a €50 million (about $57 million) fine for its alleged opaque data consent policies. -Engadget
Launched in Q1 2018, the The Nokia 7 Plus was an instant success, selling 250,000 phones in the first five minutes in China.